April 2010 Critical Patch Update Released
By Eric P. Maurice on Apr 13, 2010
Hi, this is Eric Maurice. Oracle just released the April 2010 Critical Patch Update (CPUApr2010), the first one to include security fixes for Sun products.
Today's Critical Patch Update (CPU) provides 47 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Life Sciences, Retail, and Communications Industry Suites, and various Sun products. 28 of these 47 new vulnerabilities are remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password, but the criticality of the affected components and the severity of these vulnerabilities vary greatly. Customers should, as usual, refer to the Risk Matrices in the CPU Advisory to assess the relevance of these fixes for their environment (and the urgency with which to apply the fixes).
7 of the 47 new vulnerabilities affect various versions of Oracle Database Server. None of these 7 vulnerabilities are remotely exploitable without authentication. Furthermore, none of these fixes are applicable to client-only deployments. The most severe CVSS Base Score for the Database Server vulnerabilities is 7.1. As a reminder, information about Oracle's use of the CVSS 2.0 standard can be found in Note 394487.1 (My Oracle Support subscription required). Note that this Critical Patch Update includes fixes for vulnerabilities that were publicly disclosed by David Litchfield at the BlackHat DC Conference in early February (CVE-2010-0866 and CVE-2010-0867).
5 of the 47 new vulnerabilities affect various components of the Oracle Fusion Middleware product family. The highest CVSS Base Score for these vulnerabilities is 7.5. Note that the patches for Oracle WebLogic Server are cumulative, and this Critical Patch Update therefore also includes a fix for a vulnerability (CVE-2010-0073) that was the subject of a Security Alert issued by Oracle on February 4, 2010. Customers who have not applied the previously released patch should apply today's Critical Patch Update as soon as possible.
As stated at the beginning of this blog, it is also noteworthy to highlight that this Critical Patch Update provides 16 new fixes for the Sun product line. As we move forward, we are going to align the security vulnerability remediation programs for the Sun product lines with Oracle's existing programs: security bug fixes should be addressed primarily through the Critical Patch Update program (quarterly release) or, by exception, through the Security Alert program (unscheduled releases to address highly critical flaws). However, a third program, specific to the Sun product line, will also be implemented to deal with vulnerabilities in third-party components that are included in Sun's product distributions. For these third-party products, Oracle will publish the relevant CVE number, CVSS score, affected product component, CWE information, version and patch location information when the security patches are made available by their respective providers. Generally speaking, this information will be obtained from the third-party provider (e.g. the reported CWE will be the one reported by the third party and not necessarily verified by Oracle).
The rapid inclusion of Sun product lines in the Critical Patch Update and the extension of Oracle Software Security Assurance to Sun technologies are evidence of the flexibility of Oracle's security assurance programs. These should also result in tangible security benefits for the users of the Oracle hardware and software stack (such as a predictable patching schedule for all Oracle products).