April 2011 Critical Patch Update Released
By Eric P. Maurice on Apr 19, 2011
Hello, this is Eric Maurice.
Oracle released the April 2011 Critical Patch Update (CPUApr2011) today. As a reminder, note that security fixes for Java SE and Java for Business continue to be released on a separate schedule as the "normal" Critical Patch Update because of commitments made to customers prior to Oracle's acquisition of Sun. The next release date for the Java SE and Java for Business Critical Patch Update is June 7th 2011.
Today's Critical Patch Update provides fixes for 73 new vulnerabilities across a large number of product families including: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite and Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle JDEdwards EntepriseOne, Oracle Siebel CRM, Oracle Industry Applications, Oracle Sun products suite, and Oracle OpenOffice Suite.
The most severe vulnerabilities addressed in this Critical Patch Update have received a CVSS Base Score of 10.0. The first CVSS 10.0 vulnerability affects Oracle JRockit, and refers to a vulnerability (CVE-2010-4452) that was previously addressed with the February 2011 Critical Patch Update for Java SE and Java for Business. The second vulnerability affects Oracle Sun GlassFish Enteprise Server / Sun Java Systems Application Server.
Among these 73 new fixes, Oracle Database Server receives 6 new fixes, including 2 fixes for Oracle Database Vault (each with a CVSS Base Score of 3.6). In addition, 3 non-database fixes are also applicable to Oracle Database Server deployments: these are for vulnerabilities affecting Oracle Enterprise Manager Grid Control and Oracle Fusion Middleware. The highest CVSS Base Score for these Database Server vulnerabilities is 6.5. Note that we recently published a blog entry explaining Oracle's application of the CVSS standard.
18 out of the 73 fixes in this Critical Patch Update are for the Oracle Sun products suite, and an additional 8 are for Oracle OpenOffice. The highest CVSS Base Score for vulnerabilities affecting the Oracle Sun products suite is 10.0. The highest CVSS Base Score for vulnerabilities affecting the Oracle OpenOffice Suite is 9.3.
In recent years, I have often been asked to describe the Oracle organization that produces the security fixes included in the Critical Patch Updates. Today's Critical Patch Update provides a good opportunity to discuss this aspect of the program. A key aspect of Oracle's security model is that it is largely decentralized.
A core product security group under Oracle's Chief Security Officer, Mary Ann Davidson, is responsible for managing the security programs, ensuring compliance with Oracle Secure Coding Standards across development organizations, and managing internal (ethical hacking) and external (Common Criteria, FIPS) security assessments.
Each development team is responsible for the production of the security fixes for their specific products. However, the responsibility of ensuring the effectiveness of the fix is shared across organizations: the Oracle Software Security Assurance team makes sure that the fix provides effective remediation and that, potentially, all other related bugs are addressed as well. Other development teams will test the fix to ensure that it doesn't introduce regressions with their products (i.e. we test our fixes to ensure that each product across the stack continues to perform as expected). Technical Support also tests the fixes, and will also ensure that the documentation for the fix is accurate, etc. For more information, a detailed description of Oracle's practices for the testing of Critical Patch Update fixes is included in the white paper "Recommendations for leveraging the Critical Patch Update & maintaining a proper security posture" available on the Oracle Software Security Assurance web site.
This decentralized approach has several benefits. Code ownership is maintained and, as a result, development organizations quickly gain from the knowledge of past mistakes. Furthermore, Oracle's product portfolio is very diverse, and from a security perspective, it is important to retain some level of specialization: the concerns of web application developers may not be altogether the same as the ones of OS developers (e.g. focus on cross site scripting and SQL injections, as opposed to buffer overflows). Finally, another great benefit of this approach is that no single organization can be a bottleneck for the timely production of security fixes. As a result, the Critical Patch Update program, with some customization (e.g. separate schedule for the security fixes for Java SE and Java for Business), was able to adapt to the inclusion of additional product lines over the years.
For More Information:
The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html