January 2011 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jan 18, 2011
Hi, this is Eric Maurice again.
Oracle released the January 2011 Critical Patch Update (CPUJan2011) today. With this Critical Patch Update (CPU), Oracle's primary security vulnerability remediation program enters its seventh year (the first Critical Patch Update was released in January 2005). The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products. CPUs are issued on a predictable schedule published a year in advance. The CPU documentation, and more specifically, the risk matrices used to provide information about the nature and criticality of the vulnerabilities fixed in each CPU are consistent across all product lines and leverage industry standards such as CVSS (to provide an indication of the criticality of each vulnerability) and CVE (to provide a unique identifier for each vulnerability). Very importantly as well, Oracle's fixing and disclosure policies are transparent and are designed to provide equal protection to all Oracle customers.
Today's Critical Patch Update (CPUJan2011) provides fixes for 66 security vulnerabilities across a wide range of products including: Oracle Database Server, Oracle Secure Backup, Oracle Audit Vault, Oracle Database Vault, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Applications, Oracle Industry Applications, Oracle PeopleSoft Enterprise, Oracle Solaris, and Oracle Open Office.
6 of the 66 security vulnerabilities affect Oracle Database Server including Oracle Database Vault. The most severe of these 6 vulnerabilities affects Oracle Enterprise Manager Grid Control, and received a CVSS Base Score of 7.5. In addition, a fix for an Oracle Audit Vault vulnerability which has received a CVSS Base Score of 10.0 is also provided in today's CPU. As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible so that they can maintain their security in-depth posture regardless of the existence of external mitigation factors that may prevent the exploitation of these vulnerabilities (e.g. network access controls, etc.)
16 fixes were released for Oracle Fusion Middleware. The maximum CVSS score for Oracle Fusion Middleware is 10.0 for 2 separate vulnerabilities. The first, for JRockit, refers to a set of Java Runtime Environment security fixes that were previously released by Oracle. The second one affects the Node Manager component of Oracle WebLogic Server.
11 fixes were released for Oracle PeopleSoft Enterprise. The maximum CVSS Base Score for these vulnerabilities is 7.5. It is for a single vulnerability affecting PeopleSoft 8.50 and 8.51. This vulnerability was publicly disclosed accidentally earlier this month. Oracle highly recommends that PeopleSoft customers apply this Critical Patch Update as soon as possible as a result of this accidental disclosure.
This Critical Patch Update also includes fixes for 21 new vulnerabilities affecting the Oracle Sun product family and 2 new vulnerabilities affecting Oracle Open Office. The most severe vulnerability affecting the Sun Product family affects Oracle Solaris with a CVSS Base Score of 10.0.
The 2 vulnerabilities affecting Oracle Open Office received a CVSS Base Score of 9.3 and are related to exploit conditions that exist when malicious attachments are opened by unsuspecting users. Oracle reported a 9.3 CVSS Base Score for these Open Office vulnerabilities because many users, particularly Windows XP users, run with administrative privileges. However, the CVSS Base Score for these vulnerabilities falls to 6.8 when these malicious attachments are opened by users with limited privileges.
Sun customers, who wish to consult the Security Sun Alert notifications published before April 2010 can do so by visiting the "Sun Alert Archive and Mappings for Legacy SunSolve Document ID Numbers" page located at http://www.oracle.com/technetwork/topics/security/sunalertslisting-197036.html
With today's Critical Patch Update, Oracle introduces an enhancement to the Critical Patch Update documentation. As a result of customer feedback, Oracle will now publish a plain English version of the risk matrices. This document can be found at http://www.oracle.com/technetwork/topics/security/cpujan2011verbose-194110.html. This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation.
Finally, Oracle recently published a technical white paper titled "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" in an attempt to document the practices of a number of organizations, which had adopted repeatable processes to deal with the Critical Patch Updates. This white paper is located at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf, and is a good starting point for administrators who may be new to the Critical Patch Update or feel overwhelmed with the prospect of patching their systems.
For More Information:
"Inclusion Of Security Fixes For Externally Reported Security Bugs In The Critical Patch Updates", a blog entry by Clement Chen, can be found at http://blogs.oracle.com/security/2010/11/inclusion_of_security_fixes_fo.html
The Critical Patch Updates and Security Alerts page is located at : http://www.oracle.com/technetwork/topics/security/alerts-086861.html
More information about Oracle Software Security Assurance, including Oracle security fixing policies, is available on: http://www.oracle.com/us/support/assurance/index.html
Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.
Security Sun Alert notifications prior to April 2010 for Sun products are located at http://www.oracle.com/technetwork/topics/security/sunalertslisting-197036.html