July 2010 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jul 13, 2010
Hello, this is Eric Maurice again.
Oracle just released the July 2010 Critical Patch Update (CPUJul2010). This Critical Patch Update (CPU) is the second one to include fixes for the Oracle (formerly Sun) Solaris product line.
Today's CPU provides 59 new security fixes across the following product families: Oracle Database Server (including Oracle Secure Backup and Oracle TimesTen In-Memory Database); Oracle Fusion Middleware (including the WebLogic product lines, formerly from BEA); Oracle Enterprise Manager; Oracle E-Business Suite; Oracle Supply Chain Products Suite; Oracle PeopleSoft Enterprise ; and Oracle Solaris.
Of the 59 new security fixes, 6 are for Oracle Database Server. One of the newly-fixed Database Server vulnerability affects client-only deployments. The maximum CVSS Base Score for new Oracle Database Server vulnerabilities fixed in this CPU is 7.8.
2 of the new vulnerabilities fixed in this CPU are for Oracle TimesTen In-Memory Database, and 5 are for Oracle Secure Backup. The maximum CVSS Base Score for these security bugs is 10.0, and this score affects 2 vulnerabilities in Oracle Secure Backup and 1 vulnerability for Oracle TimesTen In-Memory Database. Considering the relatively high CVSS Base Score reported for these vulnerabilities, Oracle recommends that customers of these products apply the July 2010 Critical Patch Update as soon as possible.
This CPU also includes 7 new fixes for security vulnerabilities in Oracle Fusion Middleware. Note that the most critical of these Fusion Middleware fixes is related to previously-released Java security fixes, which addressed vulnerabilities affecting the Java Runtime Environment. Just like before the Sun acquisition (and the inclusion of Java in the Critical Patch Update program), Oracle refers in the Fusion Middleware risk matrix to the previously-published Java advisories applicable to JRockit. The CVSS Base Score reported in this CPU is the highest reported CVSS score for the previously published Java advisories.
As stated at the beginning of this blog entry, the July 2010 Critical Patch Update also includes 21 new fixes for the Oracle Solaris product line. We recently posted a short document on OTN, which highlights changes made by Oracle to the security vulnerability handling policies for the Solaris product line. As with previously acquired companies, Oracle aligns the security policies affecting the newly acquired product lines as closely as possible to existing Oracle Software Security Assurance policies. This alignment is designed to help maintain the security posture of our customers as well as to ensure that Oracle's policies are consistent across all products. For example, the Critical Patch Update program provides a common "look and feel" for all the security advisories for all products (the adoption of the CVSS Base Score to rate the relative severity of security vulnerabilities is a significant improvement for Sun customers), and the patches are released on the same date, thus allowing organizations to more easily provide for security patching in normal maintenance periods and reducing interruptions to their production environment.
On a separate but somewhat related subject, Oracle and the Independent Oracle User Group (IOUG) are launching a new security assurance survey. The purpose of this survey is to gather feedback from as many organizations as possible about their security patching practices and to identify which security assurance topics are most relevant to Oracle customers.
The IOUG participates in Oracle's Secure Customer Advisory Council and has worked with Oracle Global Product Security on this survey which will provide meaningful feedback to Oracle about its security programs. For example, the current survey provides respondents with a chance to give feedback about Patch Set Updates (PSUs) and the CPU documentation. Survey responses will be kept confidential, and the results will be analyzed jointly by Oracle and IOUG to evaluate Oracle's security assurance practices The survey is hosted by IOUG's Enterprise Best Practices Special Interest Group (SIG) at http://enterprisesig.oracle.ioug.org/ (free SIG membership is required to access the survey).
For more information:
- The advisory for the July 2010 Critical Patch Update can be accessed at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html
- The Critical Patch Updates and Security Alerts page is located on http://www.oracle.com/technology/deploy/security/alerts.htm
- Instructions to subscribe to Oracle security notifications are posted on: http://www.oracle.com/technology/deploy/security/securityemail.html
- Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.
- The IOUG/Oracle Software Security Assurance survey is located at http://enterprisesig.oracle.ioug.org/