July 2011 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jul 19, 2011
Hi, this is Eric Maurice.
Oracle just released the July 2011 Critical Patch Update. This Critical Patch Update provides fixes for 78 new security vulnerabilities in a wide range of product families including: Oracle Database Server, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle Sun Products.
Out of these 78 vulnerabilities, 13 affect Oracle Database Server, including one affecting Oracle Database Vault and 2 affecting client-only deployments. The CVSS Base Scores for these Database Server vulnerabilities range between 1.3 and 7.1.
This Critical Patch Update also provides fixes for 3 security flaws affecting Oracle Secure Backup. The highest CVSS Base Score for the vulnerabilities affecting Secure Backup is 10.0. Oracle Secure Backup customers are therefore urged to apply this Critical Patch Update as soon as possible.
In addition, 7 fixes are provided for Oracle Fusion Middleware. The highest CVSS Base Score for vulnerabilities affecting Oracle Fusion Middleware is 10.0. This CVSS Base Score is related to previously released Java SE security fixes applicable to JRockit. Note again that Java SE security fixes continue to be issued on a separate Critical Patch Update schedule (the schedule for the Critical Patch Updates for Java SE and all other Oracle products is posted at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).
18 security fixes are provided for Oracle Enterprise Manager Grid Control. The CVSS Base Scores for the Enterprise Manager Grid Control vulnerabilities fixed in this Critical Patch Update range between 4.3 and 6.8.
23 new security fixes are provided for the Oracle Sun Product Suite, including Oracle OpenSSO, Solaris, Oracle GlassFish Server, etc. The CVSS Base Scores for the Oracle Sun Product Suite vulnerabilities fixed in this Critical Patch Update range between 1.7 and 10.0.
With the addition of the Sun products, Oracle Software Security Assurance programs extend to the software components of hardware products, including firmware. Firmware and other hardware-related security fixes are included in the Critical Patch Updates. But the application of Oracle Software Security Assurance by the former hardware divisions of Sun does not end with the Critical Patch Update and Security Alert programs!
While, before the acquisition, there were differences between the security practices of the various hardware security groups at Sun (e.g. differences between Solaris, Development Tools, Volume Systems, Enterprise Systems, Disk Storage divisions, etc.), these security practices are now integrated under Oracle Software Security Assurance guidance. For example, security release criteria (i.e. security items in the mandatory checklist before allowing a software product to become GA) are applied uniformly across all Hardware Systems divisions. Also, the development teams across the Hardware Systems division have access to a broader set of security tool sets, including static analysis tools. These changes will help further strengthen the security quality of the code produced by these groups.
Oracle Software Security Assurance programs affect ALL Oracle products (and their respective development organizations) and help ensure consistency in coding practices, security reporting, etc., resulting in effective information sharing between Oracle groups. This is particularly important because customers will reap security benefits when purchasing Oracle-engineered systems (e.g. Exadata, Exalogic, etc.) as opposed to getting multi-vendor bundles (or attempting to integrate complex systems from multiple vendors by themselves). For example, the existence of consistent and extended security checklists when bringing Oracle solutions together helps ensure security integrity across the solution stack being offered to customers, as customers need not rely upon the consistency of multiple vendors’ security assurance programs.
As always, Oracle recommends that customers review the risk matrices included in the Critical Patch Update Advisory to determine whether these fixes are relevant to them and, if so, determine the potential risk these vulnerabilities create in their environment, and ultimately determine their patching priority. As a reminder, Oracle recently started to issue a plain-English version of the risk matrices to help customers who may not yet be familiar with CVSS get accustomed to the Standard. In addition, a technical white paper is available on Oracle’s web site to help customers come up with a repeatable process to deal with security patches in their environment.
For more Information:
· The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
· More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html