October 2006 Critical Patch Update Released
By Eric P. Maurice-Oracle on Oct 17, 2006
Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.
Today, Oracle released its eighth Critical Patch Update (CPUOct2006). This Critical Patch Update (CPU) addresses a total of 101 vulnerabilities affecting a range of Oracle's products, including the Oracle Database Server, Oracle Application Server, Oracle Application Express (formerly known as Oracle HTML DB), Oracle Collaboration Suite, Oracle E-Business Suite, Oracle's PeopleSoft Enterprise, and Oracle's JD Edwards EnterpriseOne applications. More than one third of the vulnerabilities patched in this CPU are in an optional product (35 vulnerabilities for Oracle Application Express) and do not affect most customers. It is also worth noting that twenty-two of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client.
As usual, with the exception of Oracle E-Business Suite, the CPUs are cumulative. This provides a couple of strong advantages for Oracle customers:
- All the vulnerabilities identified in today's CPU that affect a specified Oracle product on a specific OS platform are resolved through the application of a single patch; and
- The application of the appropriate patch issued with today's CPU also resolves vulnerabilities fixed with prior CPUs.
In other words, if a customer applies today's CPU for Oracle Database 10g on Linux, this customer gets protection against all the Database Server vulnerabilities announced in today's CPU and all previous CPUs. This model makes it very easy for organizations that may have failed to apply past Critical Patch Updates to quickly bring their environment to current patch release level, and therefore optimize their security posture.
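Because the database CPUs are cumulative, the practical question for an administrator is simply which CPU is currently recorded on each database. As an added example (not part of the original post or of the CPU documentation), the following SQL*Plus query lists the CPU rows that the CPU post-install script writes into DBA_REGISTRY_HISTORY on Oracle Database 10.2 and later; it assumes that script was actually run after the patch was applied, since the view is only populated by that step.

```sql
-- Added example, not from the original post: show which Critical Patch Updates
-- have been recorded on this database (Oracle Database 10.2 or later).
-- Assumption: the CPU post-install script was run, so each applied CPU left a
-- row with ACTION = 'CPU' and the CPU name (e.g. CPUOct2006) in COMMENTS.
-- The newest row tells you the current patch level; with cumulative CPUs it is
-- the only one that matters.
SET LINESIZE 120
COLUMN action_time FORMAT A35
COLUMN action      FORMAT A8
COLUMN version     FORMAT A10
COLUMN comments    FORMAT A20

SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 WHERE action = 'CPU'
 ORDER BY action_time DESC;
```

If the query returns no rows, the database either predates 10.2 (where the view does not exist) or the post-install step was never run; in both cases the OPatch inventory of the Oracle home (opatch lsinventory) is the authoritative record of which patch was applied to the binaries, and the two should be compared before concluding that a database is at the current CPU level.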
With this release, we also introduced significant enhancements to the CPU documentation. These enhancements include the adoption of the Common Vulnerability Scoring System (CVSS), the identification of vulnerabilities that may be exploited remotely without authentication to the targeted system, and the introduction of an executive summary. I have outlined these changes in a previous blog entry. Darius Wiles, Senior Manager, Security Alerts, also recently recorded a short eSeminar that discusses the Critical Patch Update process. With a strong focus on the CPU documentation, and specifically the CPU risk matrices, this twelve-minute eSeminar is a great source of information for anyone who manages an Oracle environment and needs to periodically review the CPU documentation.
Lastly, I would like to remind you again of the webcast we recorded a month ago with John Heimann, Director, Security Program Management, and Roger Raj, Senior Consulting Technical Director. Lasting about one hour, this webcast discussed some of the good practices around database security configuration and patch application. If you are faced with implementing the Critical Patch Update for the first time, then this webcast is for you, because it discusses how to develop a patch strategy in your organization and identifies common pitfalls to avoid. You can also find additional technical resources on the Oracle Software Security Assurance page on Oracle.com.