October 2010 and Java Critical Patch Updates Released
By Eric P. Maurice on Oct 12, 2010
Hello, this is Eric Maurice.
Security fixes for Java SE and Java for Business are included in a separate Critical Patch Update because the publication schedule of the Java fixes is not the same as the publication schedule of the Critical Patch Update for other Oracle products. These different schedules are due to commitments made to Java customers prior to the Sun acquisition. In 2011, 3 separate Critical Patch Updates for Java will be issued. Only one of these Java Critical Patch Updates should be released on the same day as the normal Critical Patch Update (on October 18, 2011).
Today's Critical patch Update for Java includes fixes for 29 new security vulnerabilities. 15 of these 29 vulnerabilities yield a CVSS Base Score of 10.0 affecting multiple components of Java. Oracle therefore recommends that Java customers apply this Critical Patch Update as soon as possible.
The October 2010 CPU (CPUOct2010) provides 85 new security fixes, 31 of which are for Oracle Sun products (i.e., former Sun product lines). The following product families are affected: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite and Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Primavera, Oracle VM, and as previously discussed, the Oracle Sun product line (including OpenOffice).
7 of the new vulnerabilities fixed in the October 2010 CPU are for Oracle Database Server, and only one of these vulnerabilities is remotely exploitable without authentication. The maximum CVSS score for these vulnerabilities is 6.5. Oracle continues to recommend that Database customers apply this Critical Patch Update as soon as possible in order to maintain their defense in depth posture. Database customers should also familiarize themselves with the patching options provided to them, and consider the use of Patch Set Update patches as opposed to traditional CPU patches (when applicable). See the following blog entry to learn more about the benefits of the Patch Set Update format of patches.
Note that the Oracle Enterprise Manager Grid Control vulnerability only affects Application Server and Database Server Control deployments. The exposure to these products depends on the version that has been deployed. Oracle therefore recommends that customers apply this patch and refer to My Oracle Support Note 1159443.1 for more information.
A significant portion of the newly fixed vulnerabilities in this Critical Patch Update affect Oracle Sun products. While the continuous inclusion of new product lines in the Critical Patch Update program affects the identification of any kind of meaningful trends in overall CPU size, it demonstrates the flexibility of the program. It also demonstrates a conscious desire to simplify as much as possible the security patch management tasks for its customers. From a customer perspective, there are strong advantages in getting all security patches for related products across all supported platforms and versions combinations on a single day, whose date is announced with a year notice.
The Oracle Sun products affected by the 31 new vulnerabilities fixed in this CPU include Oracle Solaris and OpenSolaris, Oracle OpenOffice, Sun Convergence, and Oracle Sun Directory Server Enterprise Edition. With a CVSS Base Score of 10.0. and 9.0, the two most critical vulnerabilities for products other than OpenOffice affect Solaris and OpenSolaris respectively.
This CPU includes 5 new fixes for OpenOffice, to address vulnerabilities that have all received a CVSS Base Score of 9.3 to reflect deployment scenarios when OpenOffice is used by a user with root or administrator privileges. When OpenOffice is used by a user with limited OS privileges, the CVSS Base Score is 6.8, reflecting the fact that a successful exploitation of one of these vulnerabilities cannot result in a full compromise down to the OS when the application is run with limited (i.e. non root or administrative) privileges. OpenOffice customers can get these security patches now, without waiting for the next automated update, by using the "check for updates" feature in OpenOffice.
For more information:
- The Critical Patch Updates and Security Alerts page is located at : http://www.oracle.com/technetwork/topics/security/alerts-086861.html
- A short document describing the changes in security policies for the Sun product lines is available at : http://www.oracle.com/technetwork/topics/security/changesforsunsecuritypolicies-162219.html
- More information about Oracle Software Security Assurance, including Oracle security fixing policies, is available on: http://www.oracle.com/us/support/assurance/index.html