Tuesday Jan 15, 2013

January 2013 Critical Patch Update Released

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Product Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EntepriseOne, 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections for the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for Oracle Sun products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 is for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 are for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux). 

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 

 

 

Tuesday Jan 17, 2012

January 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle just released the January 2012 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities affecting a wide range of Oracle products families including: Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Virtualization, Oracle Sun product suite, and Oracle MySQL.  Note again that security fixes for Java SE continue to be released on a different schedule because of commitments made before the completion of the Sun acquisition.

Out of the 78 new fixes, 2 affect the Oracle Database.  The maximum CVSS Base Score for the Database vulnerabilities fixed in this Critical Patch Update is 5.5, however Oracle considers these fixes to be important.  In a previous blog entry, we discussed how CVSS Base Scores are computed, and we highlighted the fact that the CVSS Base Score scale is designed to rate the severity of vulnerabilities ranging up to complete exploitation of the affected system down to the Operating System layer (CVSS Base Score greater than 7.5). 
One of the database vulnerabilities fixed in this Critical Patch Update has received a CVSS Base Score of 5.0.  It is a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it).  In other words, this vulnerability could allow an unauthenticated attacker to carry a denial of service attack against the targeted database, for example if it were to be exposed to the Internet.

Though not remotely exploitable without authentication, the other database fix provided in this Critical Patch Update is also important.  This database bug, which was also reported to Oracle by InfoWorld, may have wider non-security related consequences for a small number of customers.  Database customers are therefore strongly encouraged to apply this Critical Patch Update and consult My Oracle Support Note 1376995.1 for additional instructions.

11 of the 78 new fixes provided by this Critical Patch Update are for Oracle Fusion Middleware.  The highest CVSS Base Score for these Oracle Fusion Middleware bugs is 6.4. 

An additional 17 fixes affect the Oracle Sun product suite, including Solaris, Glassfish Enterprise Server, and OpenSSO.  The highest CVSS Base Score for these Sun product suite vulnerabilities is 7.8.

3 new fixes affect Oracle virtualization.  The maximum CVSS Base Score for these vulnerabilities is 3.7.  This score is related to a vulnerability affecting Oracle VM VirtualBox.

Finally, Oracle MySQL receives 27 fixes.  The maximum CVSS Base Score for these MySQL vulnerabilities is 5.5.  One of these vulnerabilities is remotely exploitable without authentication.  Note that this is the first time that MySQL fixes are being included in the Critical Patch Update.

Oracle continues to recommend that customers apply all security patches and keep up with newer releases as a means to continue to preserve their security posture.  As highlighted in this Critical Patch Update, the decreasing number of fixes produced for the most mature product lines in recent Critical Patch Updates should not be construed as an indication that Critical Patch Updates are becoming less important to the security posture of Oracle customers.  Furthermore, security research continues to show that unpatched systems remain an attractive target for malicious hackers.  Fortunately, Oracle customers can leverage a number of tools, including My Oracle Support, to keep up with recommended security and non-security releases.

 

For More Information:

Wednesday Dec 14, 2011

Keeping Up With Newer Releases is Good Security Practice

Hi, this is Eric Maurice again.

On October 18th 2011, Oracle released the October 2011 Critical Patch Update.  As usual, this Critical Patch Update included a number of fixes across a wide range of products, including the Oracle Database.  In the blog entry summarizing the Critical Patch Update, I highlighted the fact that the number of fixes released for the Oracle Database were expected to remain low and made the following statement:

“As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.”

In today’s follow-up, we are going to discuss the various patching options available to Oracle Database customers and go over the security benefits resulting from keeping up with the most recent releases (patch sets and major releases) of the Oracle Database.  Note that many of the concepts discussed in this blog are also applicable for Oracle Fusion Middleware and Oracle Enterprise Manager products.

In order to provide the best security posture to all Oracle customers, Oracle’s security fixing policies generally require Oracle to fix security vulnerabilities in severity order: in other words, Oracle tries to fix the most severe vulnerabilities first.

Oracle provides Database security and non-security fixes in major releases, Patch Sets, and Patch Set Updates (PSUs), whereas traditional Critical Patch Update patches (not PSUs) include only security fixes (more details about the content of each of these types of patches follow). 

Let’s have a more detailed look into the content that goes in the different types of Oracle patches and updates and how this content might affect an organization’s patching strategy.

Traditional Critical Patch Update patches include only security vulnerability related content.  They generally provide fixes for higher risk security vulnerabilities.  Oracle’s focus with these patches is to address higher risk issues while ensuring that customers’ environments remain stable after patch application.  These patches include fixes for vulnerabilities, which can be directly exploitable, e.g. buffer overflows, and which could ultimately result in the takeover of the targeted system. 

Traditional Critical Patch Update patches typically do not address issues that cannot be directly exploited (e.g. as violation of least privilege policy and other security in depth fixes) unless they could aggravate the impact of another directly exploitable issue.  They also do not provide fixes for issues for which there are no exploits but which are otherwise against safe secure coding principles.  For example, we routinely fix issues such as specific uninitialized variables, which have no known security exploits, but for which we are concerned that someone might find a way to exploit.  

Traditional Critical Patch Update patches also do not include fixes for certain exploitable issues that have very low risk when the fixes could result in customer applications failing to work properly without modification.  They also do not include fixes for exploitable issues that are very low risk (such as when the exploitation window is very narrow, for example when limited to a short period during installation).  In addition, Critical Patch Updates typically do not include fixes that require large scale code modification or for which there is no reasonable patching mechanism.

Again, Oracle’s focus with the traditional Critical Patch Update patches is to address higher risk issues while ensuring that their application will not cause customers to experience significant impact in production.

Patch Set Updates (PSUs) are another type of bundled patches distributed under the Critical Patch Update program.  In addition to containing all the fixes contained in the traditional Critical Patch Update bundles, PSUs also contain non-security fixes for issues that have been reported by multiple customers. 

These non security PSU fixes are designed to provide high-reward / low-risk fixes, and are an expression of Oracle’s overall proactive support strategy.  Before their inclusion in a PSU, Oracle will have determined that these non-security fixes have already been installed at a number of customer sites with no reported negative effects.  A Patch Set Update is denoted by incrementing the 5th place in the version string (e.g. Oracle Database Server 11.2.0.3.1). 

Next, let’s have a look at Patch Sets.  A Patch Set release is identifiable by the 4th place in the version string (For example, 11.2.0.2.0, 11.2.0.3.0).  Patch Sets contain all the PSU fixes as well as additional content.  This additional content includes reworked security PSU fixes to make them more extensive or to cover more in-depth issues.  It can also include additional fixes for security in-depth issues, including fixes for issues such as uninitialized variables, and other issues related to unsafe coding practices, which are not known to be exploitable but nevertheless have been fixed by Oracle to prevent their use in case they were ever discovered by an attacker. 

Major releases (denoted by the number before and the digit after the “dot” in the version number, e.g. for Oracle Database 11g Release 1 the major release would be the "11.1" in the patch set 11.1.0.7) contain all the above Patch Set fixes as well as additional reworked security fixes to make them more extensive or to cover more in-depth issues.  Major releases also contain many additional fixes for security in-depth issues as well as major architectural fixes that improve security in a comprehensive manner.  In addition to providing new product features, major releases will also contain fixes that were not delivered in Patch Sets or PSUs because of Oracle’s concerns about negative impact on existing applications without code or significant configuration changes.

Note again that because of Oracle’s policies governing the sequencing of the security fixes, it is possible that certain security fixes will be included in Patch Sets or product releases distributed before the relevant Critical Patch Update.  In other words, in some instances the fix for a given vulnerability may be included in a Patch Set or a product release, before the vulnerability is fixed in a consequent Critical Patch Update.  Furthermore, though we try to avoid such a situation, there are instances where security fixes cannot be backported to previous but still supported releases because the nature of the fix is too complex, may require an in-depth re-engineering of the code, or may require extensive code or configuration changes by the customers.  In such instances, the security fixes may only be available through a patchset or more likely through a major release.

Oracle recommends that, to optimize their security posture, as well as to fully take advantage of Oracle’s proactive support model (through the release of low risk fixes for commonly encountered issues), customers have a plan that includes regular patch sets and release upgrades coupled with quarterly patch set updates.  Such upgrades are provided without additional charge to customers with Oracle Premier Support

These upgrades provide not only critical security benefits, even in instances where customers apply ALL the Critical Patch Updates in a timely fashion, but also provide tangible production benefits as customers on recent releases are less likely to experience production issues, that have been reported by other customers, and for which Oracle produced a fix.

For more information:

Tuesday Oct 18, 2011

October 2011 Critical Patch Updates Released

Hello, this is Eric Maurice.

Oracle just released the October 2011 Critical Patch Update and the Critical Patch Update for Java SE.  As explained in previous blogs, because of commitments made before the completion of the Sun acquisition, the security patches for Java SE are typically released on a different schedule than other Oracle products. However, today, the release date of the Critical Patch Update for Java SE coincided with the regular Critical Patch Update release schedule.

The October 2011 Critical Patch Update for Java SE provides fixes for 20 new security vulnerabilities.  The highest CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0, and it is applicable to 6 vulnerabilities.  In addition, one of these 20 new fixes is for the “BEAST” exploit.  “BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389, and it has a CVSS Base Score of 4.3.  Note also that beginning with this Critical Patch Update, security fixes for Oracle JRockit will no longer be released with the Oracle Fusion Middleware fixes but instead will be released along with Java SE fixes in the Critical Patch Update for Java SE.  The primary benefit of this change is that Oracle JRockit will now receive Java-related fixes as soon as these fixes are released by Oracle (JRockit fixes were previously distributed with other Oracle Fusion Middleware fixes in the next Critical Patch Update that followed the Critical Patch Update for Java SE).

The October 2011 Critical Patch Update provides fixes for 57 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Linux and Virtualization, and Oracle Sun product suite.  None of the 57 new fixes are applicable for client-only deployments. 

Of the 57 new fixes, 5 are for Oracle Database Server.  None of the Oracle Database Server vulnerabilities addressed in this Critical Patch Update are remotely exploitable without authentication.  The most severe vulnerability affecting the Oracle Database Server products suite affects Oracle Application Express (APEX), and it has received a CVSS Base Score of 6.5.  None of these fixes are applicable to client-only deployments.

As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments. 

22 out of the 57 fixes provided with this Critical Patch Update are for the Oracle Sun product suite.  The most severe of these vulnerabilities affect the LDAP Library in Sun Solaris (CVE-2011-3508) and has received a CVSS Base Score of 9.3.  Oracle recommends that Solaris customers apply this Critical Patch Update as soon as possible.


Finally, please note that this Critical Patch Update lists a fix for Oracle Linux.  Starting with this Critical Patch Update, security fixes in proprietary components of Oracle Linux will be listed in the Critical Patch Update advisory.    However, the security fixes for the code generated by the Linux community, as well as those for proprietary Oracle components will continue to be released through the El-errata documentation, in the same fashion as before.

For more information:

 

 

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
11
12
13
14
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today