Critical Patch Update for April 2007 Now Available

I was startled by the results of an informal survey taken in an Apps security-related session at Collaborate 07 last week.  The majority of session attendees indicated that they were two or more Critical Patch Updates (CPU) behind the latest release.


I'll just underline the obvious:  Critical Patch Updates deliver critical security-related fixes for all of your Oracle technology stack components, including patches for E-Business Suite Release 11i and 12. 

It's also important to note that Critical Patch Updates for the E-Business Suite are generally not cumulative.  Apps sysadmins need to apply all of the released CPUs to their E-Business Suite environment to get all of the latest security-related fixes.

I would strongly recommend adding these patches to your regular E-Business Suite maintenance cycle.  The CPU release dates are published in advance, which should help you schedule their application proactively.

Critical Patch Update for April 2007 now available

The Critical Patch Update Advisory is the starting point for relevant information. It includes the list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities for each product suite, and links to other important documents. Supported products that are not listed in the "Supported Products and Components Affected" section of the advisory do not require new patches to be applied.

It is also essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important, pertinent information.

The next four Critical Patch Update release dates are:
  • July 17, 2007
  • October 16, 2007
  • January 15, 2008
  • April 15, 2008

Comments:

Steven,

Great note.

Just FYI to you - Our experience with a large number of clients from small to large and across all industries shows that most of them do NOT have regular maintenance scheduled for their E-Business environments unless there are statutory requirements to do so (HRMS, FDA Part 11, etc).

It's a constant battle that we have with most organizations especially on the technical side who feel that the old saying "if it ain't broke, don't fix it" applies to ERP environments. :-(

We try to educate the business owners as well as the technical staff but regular maintenance seems to fall lower on the list of things to do especially when there is no immediate "perceived" benefit even though everyone agrees that these are "critical" patches. You would be amazed to hear how many environments don't even have ATG H or any of the ATG Rollups applied.

Time and time again we've heard that this is just another way to keep the "consulting" and testing hours up. We encourage clients that ERP environments require maintenance just like your car and the client needs to perform proper "care and feeding" to get the maximum return for their investment.

Keep up the great work on the blog. Notes and information that you post help us to educate E-Business users that these are required activities and your logic is always faultless and irrefutable. :-)

thx,
John

Posted by John Stouffer on April 26, 2007 at 01:38 AM PDT #

Maybe for the CPUs, you could consider releasing more of your own internal test scripts and design docs for the patches? Or concurrently release a list of early adopter references that have already applied the patches?

As long as the critical patches still look and feel the same as the (very, very, frequent) non-critical patches, it's hard for us to put in a unique process to expedite them as they really should be.

Posted by Jim Cassella on April 27, 2007 at 01:31 AM PDT #

Thanks for your comments, John.  I've circulated them amongst our ATG management team with my own thoughts.

I plan a follow-up article on the wisdom of keeping up to date on patches in a future article.  This is motherhood and apple pie, but like you, it's surprising how many times I hear comments like this from the field.

Regards,
Steven

Posted by Steven Chan on April 27, 2007 at 08:07 AM PDT #

Steven,

Jim has a great point. I realize that it's impossible to test all possible combinations but it would be nice if Oracle could provide something like Integrigy does about the impact of the CPUs.

http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf

For your consideration.

thx,
John

Posted by John Stouffer on April 30, 2007 at 02:45 AM PDT #

John, Jim,

Thanks for your comments.  I've circulated them internally to our Security team, so this thread has gotten very high visibility in Apps Development.  We're having a lively discussion about reasons why Apps customers don't apply CPUs as frequently as anyone might like, and your comments will add additional impetus to this.  We're looking at ways that we can make the CPU process a bit more user-friendly right now.  I'll post more updates here as soon as possible.

Regards,
Steven

Posted by Steven Chan on May 01, 2007 at 04:23 AM PDT #
