Oracle patches DB, apps

Oracle on Tuesday delivered 41 patches--including two that are rated the highest risk--for a wide range of products.

According to the Oracle security team blog:

This Critical Patch Update (CPU) addresses a total of 41 vulnerabilities affecting Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications. Fifteen of these vulnerabilities are specific to Oracle Database Server (an additional two affect Application Express). Note, however, that a number of these Database Server vulnerabilities affect optional Database Server components, and only one of these Database Server vulnerabilities can be remotely exploitable without authentication.

Specifically, the patch haul, which was expected, covers the following products:

  • Oracle Database 11g, version 11.1.0.6
  • Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
  • Oracle Database 10g, version 10.1.0.5
  • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
  • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
  • Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
  • Oracle Application Server 10g (9.0.4), version 9.0.4.3
  • Oracle Collaboration Suite 10g, version 10.1.2
  • Oracle E-Business Suite Release 12, version 12.0.4
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09
  • Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
  • Oracle Siebel SimBuilder versions 7.8.2, 7.8.5

All the details are on Oracle's patch roundup. Good luck with it: Oracle's approach isn't the most user-friendly on the planet. The risk matrix is especially complicated. Oracle's outline of patches makes Microsoft's grid look easy.

Talkback

1 comment
  • Oracle Critical Patch Update Risk Matrix & CVSS

    Hi Larry! This is Eric Maurice of Oracle.

    An important document for Oracle customers, the Critical Patch Update (CPU) Advisory lists the vulnerabilities addressed in the CPU and provides other information related to the patches (affected platforms, technical requirements, where to download the patchsets, etc.). It is important to note that the CPUs address vulnerabilities across many Oracle products, including database server, application server, business applications, etc.

    The risk matrices in the advisory are designed to provide the necessary information for customers to assess the severity of each new vulnerability addressed in the CPU without disclosing technical information that could help a malicious attacker develop exploit code for these vulnerabilities.

    The risk matrices list the vulnerabilities in order of severity (most severe first), and then provide the following for each vulnerability:
    1) Information about the affected component
    2) Affected protocol
    3) Package or privilege required
    4) Whether the vulnerability is remotely exploitable without authentication (to the targeted system)
    5) The CVSS 2.0 Base Score
    6) The CVSS 2.0 values for Access Vector, Access Complexity, Authentication, and the CVSS 2.0 impact values for Confidentiality, Integrity, and Availability
    7) Lastly, the last affected patch set (affected supported release information)

    Oracle was one of the first software vendors to adopt the Common Vulnerability Scoring System (CVSS) standard to disclose the severity of the vulnerabilities in its products (in October 2006 we introduced the use of CVSS in the CPU documentation; at the time, version 1.0 of the standard was used). The adoption of CVSS came as a result of customers' feedback: we moved from a proprietary reporting scheme to a well-recognized and extensively documented standard. The complete documentation for CVSS 2.0 is available online at http://www.first.org/cvss/cvss-guide.html. Oracle also recorded a short webcast explaining how to interpret the risk matrices; this webcast is available on http://www.oracle.com/pls/ebn/live_viewer.main?p_direct=yes&p_shows_id=5041060. A few months ago, I also previously posted a blog series discussing how the CVSS scoring system works. The first entry of this series is available at http://blogs.oracle.com/security/2007/11/02#a157.

    I think that --to a large extent-- many critics of the CPU risk matrices do not fully understand the CVSS standard, hence the confusion. Shouldn't a vendor be commended for its use of a standard severity scoring system instead of using a proprietary system? Enterprise customers have to deal with patching heterogeneous environments, and the feedback we received from customers is that the use of CVSS results in simplifying their analysis (as opposed to trying to interpret each vendors' proprietary vulnerability documentation).
    eric.maurice@...