I’ve been out of office when the April CPU / PSU has been officially released by Oracle and missed to write a blog post. Nevertheless I’ll now take the chance to put a few information and links around the latest CPU together.
The current CPU / PSU patches are available for 10g and 11g, whereby the download of 10g patches is only possible with a corresponding Extended Support contract.
Overall Oracle addressed 88 vulnerabilities for several Oracle products in this security advisory. 6 of these fixes are just for the Oracle Database Server and one for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 9.0, which is quite high. But the big bang are not security fixes with a CVSS of 9.0 but old vulnerabilities which are not fixed. oracle addressed them with a dedicated alert Oracle Security Alert for CVE-2012-1675. The alert is related to an issue identified by Joxean Koret somewhen in 2008 and known as TNS Poison I’ll post a few comments on this later this week.
Affected database component according to the Database Server Risk Matrix:
- Core RDBMS (mainly Oracle Net)
- Application Express
- Enterprise Manager Base Platform
The Database Server Patch’s are available for Oracle Database 11g Release 2 (220.127.116.11, 18.104.22.168), Oracle Database 11g Release (22.214.171.124) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5). There is no patch available for Oracle Database 10g Release 1 (10.1.0.5).
- Oracle Database 126.96.36.199 => normal CPU/PSU
- Oracle Database 188.8.131.52 => normal CPU/PSU
- Oracle Database 184.108.40.206 => normal CPU/PSU
- Oracle Database 10.2.0.x => normal CPU/PSU
A bunch of useful links around the current CPU / PSU:
- Oracle Critical Patch Update Advisory – April 2012
- Oracle Critical Patch Update April 2012 Documentation Map [1395797.1]
- Patch Set Update and Critical Patch Update April 2012 Availability Document[1406574.1]
- The security alert after the critical patch update advisory Oracle Security Alert for CVE-2012-1675. I’ll write a bit more information in a separate post.
As well as a few generic links about CPU / PSU:
- Critical Patch Updates and Security Alerts
- Release Schedule of Current Database Releases [ID 742060.1]
- Risk Matrix Glossary – terms and definitions for Critical Patch Update risk matrices [ID 394486.1]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ID 394487.1]
- DB, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]