Category Archives: CPU

Oracle released CPU / PSU January 2013

As announced in my post about Oracle’s pre-release announcement of last week, Oracle has now released the first Critical Patch Update for 2013. Overall this CPU contains 86 new security fixes across several Oracle products such as Database Server, MySQL Server, Sun Product Suite, WebLogic Server, etc. For products like Oracle Database Mobile it contains quite a few critical security fixes with a CVSS rating of 10. On the other hand there is just one security fix for regular Oracle database servers, and it relates solely to the SPATIAL option. For the many Oracle database servers that do not use the Spatial option, this CPU is not so critical. It’s probably worth waiting for the CPU of April 2013.
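To decide whether the single database fix in this CPU matters for a given instance, an administrator wants to know whether Spatial is installed, whether it is actually used by application schemas, and which CPU / PSU is already applied. The queries below are an added example, not from the original post; they assume a DBA-privileged account on a 10g / 11g database and use only the standard DBA_REGISTRY, DBA_TAB_COLUMNS and DBA_REGISTRY_HISTORY views.

```sql
-- Added example (not from the original post): triage queries for the
-- January 2013 CPU, run as a DBA user on an Oracle 10g / 11g database.

-- 1. Is the Spatial option (component id SDO) installed, and is it valid?
--    No row, or STATUS = 'REMOVED', means the database fix in this CPU
--    does not apply to this instance.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'SDO';

-- 2. Is Spatial actually used? The option is installed by default in many
--    databases; SDO_GEOMETRY columns outside the Oracle-owned schemas show
--    real application use and therefore real exposure.
SELECT owner, table_name, column_name
  FROM dba_tab_columns
 WHERE data_type = 'SDO_GEOMETRY'
   AND owner NOT IN ('MDSYS', 'SYS', 'SYSTEM')
 ORDER BY owner, table_name;

-- 3. Which CPU / PSU bundles have already been applied to this database?
--    The most recent row shows the current patch level to compare against
--    the January 2013 bundle once it is installed.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

If query 1 returns no row or query 2 returns no rows, the instance is not exposed to the Spatial fix, which supports the decision to defer to the April 2013 CPU.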

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 16 April 2013
  • 16 July 2013
  • 15 October 2013
  • 14 January 2014

References

Links all around the Critical Patch Update:

Oracle CPU / PSU Pre-Release Announcement January 2013

Today Oracle published the Pre-Release Announcement for the first CPU in 2013. This Critical Patch Update contains 86 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is quite a small update: there is only one security fix for the Oracle Database Server and none for client-only installations.

Although the CVSS rating of this vulnerability is 9.0, it looks as if there is no hurry to install this security fix on most database environments, because only the Spatial option is affected. Whether this is true we’ll see next Tuesday, when Oracle officially releases CPU / PSU January 2013. Next week I’ll have a closer look.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Pre-Release Announcement October 2012

Today Oracle published the Pre-Release Announcement for the October CPU. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are for the Oracle Database Server, including 2 fixes for client-only installations. What frightens me a bit is the CVSS Base Score of 10 for the core RDBMS; Oracle apparently has to close another big security issue. The core RDBMS is, by the way, the only component which has to be patched by this CPU. In combination with this severity, everybody will have to patch. SCN flaw, TNS poisoning, Oracle password hashing algorithm weaknesses, etc.: it is obviously the Oracle year of critical issues. Anyway, we will see the details next week. As mentioned, only the following Database Server products are affected.

  • Core RDBMS

So far the Database Server patches are planned for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.2.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5).

The official release of the CPU / PSU is planned for next week, 16 October 2012. More details about the patch will follow soon on the Oracle Security Pages.

Important links around the Oracle CPU / PSU April 2012

I was out of office when the April CPU / PSU was officially released by Oracle and missed writing a blog post. Nevertheless I’ll now take the chance to put a few pieces of information and links about the latest CPU together.
The current CPU / PSU patches are available for 10g and 11g, whereby downloading the 10g patches is only possible with a corresponding Extended Support contract.
Overall Oracle addressed 88 vulnerabilities across several Oracle products in this security advisory. 6 of these fixes are for the Oracle Database Server and one for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 9.0, which is quite high. But the big bang is not the security fixes with a CVSS of 9.0 but old vulnerabilities which are not fixed. Oracle addressed them with a dedicated alert, Oracle Security Alert for CVE-2012-1675. The alert is related to an issue identified by Joxean Koret sometime in 2008 and known as TNS Poison. I’ll post a few comments on this later this week.

Affected database components according to the Database Server Risk Matrix:

  • Core RDBMS (mainly Oracle Net)
  • OCI
  • Application Express
  • Enterprise Manager Base Platform

The Database Server patches are available for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.1.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5). There is no patch available for Oracle Database 10g Release 1 (10.1.0.5).

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU:

Update: Oracle released CPU / PSU January 2012

As I mentioned in a previous post, Oracle CPU / PSU Pre-Release Announcement January 2012, the CPU / PSU patches are available for 10g and 11g, whereby the download of 10g patches is again possible without a corresponding Extended Support contract. I assume this is related to the SCN flaw. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 5.5, which seems not critical. On the other hand it looks like one of these bug fixes is related to the Oracle SCN flaw. I’ll post a few comments on this later this week.

  • Core RDBMS (related to the SCN flaw)
  • Listener

The Database Server patches are available for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.2.0.7), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). It looks like the first CPU in 2012 is also the first one for 11.2.0.3.

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU:

Oracle CPU / PSU Pre-Release Announcement January 2012

Oracle has recently published the Pre-Release Announcement for the CPU. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 5.5, which seems not critical. But on the other hand Oracle mentions that 1 of these 2 fixes may be remotely exploitable without authentication. If this is true, I would expect a higher CVSS rating. We will see the details next week. Nevertheless the following Database Server products are affected.

  • Core RDBMS
  • Listener

So far the Database Server patches are planned for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.2.0.7), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). It looks like the first CPU in 2012 is also the first one for 11.2.0.3.

The official release of the CPU / PSU is planned for next week, 17 January 2012. More details about the patch will follow soon on the Oracle Security Pages.

Update: Oracle released CPU / PSU October 2011

Oracle has just officially released the CPU / PSU patches for October 2011. In contrast to the previously announced 56 bug fixes, there are now 57. It looks like another bug fix for databases has been added to the CPU / PSU bundle. Nevertheless, none of them is remotely exploitable without authentication. None of these fixes are applicable to client-only installations. The maximum CVSS rating for the database vulnerabilities is still 6.5.

The following Database Server Products are affected.

  • Application Express
  • Core RDBMS
  • Database Vault
  • Oracle Text

As I mentioned in a previous post, Oracle CPU / PSU Pre-Release Announcement October 2011, the CPU / PSU patches are available for 10g and 11g, whereby the download of 10g patches is only possible with a corresponding Extended Support contract. A brief overview of the available versions:

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU: