
04/12/2007
Oracle Critical Patch Update Pre-Release Announcement

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2007 which will be released on Tuesday, 17 April 2007.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. This Critical Patch Update contains 37 security fixes across all products.  Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS scoring (see Oracle MetaLink Note 394486.1). The highest CVSS base score of vulnerabilities across all products is 7.0.

Supported Products Affected

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

  • Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
  • Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
  • Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
  • Oracle Secure Enterprise Search 10g Release 1, version 10.1.8
  • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
  • Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
  • Oracle Application Server 10g (9.0.4), version 9.0.4.3
  • Oracle10g Collaboration Suite Release 1, version 10.1.2
  • Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
  • Oracle E-Business Suite Release 12, version 12.0.0
  • Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
  • Oracle Enterprise Manager 9i, version 9.0.1.5
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
  • Oracle PeopleSoft Enterprise Human Capital Management version 8.9
  • JD Edwards EnterpriseOne Tools version 8.96
  • JD Edwards OneWorld Tools SP23
  • Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
  • Oracle9i Database Release 2, versions 9.2.0.5
  • Oracle Database 10g Release 2, version 10.2.0.1
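Before the advisory itself is published, the practical first step is to confirm which of the releases above you are running and whether an earlier CPU is already recorded. The SQL below is an added example, not part of the Oracle announcement; it assumes a 10g database, where the catcpu.sql step of the CPU database patch writes a row with ACTION = 'CPU' into DBA_REGISTRY_HISTORY (9i has no such view, so on 9i rely on "opatch lsinventory" instead):

```sql
-- Added example (not part of the Oracle announcement): confirm the
-- database release against the affected list above, then check whether
-- a CPU has been recorded in the registry history.
-- Assumes a 10g database; DBA_REGISTRY_HISTORY is populated by the
-- catcpu.sql step of the CPU's database patch.

-- 1. Which release is this? Compare the banner with the affected-version list.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Has a CPU been applied post-install? Rows with ACTION = 'CPU' come
--    from catcpu.sql. An empty result means the SQL part of the patch was
--    never run, even if OPatch reported success for the binary part.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 WHERE action = 'CPU'
 ORDER BY action_time DESC;
```

Run both queries as a DBA user. The second query is the one that catches the common failure mode of a CPU rollout: the OPatch inventory shows the patch, but the post-install SQL against the data dictionary was skipped, leaving the PL/SQL fixes unapplied.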

Executive Summaries

Oracle Database Executive Summary

This Critical Patch Update contains 13 new security fixes for the Oracle Database. Additionally, 2 new security fixes for Oracle Enterprise Manager, 1 new security fix for Oracle Workflow Cartridge, and 1 new security fix for the Ultra Search component affect code bundled with the Oracle Database.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. 2 of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed.

The highest CVSS base score of vulnerabilities affecting Oracle Database products is 7.0.

The Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Advanced Queuing
  • Advanced Replication
  • Authentication
  • Change Data Capture (CDC)
  • Core RDBMS
  • Oracle Agent
  • Oracle Instant Client
  • Oracle Streams
  • Oracle Text
  • Oracle Workflow Cartridge
  • Rules Manager, Expression Filter
  • Ultra Search
  • Upgrade/Downgrade

Oracle Application Server Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Application Server. There is also 1 Oracle Workflow Cartridge fix and 1 Oracle Secure Enterprise Search fix that affect Oracle Application Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. No new fixes are applicable to client-only installations, i.e. installations that do not have Oracle Application Server installed.

Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU. Oracle Application Server 10g Release 3 (10.1.3.0.0) is not affected by Application Server specific vulnerabilities, but includes Oracle Database code that needs to be patched by applying the Oracle Application Server patch.

The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 4.2.

The Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle COREid Access
  • Oracle Discoverer
  • Oracle Portal
  • Oracle Wireless
  • Oracle Workflow Cartridge
  • Oracle WebCenter Suite - Secure Enterprise Search

Oracle Collaboration Suite Executive Summary

There is 1 new Oracle Collaboration Suite specific fix in this Critical Patch Update. There is also 1 Oracle Workflow Cartridge fix that affects Oracle Collaboration Suite. Neither is remotely exploitable without authentication.

Oracle Collaboration Suite bundles the Oracle Database. All Oracle Database fixes included in this CPU are applicable.

The highest CVSS base score of Oracle Application Server vulnerabilities affecting Oracle Collaboration Suite is 1.4.

Oracle E-Business Suite and Applications Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle E-Business Suite.  2 of these vulnerabilities may be remotely exploited without authentication, i.e. they may be exploited over a network without the need for a username and password.

Oracle E-Business Suite products include an Oracle Database which has vulnerabilities fixed in this CPU. These Oracle Database vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).

Oracle Life Sciences Applications (previously known as Oracle Pharmaceutical Applications) includes Oracle Application Server components which should be patched (the documentation released with the Critical Patch Update will provide details).

The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 4.2.

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Application Object Library
  • Oracle Applications Manager
  • Oracle Common Applications
  • Oracle iProcurement
  • Oracle iStore
  • Oracle iSupport
  • Oracle Report Manager
  • Oracle Sales Online
  • Oracle Trade Management
  • Oracle Workflow Cartridge

Oracle Enterprise Manager Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager, both of which may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password.

Oracle Enterprise Manager includes Oracle Database and Oracle Application Server components which have vulnerabilities fixed in this CPU. These Oracle Database and Application Server vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).

The highest CVSS base score of vulnerabilities affecting Enterprise Manager products is 2.3.

Only the Oracle Agent component of Oracle Enterprise Manager is affected by vulnerabilities that are fixed in this Critical Patch Update.

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle PeopleSoft Enterprise PeopleTools, 1 new security fix for PeopleSoft Enterprise Human Capital Management, and 1 new security fix for JD Edwards EnterpriseOne and JD Edwards OneWorld Tools. None of the underlying security vulnerabilities is remotely exploitable without authentication, i.e. none may be exploited over a network without the need for a username and password.

The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise products is 2.4.

The Oracle PeopleSoft Enterprise components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • JD Edwards HTML Server
  • PeopleSoft Enterprise Human Capital Management
  • PeopleTools

Source: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
