Oracle released its scheduled Critical Patch Update (CPU) on January 18th, 2011. Oracle publishes a CPU four times a year; each one bundles code patches for the security vulnerabilities Oracle has fixed since the previous release. This CPU contains 66 code patches spanning a range of Oracle products: the database, WebLogic Server, Oracle Database Vault, Oracle E-Business Suite and others.
As Oracle users know, the CPUs are Oracle’s primary mechanism of providing security vulnerability fixes to users with valid support licenses. Just to get an idea as to what these CPUs contain, here’s a summary of the CPU fixes for the Oracle database server:
5 security fixes, of which one addresses a security vulnerability that may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle provides a risk matrix for each of its products in the documentation of every CPU. It classifies each vulnerability by access vector (local versus network), access complexity, authentication, and the impact on confidentiality, integrity and availability. It also assigns a summary base score (ranging from 1 to 10, with 10 being the highest risk) to each vulnerability and the product it affects. In this CPU release, some products, such as Oracle Audit Vault and Oracle WebLogic Server, have received a base score of 10.0 for some of their vulnerabilities.
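The matrix described above uses the CVSS version 2 base metrics, and the base score follows directly from them. The following is an added example, not code from the original post: it recomputes a CVSS v2 base score from a metric vector and orders the rows of a risk matrix so that the "remotely exploitable without authentication" fixes come first. The component names and vectors in `SAMPLE` are constructed for illustration and are not Oracle's data.

```python
# Added example (not from the original post): recompute Oracle's risk-matrix
# base score from its CVSS v2 metrics and triage the rows of a CPU.
# Weights below are from the CVSS v2 specification; sample rows are constructed.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # confidentiality / integrity / availability


def parse(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def base_score(vector: str) -> float:
    """CVSS v2 base score (0.0-10.0), rounded to one decimal as the spec requires."""
    m = parse(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # a fix with no impact scores 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def remote_unauthenticated(vector: str) -> bool:
    """The class the advisory singles out: reachable over the network, no credentials."""
    m = parse(vector)
    return m["AV"] == "N" and m["Au"] == "N"


def triage(rows):
    """Order (component, vector) rows: remote/no-auth first, then by descending score."""
    scored = [(c, base_score(v), remote_unauthenticated(v)) for c, v in rows]
    return sorted(scored, key=lambda r: (not r[2], -r[1]))


# Constructed rows shaped like a CPU risk matrix; the vectors are not Oracle's.
SAMPLE = [
    ("Listener (constructed)", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("PL/SQL package (constructed)", "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("Local utility (constructed)", "AV:L/AC:M/Au:S/C:C/I:C/A:C"),
    ("Admin console (constructed)", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for component, score, remote in triage(SAMPLE):
        flag = "remote, no auth" if remote else ""
        print(f"{score:4.1f}  {component:30}  {flag}")
```

A full-impact, network-reachable, unauthenticated vector scores 10.0, which is the ceiling the post mentions for Audit Vault and WebLogic Server; the triage order puts such rows ahead of a higher-scoring fix that needs credentials or local access.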
Oracle users are aware of the importance of the CPUs; however, companies differ in how they implement the fixes. Some IT groups have a standing policy that the Oracle DBAs must schedule testing of each CPU as soon as it is released and, once the tests pass, roll it out to all production databases right away. Other IT shops have no such policy and prefer to apply these cumulative CPU patches once a year, or even less often.
Since CPUs do not change application functionality or affect the performance of the database itself, companies should adopt as an Oracle best practice the implementation of each CPU as Oracle releases it (every quarter) in order to improve the security of their databases. Over the years, several CPUs have fixed major security vulnerabilities that gave attackers easy access.