Critical Patch Update and Security Alert Programs

Frequently Asked Questions

Last Updated: July 10, 2012

1. Oracle security vulnerability remediation practices overview


1.1 What are Critical Patch Updates (CPUs)?

Critical Patch Updates are sets of patches containing fixes for security flaws in Oracle products. The Critical Patch Update program (CPU) was introduced in January 2005 to provide security fixes on a fixed, publicly available schedule to help customers lower their security management costs. More information about the Critical Patch Update program can be found on http://www.oracle.com/us/support/assurance/remediation/index.html

More information about Oracle's security fixing policies can be found at http://www.oracle.com/us/support/assurance/fixing-policies/index.html

1.2 What are Security Alerts?

Prior to the Critical Patch Update program, fixes for security vulnerabilities were created individually and released when ready. The fixes were released in "Security Alerts" for Oracle products; "Security Advisories" for BEA, PeopleSoft Enterprise and JD Edwards EnterpriseOne products; and "Technical Support Alerts" for Siebel products. Oracle will issue a Security Alert (i.e. release of a security fix outside of the normal CPU schedule) in cases where the urgency of a fix requires it to be released in advance of the next Critical Patch Update. The occasions when Oracle will release one-off security patches are described later in this document.

1.3 When are Critical Patch Updates released?

As of January 2011, Oracle Critical Patch Updates for products other than Java Standard Edition and Enterprise Edition are released at 1 p.m. Pacific Time on the Tuesday closest to the 17th day of January, April, July and October. Upcoming Critical Patch Update release dates for all products, including Java Standard Edition and Enterprise Edition, are listed on http://www.oracle.com/technetwork/topics/security/alerts-086861.html

1.4 Where can I find a list of past Oracle Security Alerts and Critical Patch Updates?

Previously-released Security Alerts and Critical Patch Updates can be found at: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Siebel historical alerts can be found by searching for the term "Security Alert" on the My Oracle Support site at https://support.oracle.com/

PeopleSoft (PeopleTools/Enterprise) historical items can be found in My Oracle Support Note 805773.1 (https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=805773.1)

Historical BEA advisories can be found at http://www.oracle.com/technetwork/topics/security/beaarchive-159946.html

1.5 What happens if a critical security flaw is discovered between the quarterly Critical Patch Updates?

In the case of a dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. If the Security Alert is released with an interim patch, the patch will be included in the next Critical Patch Update. For more information, see Security Vulnerability Fixing Policy and Process at http://www.oracle.com/us/support/assurance/fixing-policies/index.html

2. Patch policies and content


2.1 In which support stages will products receive Critical Patch Updates?

Oracle Lifetime Support policy is located at http://www.oracle.com/support/lifetime-support-policy.html. It defines the period during which product releases are covered by Premier Support and Extended Support agreements. Generally, only releases in these first two stages of support are included in the Critical Patch Update program. For most products, only the latest versions within each release receive Critical Patch Update patches as stated in the "Software Error Correction Support Policy" documents on My Oracle Support. See for example: https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=209768.1&h=Y

2.2 For which Oracle database and Oracle Fusion Middleware releases are CPU patches created?

My Oracle Support Note 209768.1, "Oracle Database, Fusion Middleware, and Collaboration Suite Software Error Correction Support Policy", contains information about the support policies for Critical Patch Updates for these products. In addition, the Patch Availability Note listed in each Critical Patch Update Advisory lists the Database and Fusion Middleware platform and version combinations that are planned for the subsequent Critical Patch Update. The Patch Availability Note also includes information on the product versions and platforms that will receive patches in future Critical Patch Updates.

2.3 Can I request security patches for product versions not currently covered in the CPU program?

Oracle strongly recommends that customers using product versions not covered by the Critical Patch Update program upgrade to versions for which Critical Patch Updates are provided.

2.4 What should I do when a conflict is reported while applying a Critical Patch Update?

Details for handling conflicts for any given Critical Patch Update release are found in the note titled "Critical Patch Update Availability Information for Oracle Database and Fusion Middleware Products". This note is updated with each Critical Patch Update. Furthermore, the Critical Patch Update Advisory section titled "Patch Availability Table and Risk Matrices" contains a link to the correct instance of the note for that Critical Patch Update. The steps for resolving patch conflicts can be found in the note, under the section titled "CPU Patch Conflict Resolution".

2.5 Are previously-released security fixes included in the Critical Patch Update?

Critical Patch Update patches for most products are cumulative; that is, they include all fixes for that product from previous Critical Patch Updates. The products with cumulative Critical Patch Update patches are listed on http://www.oracle.com/us/technologies/security/cpu-products-168427.pdf.

3. Patch installation and patching guidelines


3.1 Are Critical Patch Updates mandatory?

Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. It is not mandatory to install Critical Patch Updates, but Oracle strongly recommends that they are applied to fix security vulnerabilities and minimize the risk of a successful attack.

3.2 How do I determine if I need to apply a Critical Patch Update?

Oracle strongly recommends that every Critical Patch Update be applied as soon as possible to minimize the risk of a successful attack. If this is not possible, customers should determine the risk to machines based on factors such as:

  • the severity of unfixed vulnerabilities;
  • the sensitivity of data stored; and
  • the accessibility of the machine to attackers.

Detailed recommendations are available from the technical white paper "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" available at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf

3.3 Are there any best practices related to Critical Patch Updates? How should an Oracle DBA manage the CPU installation?

Oracle extensively tests the Critical Patch Update patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the Critical Patch Update patches on their own test environments before installing patches on production systems. For more information, see the technical white paper "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" available at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf

3.4 Is it possible to apply workarounds instead of installing Critical Patch Updates?

Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. In certain instances, Oracle can provide specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used by customers to reduce or mitigate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.

4. Critical Patch Update documentation and more information


4.1 What documentation is included in the Critical Patch Update?

The top-level document for each Critical Patch Update is the Critical Patch Update Advisory. A list of all Critical Patch Update Advisories is maintained on the Critical Patch Updates and Security Alerts page on Oracle Technology Network at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Critical Patch Update Advisory provides information designed to help customers make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each newly fixed vulnerability. It references a number of product-specific notes and documents that provide more detailed information, including the location of the patches.

4.2 Is it safe to use information about Oracle security vulnerabilities from third party sites? How accurate is third-party information?

The information available on non-Oracle sites is not always reviewed by Oracle. Some sites may offer misleading information by providing only a small part of the vulnerabilities information disclosed in the Oracle Critical Patch Update or Security Alert documentation. Third-party sites may suggest workarounds that are incorrect, incomplete or untested, and following such advice can lead to system outages.

Oracle strongly recommends that customers rely on information provided by Oracle, specifically the Critical Patch Update or Security Alert documentation, as the only authoritative source of information about Oracle vulnerabilities.

4.3 Why does Oracle use CVE identifiers?

Starting with the July 2008 Critical Patch Update, Oracle started using industry standard Common Vulnerabilities and Exposure (CVE) identifiers rather than the proprietary identifiers used in previous CPUs. The use of CVE identifiers was introduced to simplify the identification of Oracle vulnerabilities when referenced in external security reports, such as those produced by security researchers and vulnerability management systems.

4.4 What is the Security-In-Depth program referenced in the Credit Section of the CPU Advisory?

Starting with the July 2008 Critical Patch Update, Oracle instituted a Security-In-Depth program to provide credit to people who provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates.

4.5 What is the On-Line Presence Security program referenced in the Credit Section of the CPU Advisory?

Starting with the July 2011 Critical Patch Update, Oracle instituted an On-Line Presence Security program to provide credit to people for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

5. CVRF (Common Vulnerability Reporting Format)



5.1 What is CVRF?

CVRF (Common Vulnerability Reporting Format) is an XML interchange format that has been developed by one of the working groups of the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum comprised of leading technology vendors including Oracle. The organization’s mission is to address global, multi-product security challenges to better protect the IT infrastructures that support the world’s enterprises, governments, and citizens.

The CVRF XML format is used to interchange security information about vulnerabilities. Such information includes, but is not limited to, the CVE identifier of the vulnerability, the CVSS score that rates the ease of exploitation and the severity of the vulnerability, the affected products and versions, and the remedy.

5.2 What is Oracle’s involvement with CVRF?

Oracle is a member of ICASI and participated in the definition of CVRF. As of the July 2012 Critical Patch Update, in addition to existing text advisories, Oracle publishes the security advisories in CVRF format. The advisory in the CVRF format can be found in the “references” section of each advisory. Oracle will also provide accompanying files for formatting purposes (.css and .xsl) which allow easier viewing of the CVRF XML data in standard browsers. However, customers may choose to ignore this formatting and only download the CVRF file (in xml format). The CVRF XML files are also available via RSS.
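The practical reason to download the CVRF XML rather than the formatted advisory (sections 5.1 and 5.2 above) is that the same fields the advisory risk matrices present, CVE identifier, CVSS base score, affected products and remedy, can be read by a script and used to decide which systems to patch first. The following is an added example, not Oracle's code or one of its CVRF files: it embeds a constructed CVRF 1.1-style document (placeholder product names and placeholder CVE numbers of the form CVE-0000-000N), resolves the ProductID references in each vulnerability to product names from the product tree, and ranks the findings by CVSS base score. The namespace URIs and element names are taken from the CVRF 1.1 schema as this example assumes it; verify them against the advisory file you actually have.

```python
"""Parse a CVRF 1.1-style advisory and rank its vulnerabilities by CVSS base score.

Added example: the XML below is constructed for illustration and is not an
Oracle advisory. Namespace URIs and element names are assumed from the CVRF 1.1
schema; check them against a real file before relying on this parser.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# CVRF 1.1 namespaces (assumption: as published in the CVRF 1.1 schema).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample document; product names and CVE numbers are placeholders.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Constructed sample advisory (not an Oracle document)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <prod:ProductTree>
    <prod:FullProductName ProductID="CVRFPID-1">Example Database 11.2 (constructed)</prod:FullProductName>
    <prod:FullProductName ProductID="CVRFPID-2">Example Middleware 10.3 (constructed)</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Placeholder issue in an administrative console</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>CVRFPID-1</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>5.5</vuln:BaseScore><vuln:Vector>AV:N/AC:L/Au:S/C:P/I:P/A:N</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix">
      <vuln:Description>Apply the quarterly CPU patch</vuln:Description>
    </vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Placeholder issue in a network listener</vuln:Title>
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>CVRFPID-1</vuln:ProductID><vuln:ProductID>CVRFPID-2</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>9.0</vuln:BaseScore><vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix">
      <vuln:Description>Apply the quarterly CPU patch; restrict listener exposure until then</vuln:Description>
    </vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""


@dataclass
class Finding:
    cve: str
    title: str
    base_score: float
    vector: str
    affected: List[str]      # product names resolved from the ProductTree
    remediation: str


def parse_cvrf(xml_text: str) -> List[Finding]:
    """Extract one Finding per vuln:Vulnerability, resolving ProductIDs to names."""
    root = ET.fromstring(xml_text)
    names: Dict[str, str] = {
        el.get("ProductID", ""): (el.text or "").strip()
        for el in root.iterfind(".//prod:FullProductName", NS)
    }
    findings: List[Finding] = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", default="", namespaces=NS)
        # Only products listed under a "Known Affected" status count as affected.
        affected = [
            names.get((pid.text or "").strip(), (pid.text or "").strip())
            for pid in v.iterfind("vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)
        ]
        findings.append(Finding(
            cve=v.findtext("vuln:CVE", default="", namespaces=NS).strip(),
            title=v.findtext("vuln:Title", default="", namespaces=NS).strip(),
            base_score=float(score) if score.strip() else 0.0,   # missing score ranks last
            vector=v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:Vector", default="", namespaces=NS).strip(),
            affected=affected,
            remediation=v.findtext("vuln:Remediations/vuln:Remediation/vuln:Description", default="", namespaces=NS).strip(),
        ))
    return findings


def rank_by_score(findings: List[Finding]) -> List[Finding]:
    """Highest CVSS base score first, a first cut at patch ordering."""
    return sorted(findings, key=lambda f: f.base_score, reverse=True)


if __name__ == "__main__":
    for f in rank_by_score(parse_cvrf(SAMPLE_CVRF)):
        print(f"{f.base_score:>4} {f.cve} {f.title}: {', '.join(f.affected)} -> {f.remediation}")
```

The ranking is only the first input to the decision described in section 3.2: the CVSS score comes from the advisory, but data sensitivity and exposure of each host are local facts that the script cannot know, so the output is a worklist to be weighed against them, not a patch order on its own. An advisory file fetched from the network is untrusted input; when parsing such files rather than the embedded sample, use a hardened XML parser (for example the defusedxml package) in place of the standard library module.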

5.3 Whom should I contact with CVRF-related questions?

Please contact secalert_us@oracle.com for any questions related to Oracle’s advisories in CVRF format. For general CVRF-related questions or suggestions, please contact contactcvrf@memberws.org.

6. Other topics


6.1 I Think I Discovered A Security Vulnerability. How Do I Report It?

If you discover a problem you believe to be a security vulnerability, please follow the process detailed at http://www.oracle.com/us/support/assurance/reporting/index.html