print Printer View e-mail E-mail this page Bookmark Bookmark
Critical Patch Updates and Security Alerts Security Alerts Chicklet

Critical Patch Updates
Security Alerts
MetaLink Security Notes
Public Vulnerabilities Fixed
Policies
Reporting Security Vulnerabilities
References

This page lists security patches, in the form of Critical Patch Updates (CPUs) and Security Alerts, that Oracle has released. The page is updated when new Critical Patch Updates and Security Alerts are released, and it is possible to receive notification of releases by email.

Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"

Critical Patch Updates

Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. They are released on the Tuesday closest to the 15th day of January, April, July and October. The next four dates are:

  • 15 July 2008
  • 14 October 2008
  • 13 January 2009
  • 14 April 2009
A pre-release announcement will be published on the Thursday preceding each CPU release.

The Critical Patch Updates released to date are listed in the following table. Please note that starting with the January 2008 CPU, the Critical Patch Update Advisory will only be posted on OTN and will no longer be posted on MetaLink or Customer Connection.

Critical Patch Update MetaLink Note ID Latest Version/Date
Critical Patch Update - April 2008 No MetaLink copy Rev 3, 20 April 2008
Critical Patch Update - January 2008 No MetaLink copy Rev 1, 15 January 2008
Critical Patch Update - October 2007 455284.1 Rev 1, 16 October 2007
Critical Patch Update - July 2007 432865.1 Rev 2, 19 July 2007
Critical Patch Update - April 2007 420055.1 Rev 2, 18 April 2007
Critical Patch Update - January 2007 403335.1 Rev 2, 5 March 2007
Critical Patch Update - October 2006 391558.1 Rev 4, 6 March 2006
Critical Patch Update - July 2006 372927.1 Rev 1, 18 July 2006
Critical Patch Update - April 2006 360044.1 Rev 1, 18 April 2006
Critical Patch Update - January 2006 343382.1 Rev 1, 17 January 2006
Critical Patch Update - October 2005 333953.1 Rev 2, 19 December 2005
Critical Patch Update - July 2005 311034.1 Rev 1, 12 July 2005
Critical Patch Update - April 2005 301040.1 Rev 2, 13 April 2005
Critical Patch Update - January 2005 293953.1 Rev 2, 15 March 2005


Security Alerts

Before 2005, Security Alerts were the primary means of releasing security fixes for Oracle products. Each Security Alert has a severity rating indicating the security risk of the vulnerabilities within the alert. The Security Alerts released to date are listed in the following table. Click here for definitions of the severity ratings.

Security Alert Number And Description MetaLink Note ID Latest Version/Date
Alert 68, Oracle Security Update 281188.1 Rev 4, 2 March 2005
Alert 67, Unauthorized Access Vulnerabilities in Oracle E-Business Suite 274356.1 Rev 1, 3 June 2004
Alert 66, Security Vulnerabilities in Oracle Application Server Web Cache 265308.1 Rev 2, 2 April 2004
Alert 65, Security Vulnerability in Oracle9i Application and Database Servers 258997.1 Rev 4, 2 June 2004
Alert 64, Security Vulnerabilities in Oracle9i Database Server 263508.1 Rev 2, 20 May 2004
Alert 63, Security Vulnerabilities in Oracle9i Lite 263509.1 Rev 1, 18 February 2004
Alert 62, SSL Update for CERT CA-2003-26 and older SSL issues 258996.1 Rev 1, 04 December 2003
Alert 61, SQL Injection Vulnerability in Oracle9i Application Server 253982.1 Rev 3, 13 November 2003
Alert 60, Unauthorized Access to Restricted Content in Oracle Files 252706.1 Rev 1, 28 October 2003
Alert 59, Buffer Overflow in Oracle Database Server Binaries 251910.1 Rev 3, 13 November 2003
Alert 58, Buffer Overflow in the XML Database of Oracle9i Database Server 246202.1 Rev 1, 18 August 2003
Alert 57, Buffer Overflows in EXTPROC of Oracle Database Server 244523.1 Rev 2, 07 August 2003
Alert 56, Buffer Overflow Vulnerability in Oracle E-Business Suite 244335.1 Rev 1, 23 July 2003
Alert 55, Unauthorized Disclosure of Information in Oracle E-Business Suite 244294.1 Rev 1, 23 July 2003
Alert 54, Buffer Overflow in Net Services for Oracle Database Server 237172.1 Rev 2, 30 April 2003
Alert 53, Report Review Agent Vulnerability in Oracle E-Business Suite 235262.1 Rev 1, 10 April 2003
Alert 52, Security Vulnerabilities in Oracle9i Application Server 229288.1 Rev 3, 03 March 2003
Alert 51, Buffer Overflow in ORACLE executable of Oracle9i Database Server 229287.1 Rev 6, 18 April 2003
Alert 50, Buffer Overflow in Oracle9i Database Server 229286.1 Rev 6, 18 April 2003
Alert 49, Buffer Overflow in Oracle9i Database Server 229285.1 Rev 6, 18 April 2003
Alert 48, Buffer Overflow in Oracle9i Database Server 229284.1 Rev 6, 18 April 2003
Alert 47, Security Vulnerabilities in Oracle9i Application Server 224215.1 Rev 3, 23 July 2003
Alert 46, Buffer Overflow in iSQL*Plus (Oracle9i Database Server) 216775.1 Rev 3, 11 November 2002
Alert 45, Security Release of Apache 1.3.27 214356.1 Rev 6, 20 May 2004
Alert 44, Unauthorized Access Vulnerability in Oracle E-Business Suite, Release 11i 213415.1 Rev 1, 04 October 2002
Alert 43, Oracle9iApplication Server Web Cache Administration Tool Vulnerability 213413.1 Rev 1, 04 October 2002
Alert 42, Denial of Services Against Oracle Net Services 213411.1 Rev 3, 16 December 2002
Alert 41, Oracle9iApplication Server Oracle Java Server Pages Demo Vulnerability 207272.1 Rev 1, 14 August 2002
Alert 40, Oracle Net Listener Vulnerabilities 207269.1 Rev 3, 08 August 2002
Alert 39, Web Cache Oracle9i Application Server Password Vulnerability 207271.1 Rev 1, 08 August 2002
Alert 38, Oracle Net Denial of Service Security Vulnerability 207268.1 Rev 3, 08 August 2002
Alert 37, OpenSSL Buffer Overflow 206034.1 09 August 2002
Alert 36, Security Vulnerability in Apache HTTP Server of Oracle9i Application Server 200873.1 12 July 2002
Alert 35, Buffer Overflow Vulnerability in Oracle9iAS Reports Server 198531.1 05 June 2002
Alert 34, Buffer Overflow Vulnerability in Oracle Net (Oracle9i Database Server) 198544.1 05 June 2002
Alert 33, User Privileges Vulnerability in Oracle9i Database Server 185074.1 17 April 2002
Alert 32, Unauthorized Access Vulnerability in the Oracle E-business Suite 185073.1 17 April 2002
Alert 31, Oracle Configurator Cross Site Scripting Vulnerability 182244.1 01 April 2002
Alert 30, SNMP Vulnerability in Oracle Enterprise Manager, Master_Peer Agent, for Oracle9i Database 183556.1 05 March 2002
Alert 29, Vulnerability in PL/SQL EXTPROC in Oracle9i Database 175429.1 07 August 2003
Alert 28, Vulnerabilities in Oracle mod_plsql and JSP in Oracle9i Application Server 175428.1 05 July 2002
Alert 27, Vulnerabilities in Oracle9i Application Server Webcache 169628.1 28 December 2001
Alert 26, Denial of Service against Oracle9i Application Server 168862.1 04 June 2004
Alert 25, Vulnerabilities in mod_plsql 168863.1 04 June 2001
Alert 24 was never released - -
Alert 23, Oracle Database Server DBSNMP Vulnerabilities 167001.1
167004.1
167007.1		 01 May 2002
01 May 2002
01 May 2002
Alert 22, Oracle9i Application Server Default SOAP Configuration 166869.1 23 September 2002
Alert 21, Oracle Label Security Mandatory Security Patch 163726.1 18 October 2001
Alert 20, Oracle File Overwrite Security Vulnerability 163727.1 18 October 2001
Alert 19, Oracle Trace Collection Security Vulnerability 163728.1 29 November 2001
Alert 18, Oracle9iAS Web Cache Overflow Vulnerability 163729.1 18 October 2001
Alert 17, Oracle Internet Directory Buffer Overflow Vulnerability 152780.1 03 October 2001
Alert 16, Oracle SQL*Net and Net8 Malformed Packet Denial of Service Vulnerability 151260.1 05 September 2002
Alert 15, Buffer Overflow Vulnerability in the Oracle8i Listener 151259.1 05 September 2002
Alert 14, Oracle SQL*Net/Net8 Denial of Service Vulnerabilities 151261.1
151290.1
151291.1
151292.1		 03 February 2002
03 February 2002
05 September 2002
05 September 2002
Alert 13, Oracle Redirect Denial of Service Vulnerability 153289.1 21 November 2001
Vulnerability in Oracle E-Business Suite Release 11i Applications Desktop Integrator No MetaLink Note 21 May 2001
Forms Launched Insecurely from Oracle E-Business Suite No MetaLink Note 30 April 2001
Oracle JVM FilePermission Vulnerability No MetaLink Note 13 February 2001
Security Bug with JSPs and the Oracle 8.1.7 Directory Traversal Vulnerability 135885.1 03 November 2004
Unintended Execution of Oracle JSP No MetaLink Note 13 February 2001
Oracle XSQL Servlet Vulnerability No MetaLink Note 23 January 2001
Oracle Connection Manager Control SUID No MetaLink Note 31 January 2001
Oracle Internet Directory Buffer Overflows No MetaLink Note 31 January 2001
mod_plsql exclusion_list Announcement No MetaLink Note 10 January 2001
Oracle Internet Application Server No MetaLink Note 28 December 2000
Oracle Enterprise Manager Backup and Recovery 130119.1 12 April 2002
Vulnerability in the Oracle Listener 124742.1 22 July 2004
Oracle Application Server: Remote Command Execution 108139.1 04 February 2002
Unprotected Oracle Installer File No MetaLink Note 14 April 2000

MetaLink Security Notes

Between October 2002 and March 2003, Oracle published some security advisory information as MetaLink Security Notes. These notes are listed in the following table.

Security Note Description MetaLink Note ID Latest Version/Date
Security Vulnerability in E-Business Suite Release 11i 229257.1 03 March 2003
Security Weakness in Business Intelligence Reports 222438.1 04 December 2002
Vulnerability in Oracle9iAS Portlet Repository 216501.1 29 October 2002
Vulnerability in Oracle9iAS Portal and Single Sign-on Server 216493.1 29 October 2002
Unified Messaging/OID Default Access Control Policies Vulnerability 212934.1 02 October 2002
Oracle9iR2 ALTER SESSION Privilege Vulnerability 210317.1 09 October 2002

Public Vulnerabilities Fixed

The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert.


Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the severity of the CPU or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.

Oracle's policy and process for fixing security vulnerabilities explains the security vulnerability fixing lifecycle, including the correlation between Critical Patch Updates, patch sets and new releases.

MetaLink Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products.


Reporting Security Vulnerabilities

If you are an Oracle customer or an Oracle partner, please use MetaLink to submit a Service Request on any potential Oracle product security vulnerability. Otherwise, please email secalert_us@oracle.com with your discovery. We encourage people who wish to contact Oracle Security to employ email encryption, using our encryption key.


References
E-mail this page
Printer View Printer View
Oracle Is The Information Company About Oracle | Oracle RSS Feeds | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Privacy