Oracle Critical Patch Update and Security Alerts

Frequently Asked Questions

Released January 14, 2009

This document contains the following sections:


1.  Oracle Security Patching Overview


1.1  What Are Critical Patch Updates?

Critical Patch Updates are patches containing fixes for security flaws in Oracle products. The Critical Patch Update program was introduced in January 2005 to provide security fixes in cumulative patches on a pre-defined schedule. More information about the program can be found on the OTN Security Vulnerability Fixing Policy and Process page at

http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html

1.2  What Are Security Alerts?

Prior to the Critical Patch Update program, fixes for security vulnerabilities were created individually and released when ready. The fixes were released in "Security Alerts" for Oracle products; "Security Advisories" for BEA, PeopleSoft Enterprise and JD Edwards EnterpriseOne products; and "Technical Support Alerts" for Siebel products. Oracle will issue a Security Alert in cases where the urgency of a fix requires it to be released in advance of the next Critical Patch Update. The occasions when Oracle will release one-off security patches are described later in this document.

1.3  When Are Critical Patch Updates Released?

Oracle Critical Patch Updates are released at 1 p.m. Pacific Time on the Tuesday closest to the 15th day of January, April, July and October. Future Critical Patch Update release dates are listed in:

1.4  Where Can I Find A List Of Past Oracle Security Alerts And Critical Patch Updates?

Lists of past Security Alerts and Critical Patch Updates can be found at:

1.5  What Happens If A Critical Flaw Is Discovered Between The Quarterly Release Dates?

In the case of a unique and dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. The Security Alert will be issued once the information is ready and will not conform to the quarterly Critical Patch Update cycle. If the Security Alert is released with an interim patch, the patch will be included in future Critical Patch Updates. For more information, see Security Vulnerability Fixing Policy and Process at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html


2.  Patch Policies and Content

2.1  What Types Of Bug Fixes Are Included In The Critical Patch Updates?

All Critical Patch Update patches contain security fixes, but patches for some products, product versions and platforms also contain non-security fixes. These non-security fixes are generally:

  • Prerequisites for the security fixes
  • Interim patches (also known as one-off patches) that conflict with the security fixes; or
  • Patch bundle fixes, on platforms where security fixes are delivered using the standard patching mechanism. This applies to most Windows platforms.

2.2  In Which Support Stages Will Products Receive Critical Patch Updates?

The Oracle Lifetime Support policy defines the period during which product releases are covered by Premier Support and Extended Support agreements. Only releases in these first two stages of support are included in the Critical Patch Update program. For most products, only the latest versions within each release receive Critical Patch Update patches. For example, Oracle Database and Oracle Fusion Middleware products release new versions as patch sets, and the policy defining which patch sets receive Critical Patch Updates can be found in Software Error Correction Support Policy (My Oracle Support Note:209768.1). See the following questions for more details.

Currently only PeopleSoft and JD Edwards products in the Premier Support stage of Oracle Lifetime Support receive Critical Patch Updates.

For more information about the Lifetime Support Policy, see http://www.oracle.com/support/premier/lifetime-support-policy.html

Specific to Oracle Database, Oracle Fusion Middleware and Oracle Enterprise Manager products, for older product versions not covered by the Lifetime Support Policy and for which there are desupport notices, security patches will be provided to products covered by the Error Correction Support (ECS) and Extended Maintenance Support (EMS). Security patches will not be provided to products covered by Extended Support (ES). Please refer to the desupport notices of the specific product for the desupport end dates (See My Oracle Support --> "Certify" --> "Desupport Notices".)

For BEA products, the security advisories are provided as per the guidelines provided in Support policy at http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/support/supp_services/

2.3  For Which Oracle Database And Oracle Fusion Middleware Releases Are CPU Patches Created?

My Oracle Support Note:209768.1, Oracle Database, Fusion Middleware, and Collaboration Suite Software Error Correction Support Policy, contains information about support policies for Critical Patch Updates. The Patch Availability Note for each Critical Patch Update lists the Database and Fusion Middleware platform and version combinations that are planned for the subsequent Critical Patch Update. The Patch Availability Note also includes information on the product versions and platforms that will receive patches in future Critical Patch Updates. Customers can use this information to plan moves to patch sets and new releases to ensure they are always on versions covered by Critical Patch Updates.

2.4  For Which PeopleSoft And JD Edwards Tools Releases Are CPU Patches Created?

An Oracle PeopleTools program purchased in conjunction with an application program release will be supported for as long as that application program release is supported. For PeopleTools, as in the past, you will need to continue to apply minor upgrades to stay current and under Premier Support. Patches and platform certifications for a PeopleTools minor release will only be created from when that release is generally available until 12 months after the next minor release is generally available.

2.5  Can I Request Security Patches For Product Versions Not Addressed In The CPU?

Oracle strongly recommends customers using product versions not covered by the Critical Patch Update program upgrade to a version for which Critical Patch Updates are provided. Please refer to the question regarding the product releases and versions that are supported for more information.

2.6  Will The Critical Patch Update Be Compatible With Other Patches Applied, Including One-off Patches?

A Critical Patch Update patch may need to update a file that has already been updated by an interim patch (also known as a one-off patch). This is known as a patch conflict, and it prevents both patches from being applied. Interim patches in common use are included in Critical Patch Update patches to avoid patch conflicts, the mechanism depending on the product and version, but it is sometimes necessary for customers to request that additional interim fixes be merged in to resolve patch conflicts.

2.7  A Conflict Is Reported While Applying The Critical Patch Update Patch. What Should I Do?

Details for handling conflicts for any given Critical Patch Update release are found in the note titled "Critical Patch Update Availability Information for Oracle Database and Fusion Middleware Products". A new instance of this note is created for each Critical Patch Update to reflect the different content in each update. The Critical Patch Update Advisory section titled "Patch Availability Table and Risk Matrices" contains a link to the correct instance of the note for that Critical Patch Update. The steps for resolving patch conflicts can be found in the note, under the section titled "CPU Patch Conflict Resolution".

2.8  Are Previous Security Patches Included In The Critical Patch Update?

Critical Patch Update patches for most products are cumulative; patches for any product included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates.

Oracle E-Business Suite Applications Release 11i patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply. Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the April 2007 Critical Patch Update. From the July 2007 Critical Patch Update on, Oracle Collaboration Suite security fixes are delivered using the one-off patch infrastructure normally used by Oracle to deliver single bug fixes to customers.

Security patches for other products, including Oracle E-Business Suite Release 12, contain fixes from previous Oracle Critical Patch Updates and Security Alerts. If a previous security fix was a workaround rather than a code change, instructions on the steps required will be included in all future Critical Patch Update documentation.

PeopleSoft PeopleTools and JD Edwards EnterpriseOne Tools patches are cumulative and include all fixes from previous Critical Patch Updates. PeopleSoft and JD Edwards patches for non-tools products are not cumulative and customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply.

For products with cumulative patches, only the latest Critical Patch Update needs to be applied. It will contain all security fixes that are required.

Security advisory patches for BEA products are not cumulative (unless otherwise stated), so BEA customers should refer to previous Security Advisories to identify previous security fixes they want to apply. BEA Maintenance Packs are cumulative and thus include all fixes for that product from the previous Security Advisories.

2.9  Do Future Patch Sets and Product Releases Contain Security Fixes Released in Critical Patch Updates?

Critical Patch Update content is included in future (though not necessarily the next) patch sets, except for releases for which the terminal patch set has been issued, e.g. patch set 9.2.0.8 for Oracle Database 9i Release 2.

For more information, see Security Vulnerability Fixing Policy and Process at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html


3.  Patch Installation and Patching Guidelines

3.1  Are Critical Patch Updates Mandatory?

It is not mandatory to install Critical Patch Updates, but Oracle strongly recommends that they are applied to fix security vulnerabilities and minimize the risk of a successful attack.

3.2  How Do I Determine if I Need to Apply a Critical Patch Update?

Oracle strongly recommends that every Critical Patch Update is applied as soon as practicable, to minimize the risk of a successful attack. If this is not possible, customers should determine the risk to machines based on factors such as:

  • the severity of unfixed vulnerabilities;
  • the sensitivity of data stored; and
  • the accessibility of the machine to attackers.

The Critical Patch Update Advisory risk matrices use the Common Vulnerability Scoring System (CVSS) to rate the severity of vulnerabilities. The risk matrices list the CVSS base score, which captures vulnerability characteristics that are constant with time and across user environments. Customers can refine the base score with CVSS environmental factors to provide a more accurate severity rating for their environment. More information on interpreting CVSS scores and environmental scores can be found in the notes linked from the References section of the latest Critical Patch Update Advisory.
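The refinement described above, the base score from the risk matrix adjusted by a customer's own environmental factors, can be carried through in code. The following example is added here and is not part of the Oracle FAQ; it implements the public CVSS v2.0 base, temporal and environmental equations (the assumption being that v2.0 is the CVSS version behind the risk matrices of this period) and scores one constructed sample vector for two hypothetical deployments of the same product. The vector strings, site labels and function names are constructed for the example, not taken from any Oracle advisory.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights, taken from the public CVSS v2.0 specification.
# Assumption: v2.0 is the CVSS version behind the CPU risk matrices of this era.
D = Decimal
_CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}
_REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}
WEIGHTS = {
    # base metrics (what the risk matrix publishes)
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": _CIA, "I": _CIA, "A": _CIA,
    # temporal metrics ("ND" = not defined, i.e. no adjustment)
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
    # environmental metrics (what the customer supplies)
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": _REQ, "IR": _REQ, "AR": _REQ,
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
OPTIONAL_DEFAULTS = {m: "ND" for m in ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into {metric: value}; optional metrics default to ND."""
    metrics = dict(OPTIONAL_DEFAULTS)
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric or value: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def _round1(x):
    # The specification rounds every published score to one decimal place.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _base_score(w, impact):
    exploitability = D(20) * w["AV"] * w["AC"] * w["Au"]
    f_impact = D(0) if impact == 0 else D("1.176")
    return _round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def _temporal_score(w, base):
    return _round1(base * w["E"] * w["RL"] * w["RC"])


def cvss2_scores(vector):
    """Return base, temporal and environmental scores for a CVSS v2 vector string."""
    w = {name: WEIGHTS[name][value] for name, value in parse_vector(vector).items()}
    impact = D("10.41") * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    base = _base_score(w, impact)
    temporal = _temporal_score(w, base)
    # Environmental: re-weight impact by the site's C/I/A requirements, recompute
    # base and temporal on it, then fold in collateral damage and target distribution.
    adjusted_impact = min(D(10), D("10.41") * (1 - (1 - w["C"] * w["CR"])
                                                  * (1 - w["I"] * w["IR"])
                                                  * (1 - w["A"] * w["AR"])))
    adjusted_temporal = _temporal_score(w, _base_score(w, adjusted_impact))
    environmental = _round1((adjusted_temporal + (10 - adjusted_temporal) * w["CDP"]) * w["TD"])
    return {"base": base, "temporal": temporal, "environmental": environmental}


# Constructed sample: one remote, unauthenticated availability issue with a vendor fix,
# scored for two hypothetical deployments of the same product.
BASE_ONLY = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
TEMPORAL = BASE_ONLY + "/E:F/RL:OF/RC:C"
EXPOSED_SITE = TEMPORAL + "/CDP:H/TD:H/CR:M/IR:M/AR:H"    # widely deployed, availability-critical
ISOLATED_SITE = TEMPORAL + "/CDP:N/TD:L/CR:L/IR:L/AR:L"   # few hosts, low business impact

if __name__ == "__main__":
    for label, vec in (("base only", BASE_ONLY), ("exposed site", EXPOSED_SITE),
                       ("isolated site", ISOLATED_SITE)):
        print(f"{label:14s} {cvss2_scores(vec)}")
```

With no environmental metrics supplied the environmental score simply equals the base score, which is why the matrix value is the right starting point; the same vulnerability then scores 9.2 for the exposed deployment and 1.1 for the isolated one, which is the kind of spread that justifies ordering systems for patching rather than treating the published base score as a fixed priority. Decimal arithmetic is used so that the half-up rounding the specification calls for is applied to exact values rather than to binary floating-point approximations.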

3.3  Is It Possible to Install Only Some Fixes From Critical Patch Updates?

Critical Patch Update patches are provided as a single patch for most products, making it impossible to install a subset of fixes. Oracle E-Business Suite Release 11i fixes are typically provided individually, making it possible to install only those that are required. Patches for Oracle Database 10g Release 2 from patch set 10.2.0.3 on, and for Oracle Database 11g are composed of a number of molecules. Each molecule contains one, or a small number, of fixes. Although it is technically possible to apply only a subset of molecules, Oracle strongly recommends that this is not done unless a patch conflict is encountered.

3.4  Are There Any Best Practices In This Field? How Should An Oracle DBA Manage The CPU Patch Installation?

Oracle extensively tests the Critical Patch Update patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the Critical Patch Update patches on their own test environments before installing patches on production systems. Oracle recommends applying Critical Patch Update patches to all products in a system as a single activity. Oracle's On Demand group runs several hundred Oracle systems on behalf of customers. Their guidelines for installing Critical Patch Updates can be found in their white paper on Oracle Technology Network: http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf

3.5  Is It Possible to Apply Workarounds Instead of Installing Critical Patch Updates?

Oracle provides specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used to reduce or eliminate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.


4.  Critical Patch Update Documentation and Further Information

4.1  What Documentation Is Included in the Critical Patch Update?

The top-level document for each Critical Patch Update is the Critical Patch Update Advisory. A list of all Critical Patch Update Advisories is maintained on the Critical Patch Updates and Security Alerts page on Oracle Technology Network http://www.oracle.com/technology/deploy/security/alerts.html

The Critical Patch Update Advisory provides information for customers to make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each fixed vulnerability. It references a number of product-specific notes and documents that provide more detailed information, including the location of the patches. Each patch contains detailed guidance on installing the patch.

Each Critical Patch Update Advisory references a My Oracle Support Note titled Critical Patch Update Documentation Map. This note references the high level documentation for each Critical Patch Update.

4.2  Where can I get more information about vulnerabilities described in the CPU Advisories and Security Alerts?

The level of information provided in the Critical Patch Update Advisory is designed to give customers sufficient understanding of the vulnerabilities being fixed to make patching decisions, without giving attackers enough information to easily mount an attack. Oracle provides no more detailed information about security vulnerabilities than is provided in the Critical Patch Update documentation. My Oracle Support notes explaining the information in the risk matrices, as linked from the advisory "References" section, help customers get the most from the information provided.

4.3  Is It Safe to Use Information about Oracle Security Vulnerabilities from Third-Party Sites?

The information available on non-Oracle sites is not approved by Oracle. Some sites offer misleading information by providing only a small part of the vulnerabilities covered by the Oracle Critical Patch Update or Security Alert. Third-party sites may suggest workarounds that are incorrect, incomplete or untested and following such advice can lead to system damage.

Oracle strongly recommends that customers rely only on information provided by Oracle, specifically the Critical Patch Update documentation.

4.4  Why did Oracle start using CVE numbers in the July, 2008 CPU?

Starting with the July 2008 Critical Patch Update, Oracle began using industry-standard Common Vulnerabilities and Exposures (CVE) identifiers rather than the proprietary identifiers used in previous CPUs. CVE identifiers were adopted to simplify the identification of Oracle vulnerabilities when they are referenced in external security reports, such as those produced by security researchers and vulnerability management systems.

4.5  What is the Security-In-Depth program referenced in the Credit Section of the CPU Advisory?

Starting with the July 2008 Critical Patch Update, Oracle instituted a Security-In-Depth program to give credit to people who provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but that are not of such a critical nature that the modifications would be distributed in Critical Patch Updates. This program was instituted as a result of requests from Oracle's customers that very low severity security issues not be included in Critical Patch Updates.

Examples of submissions that might result in Security-In-Depth recognition rather than a fix released in a Critical Patch Update include, but are not limited to, the following:

  • Reports of SQL injection issues in functions that only appear to be callable by SYS privileged users, but where an attack might be launched from a SYS "definer's rights" procedure, implemented at some future date, that might call such functions with unchecked parameters.
  • Certain types of configuration disclosure where there is no known attack that would rely on or be enhanced by the disclosed information.


5.  Other Topics

5.1  I Think I Discovered A Security Vulnerability. How Do I Report It?

If you discover a problem you believe to be a security vulnerability and you are a customer or a partner, please let us know using the same process as for a non-security problem. For more information, see Oracle Security Vulnerability Fixing Policy and Process at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html

If you discover a problem you believe to be a security vulnerability and you are not a customer or a partner, please send email to secalert_us@oracle.com with your information. When contacting Oracle Security regarding possible security vulnerabilities we encourage the use of email encryption, using our encryption key.


6.  Modification History

Date         Modification
15-Apr-2008  Released
15-Jul-2008  Formatting changes. Additions of sections 4.4 and 4.5.
13-Jan-2009  Update PeopleSoft Links


7.  Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

TTY Access to Oracle Support Services

Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, 7 days a week. For TTY support, call 800.446.2398. Outside the United States, call +1.407.458.2479.


Copyright © 2007, 2008, Oracle. All rights reserved.