Critical Patch Updates
The primary mechanism for the release of fixes for security vulnerabilities in Oracle products is the quarterly Critical Patch Updates (CPUs). CPUs are released on dates announced a year in advance and published on the Critical Patch Updates and Security Alerts page. The patches address significant security vulnerabilities and also include code fixes that are prerequisites for the security fixes.
The security updates for all products which receive CPUs are available to active Oracle Support customers on the My Oracle Support web site. Follow the links below to learn more about Oracle’s Security Fixing policies:
Security Alerts are a release mechanism for one vulnerability fix or a small number of vulnerability fixes. Security Alerts were used up until August 2004 as the main release vehicle for security fixes. In January of 2005 Oracle began releasing fixes on a fixed schedule, using the Critical Patch Updates.
Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the Security Alert by email notification through My Oracle Support and Oracle Technology Network. The fix included in the Security Alert will also be included in the next Critical Patch Update.
Cumulative versus One-Off Patches
As much as possible, Oracle tries to make Critical Patch Updates cumulative; that is each Critical Patch Update contains the security fixes from all previous Critical Patch Updates. In practical terms, for those products that receive cumulative fixes, the latest Critical Patch Update is the only one that needs to be applied when solely using these products, as it contains all required fixes.
Fixes for the other products that do not receive cumulative fixes are released as one-off patches. It is necessary for these products to refer to previous Critical Patch Update advisories to find all the patches that may need to be applied.
Announcement of Security Fixes
It is Oracle's policy not to announce security fixes until they are available for all affected and supported product version and platform combinations. For some products, there can be more than eighty of these version-platform combinations. In certain circumstances, Critical Patch Updates for particular version-platform product combinations may consist of announced and unannounced vulnerability fixes. An unannounced vulnerability fix can be included in a given Critical Patch Update patch when some, but not all, parts of the vulnerability are fixed, or because the fix is available on some, but not all, version-platform combinations of a given product. In such an instance, Oracle will only announce the vulnerability fixes in the Critical Patch Update Advisories when they are available in ALL supported version-platform combinations.
Security Fixes and Patch Sets
Security fixes are also included in patch sets (or equivalent) and in new product releases. Oracle policy is to include all security fixes in a Critical Patch Update in subsequent patch sets and product releases. If this is not possible, due to the timing of a release, Oracle creates a patch containing the latest Critical Patch Update fixes that can be applied on top of the newly released patch set or product release.
Order of Fixing Security Vulnerabilities
In order to provide the best security posture to all Oracle customers, Oracle fixes significant security vulnerabilities in severity order. As a result, the most critical issues are always fixed first.
Fixes for security vulnerabilities are produced in the following order:
Main code line - that is the code being developed for the next major release of the product.
Next patch set for all non-terminal releases (e.g. Database Server 11gR2 but not 10gR1 version 10.1.0.5, which is terminal)
Critical Patch Updates for all supported patch sets that have not previously received the appropriate fix.
Note that security fixes may be backported for inclusion in future patch sets or product releases that are released before their inclusion in a future CPU.
As a result of this policy, systems updated with patch sets or upgraded with a new product release will receive the security fixes previously included in the patch set or release. This can be used as a means to apply security fixes, but Critical Patch Updates should remain the primary means of applying security fixes as they are released more frequently than patch sets and new product releases.
The inclusion of security fixes in upcoming patch sets and product releases allows customers more patching strategy choices (i.e. customers may choose to willingly “skip” a Critical Patch Update in favor of applying an upcoming patch set). Oracle also believes that including security fixes in patch sets and releases maximizes the protection for customers and minimizes their subsequent patching costs.
Important note: please be reminded that Oracle recommends that the Critical Patch Update be the primary means for customers to keep up with security fixes for all affected products, as Critical Patch Updates are released more frequently than patch sets or new product releases.
Critical Patch Update Documentation
Each Critical Patch Update has an advisory as its top-level document. This advisory lists the products affected and contains a risk matrix for each product suite.
The risk matrices provide information to help customers assess the risk posed by the security vulnerabilities in their specific environment. They can be used to identify the systems most at risk so they can be patched first. Each new security vulnerability fixed in a Critical Patch Update is listed in a row of the risk matrix for the product it affects.
Common Vulnerability Scoring System (CVSS)
In October 2006, Oracle switched from a proprietary method for indicating the relative severity of security vulnerabilities in the risk matrices to the Common Vulnerability Scoring System (CVSS). FIRST's web site describes CVSS as a rating system "designed to provide open and universally standard severity ratings of software vulnerabilities." CVSS is a standardized method for assessing the severity of security vulnerabilities.
For each vulnerability newly fixed in the Critical Patch Update, Oracle provides values for CVSS metrics indicating the preconditions required to exploit the vulnerability and the ease of exploit; and the impact of a successful attack in terms of confidentiality, integrity and availability (CIA) to the targeted system. CVSS uses a formula to turn this information into a Base Score between 0.0 and 10.0, where 10.0 represents the most severe vulnerability. The risk matrices are ordered using the CVSS Base Score, with the most severe vulnerability at the top. Version 2.0 of the CVSS standard has been adopted by Oracle in October 2007, and is currently being used.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) numbers are used by Oracle to identify the vulnerabilities listed in the risk matrices in Critical Patch Update and Security Alert advisories. CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities. The CVE program is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security and is managed by MITRE corporation.
Oracle is a CVE Numbering Authority (CNA), that is the company can issue CVE numbers for vulnerabilities in its products. Note that the ordering of CVE numbers in Oracle's security advisories does not necessarily correspond to dates of discovery of the vulnerabilities they reference. In other words, CVE numbers are not assigned in order of the discovery dates of vulnerabilities whose fixes will be delivered in those distributions. This is because CVE Numbering Authorities (CNAs) like Oracle periodically get sets of CVE numbers from MITRE so a separate request for a new CVE does not need to be made every time a vulnerability is discovered. CVE numbers are assigned to vulnerabilities sequentially by Oracle from the pool of CVE number assigned by the CVE organization about 3 to 4 weeks before the scheduled distribution of the fix through the Critical Patch Update program.
In order to help organizations quickly assess the importance of the potential security issues fixed in the Critical Patch Update, Oracle provides an executive summary with a high level synopsis of the security defects in each product addressed by the Critical Patch Update. This executive summary provides a "plain English" explanation of the vulnerabilities addressed in the Critical Patch Update.
Critical Patch Update Pre-Release Announcement
Oracle publishes a summary of the Critical Patch Update Documentation on the Thursday prior to each Critical Patch Update release date. This summary, called a Critical Patch Update Pre-Release Announcement, provides advanced information about the upcoming Critical Patch Update, including:
Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the Critical Patch Update
Number of security fixes for each product suite
Highest CVSS base score for each product suite
And, potentially, any other information that may be relevant to help organizations plan for the application of the Critical Patch Update in their environment
While Oracle ensures that each Pre-Release Announcement is as accurate as possible at the time of its publication, the actual content of each Critical Patch Update may change after the publication of its Pre-Release Announcement. The Critical Patch Update Advisory should therefore be considered as the only accurate description of the actual content of the Critical Patch Update.