The Critical Patch Update (CPU) is the primary mechanism for the backport of security bug fixes for all Oracle on-premises products. Critical Patch Updates are available to customers with valid support contracts. Critical Patch Updates are released quarterly. Critical Patch Updates are released on the third Tuesday of January, April, July, and October. In addition, Oracle retains the ability to issue out of schedule patches or workaround instructions in case of particularly critical vulnerabilities and/or when active exploits are reported in the wild. This program is known as the Security Alert program. Information about all previously released Security Alerts and Critical Patch Updates, along with the links to download security patches, is posted on the Security Alerts and Critical Patch Updates page.
Maximum security | Vulnerabilities are remediated by Oracle in order of the risk they pose to users. This process is designed to patch the security defects with the greatest associated risk first in the Critical Patch Update, resulting in optimizing the security posture of all Oracle customers. |
Lower administration costs | A fixed CPU schedule helps organizations plan their security maintenance windows. The CPU schedule is designed to avoid typical blackout dates during which customers cannot typically alter their production environments. |
Simplified patch management | Patch updates are cumulative for many Oracle products. This provides customers the ability to catch up quickly to the current security release level, since the application of the latest cumulative CPU resolves all previously addressed vulnerabilities. |
The Oracle Cloud operations and security teams regularly evaluate Oracle’s Critical Patch Updates and Security Alerts as well as relevant third-party security updates as they become available and apply the relevant patches in accordance with applicable change management processes.