Oracle’s Security Vulnerability Remediation Practices
The Critical Patch Update (CPU) is the primary mechanism for the backport of all security bug fixes for all Oracle products. Critical Patch Updates are released quarterly on the Tuesday closest to the 17th of the month in January, April, July, and October. In addition, Oracle retains the ability to issue out of schedule patches or workaround instructions in case of particularly critical vulnerabilities and/or when active exploits are reported “in the wild.” This program is known as the Security Alert program. Information about all previously released Security Alerts and Critical Patch Updates, along with the links to download security patches, is posted on the Security Alerts and Critical Patch Updates page.
- Maximum Security—Vulnerabilities are remediated by Oracle in order of the risk they pose to users. This process is designed to patch the security holes with the greatest associated risk first in the Critical Patch Update, optimizing the security posture of all Oracle customers.
- Lower Administration Costs—A fixed CPU schedule takes the guesswork out of patch management. The schedule is also designed to avoid typical “blackout dates” during which customers cannot alter their production environments.
- Simplified Patch Management—Patch updates are cumulative for many Oracle products. This provides customers the ability to quickly “catch up” to the current security release level, since the application of the latest cumulative CPU resolves all previously addressed vulnerabilities.
- Identification of architectural vulnerabilities—Security evaluations can lead to the identification of architectural vulnerabilities.