Critical Patch Update and Security Alert Programs Frequently Asked Questions


Last Updated: July 18, 2023

1. Oracle security vulnerability remediation practices overview

  • 1.1 What are Critical Patch Updates (CPUs)?

    Critical Patch Updates provide security patches for supported Oracle on-premises products. The Critical Patch Update program (CPU) was introduced in January 2005 to provide a fixed, publicly-available schedule to help customers lower their security management costs.

    More information about Oracle's security fixing policies can be found at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

  • 1.2 What are Security Alerts?

    Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the Security Alert by email notification. See Instructions for subscribing to email notifications of Critical Patch Updates and Security Alerts.

  • 1.3 When are Critical Patch Updates released?

    Oracle Critical Patch Updates are released quarterly. Since April 2022, Critical Patch Updates are released at around 1 p.m. Pacific Time on the third Tuesday of January, April, July, and October (they were previously released on the Tuesday closest to the 17th of the month in January, April, July, and October).

  • 1.4 Does Oracle release security patches outside of the Critical Patch Update for products such as Oracle Linux and Oracle VM Server?

    Yes. Updates for Oracle Linux and Oracle VM Server for x86 are announced in ELSA (Enterprise Linux Security Advisories) published at https://linux.oracle.com/security/. Additionally, customers can subscribe to Oracle Linux security announcements by visiting https://oss.oracle.com/mailman/listinfo/el-errata

  • 1.5 Where can I find a list of past Oracle Security Alerts and Critical Patch Updates?

    Previously-released Security Alerts and Critical Patch Updates can be found at: http://www.oracle.com/security-alerts/

  • 1.6 What happens if a critical security flaw is discovered between the quarterly Critical Patch Updates?

    In the case of a dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. If the Security Alert is released with an interim patch, the patch will be included in the next Critical Patch Update. For more information, see Security Vulnerability Fixing Policy and Process at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

2. Patch policies and content

  • 2.1 In which support stages will products receive Critical Patch Updates?

    Oracle Lifetime Support policy is located here. It defines the period during which product releases are covered by Premier Support and Extended Support agreements. Generally, only releases in these first two stages of support are included in the Critical Patch Update program. For most products, only the latest versions within each release receive Critical Patch Update patches as stated in the "Software Error Correction Support Policy" documents on My Oracle Support.

  • 2.2 For which Oracle database and Oracle Fusion Middleware releases are CPU patches created?

    My Oracle Support Note 209768.1, "Oracle Database, Fusion Middleware, and Collaboration Suite Software Error Correction Support Policy", contains information about the support policies for Critical Patch Updates for these products. In addition, the Patch Availability Note listed in each Critical Patch Update Advisory lists the Database and Fusion Middleware platform and version combinations that are planned for the subsequent Critical Patch Update. The Patch Availability Note also includes information on the product versions and platforms that will receive patches in future Critical Patch Updates.

  • 2.3 Can I request security patches for product versions not currently covered in the CPU program?

    Oracle strongly recommends that customers using product versions not covered by the Critical Patch Update program upgrade to versions for which Critical Patch Updates are provided.

  • 2.4 What should I do when a conflict is reported while applying a Critical Patch Update?

    Details for handling conflicts for any given Critical Patch Update release are found in the note titled "Critical Patch Update Availability Information for Oracle Database and Fusion Middleware Products". This note is updated with each Critical Patch Update. Furthermore, the Critical Patch Update Advisory section titled "Patch Availability Table and Risk Matrices" contains a link to the correct instance of the note for that Critical Patch Update. The steps for resolving patch conflicts can be found in the note, under the section titled "CPU Patch Conflict Resolution".

  • 2.5 Are previously-released security fixes included in the Critical Patch Update?

    As much as possible, Oracle tries to make Critical Patch Updates cumulative; that is, each Critical Patch Update contains the security fixes from all previous Critical Patch Updates. In practical terms, for those products that receive cumulative fixes, the latest Critical Patch Update is the only one that needs to be applied when solely using these products, as it contains all required fixes.

    Fixes for the other products that do not receive cumulative fixes are released as one-off patches. It is necessary for these products to refer to previous Critical Patch Update advisories to find all the patches that may need to be applied.

3. Patch installation and patching guidelines

  • 3.1 Are Critical Patch Updates mandatory?

    It is not mandatory to install Critical Patch Updates, but Oracle strongly recommends that they are applied. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

  • 3.2 How do I determine if I need to apply a Critical Patch Update?

    Oracle strongly recommends that every Critical Patch Update be applied as soon as possible to minimize the risk of a successful attack.

  • 3.3 Are there any recommended practices related to Critical Patch Updates? How should an Oracle DBA manage the CPU installation?

    Oracle extensively tests the Critical Patch Update patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the Critical Patch Update patches on their own test environments before installing patches on production systems.

  • 3.4 Is it possible to apply workarounds instead of installing Critical Patch Updates?

    Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. In certain instances, Oracle can provide specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used by customers to reduce or mitigate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.

4. Critical Patch Update documentation and more information

  • 4.1 What documentation is included in the Critical Patch Update?

    The top-level document for each Critical Patch Update is the Critical Patch Update Advisory. A list of all Critical Patch Update Advisories is maintained on the Critical Patch Updates and Security Alerts page on Oracle Technology Network at https://www.oracle.com/security-alerts/

    The Critical Patch Update Advisory provides information designed to help customers make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each newly fixed vulnerability. It references a number of product-specific notes and documents that provide more detailed information, including the location of the patches.

  • 4.2 Is it safe to use information about Oracle security vulnerabilities from third party sites? How accurate is third-party information?

    The information available on non-Oracle sites is not reviewed by Oracle. Some sites may offer misleading information by providing only a small part of the vulnerabilities information disclosed in the Oracle Critical Patch Update or Security Alert documentation. Third-party sites may suggest workarounds that are incorrect, incomplete or untested, and following such advice can lead to system outages. Oracle strongly recommends that customers rely on information provided by Oracle, specifically the Critical Patch Update or Security Alert documentation, as the only authoritative source of information about Oracle vulnerabilities.

  • 4.3 Why does Oracle use CVE identifiers?

    Starting with the July 2008 Critical Patch Update, Oracle started using industry standard Common Vulnerabilities and Exposure (CVE) identifiers rather than the proprietary identifiers used in previous CPUs. The use of CVE identifiers was introduced to simplify the identification of Oracle vulnerabilities when referenced in external security reports, such as those produced by security researchers and vulnerability management systems.

  • 4.4 What is the Security-In-Depth program referenced in the Credit Section of the CPU Advisory?

    In 2008, Oracle instituted a Security-In-Depth program to provide credit to people that provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates.

  • 4.5 What is the On-Line Presence Security program referenced in the Credit Section of the CPU Advisory?

    In 2011, Oracle instituted an On-Line Presence Security program to provide credit to people for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

5. CVRF (Common Vulnerability Reporting Format)

  • 5.1 What is CVRF?

    CVRF (Common Vulnerability Reporting Format) is an XML interchange format that was developed by one of the working groups of the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI was a non-profit forum made up of leading technology vendors, including Oracle. The organization’s mission was to address global, multi-product security challenges to better protect the IT infrastructures that support the world’s enterprises, governments, and citizens.

    The CVRF XML format is used to interchange relevant security information pertaining to vulnerabilities. Such information includes, but is not limited to: the CVE identifier of the vulnerability, the CVSS score rating the ease of exploitation and severity of the vulnerability, the affected products/versions, and the remedy.

    CVRF has been superseded by CSAF (Common Security Advisory Framework). With the publication of CSAF versions of our Critical Patch Update advisories, Oracle will stop publishing CVRF versions after the October 2023 Critical Patch Update. The CVRF XML files will not be available via RSS after October 2023.

  • 5.2 What is Oracle’s involvement with CVRF?

    Oracle was a member of ICASI and participated in the definition of CVRF. As of the July 2012 Critical Patch Update, in addition to existing text advisories, Oracle publishes the security advisories in CVRF format. The advisory in the CVRF format can be found in the “references” section of each advisory. Oracle also provides accompanying files for formatting purposes (.css and .xsl) which allow easier viewing of the CVRF XML data in standard browsers. However, customers may choose to ignore this formatting and only download the CVRF file (in XML format).

  • 5.3 Whom to contact for CVRF-related questions?

    Please contact secalert_us@oracle.com for any questions related to Oracle’s advisory in CVRF format.

6. CSAF (Common Security Advisory Framework)

  • 6.1 What is CSAF?

    CSAF (Common Security Advisory Framework) is a JSON interchange format that has been developed by the CSAF Technical Committee in OASIS. The CSAF Technical Committee in OASIS is chartered to make a major revision to the Common Vulnerability Reporting Format (CVRF).

    The CSAF JSON format is used to interchange relevant security information pertaining to vulnerabilities. Such information includes, but is not limited to: the CVE identifier of the vulnerability, the CVSS score rating the ease of exploitation and severity of the vulnerability, the affected products/versions, and the remedy.

  • 6.2 What is Oracle’s involvement with CSAF?

    Oracle participates in the CSAF Technical Committee in OASIS. As of the April 2022 Critical Patch Update, in addition to existing text and XML advisories, Oracle also publishes the security advisories in CSAF format. The advisory in the CSAF format can be found in the “references” section of each advisory. The CSAF JSON files are also available via RSS.

    Oracle will stop publishing CVRF XML format after the October 2023 Critical Patch Update.

  • 6.3 Whom to contact for CSAF-related questions?

    Please contact secalert_us@oracle.com for any questions related to Oracle’s advisory in CSAF format. For general CSAF-related questions/suggestions, please follow the instructions provided by the CSAF Technical Committee in OASIS.

7. VEX (Vulnerability Exploitability eXchange)

  • 7.1 What is VEX?

    VEX is a CISA initiative. VEX can be used both to assert the non-exploitability of third-party CVEs and to confirm that products are subject to specific vulnerabilities associated with third-party CVEs. It can also be used to provide the reason for non-exploitability. VEX defines the following statuses:

    • Not Affected
    • Affected
    • Fixed
    • Under Investigation

    When the VEX status is "Not Affected", one of the following VEX status justifications can be provided:

    • Component_not_present
    • Vulnerable_code_not_present
    • Vulnerable_code_not_in_execute_path
    • Vulnerable_code_cannot_be_controlled_by_adversary
    • Inline_mitigations_already_exist

    VEX information can be provided in different documents including, but not limited to, HTML, CSAF and machine-readable SBOM documents.

  • 7.2 What is Oracle’s involvement with VEX?

    Oracle participates in the VEX Working Group. Starting with the July 2023 Critical Patch Update, Oracle publishes the VEX status justifications for third-party CVEs that are not exploitable in the context of the Oracle product in both the HTML and CSAF advisories.
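    As an added illustration (not code from this FAQ or from Oracle's own tooling), the following Python reads a constructed CSAF 2.0 advisory and extracts, per CVE and product, the VEX status and, for "Not Affected" products, the justification label, reporting a missing or unrecognised justification as None so that a consumer can spot statements without one of the five reasons listed above. The CSAF field names (`product_status`, `flags`, `label`, `product_ids`) are assumed from the CSAF 2.0 specification; the sample document, product ids and CVE numbers are constructed placeholders.

```python
import json

# VEX statuses as named on this page, keyed by the CSAF 2.0 product_status
# field that carries them (field names assumed from the CSAF 2.0 schema).
CSAF_STATUS_TO_VEX = {
    "known_not_affected": "Not Affected",
    "known_affected": "Affected",
    "fixed": "Fixed",
    "under_investigation": "Under Investigation",
}
# The five "Not Affected" justifications, as CSAF 2.0 flag labels.
VEX_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Constructed sample advisory (not a real Oracle document); only the fields
# the extraction needs are present. CVE numbers and product ids are placeholders.
SAMPLE_CSAF = json.dumps({"vulnerabilities": [
    {"cve": "CVE-0000-0001",
     "product_status": {"known_not_affected": ["PROD-A"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path",
                "product_ids": ["PROD-A"]}]},
    {"cve": "CVE-0000-0002",
     "product_status": {"fixed": ["PROD-A"], "known_affected": ["PROD-B"]}},
    {"cve": "CVE-0000-0003",  # Not Affected, but with an invalid justification
     "product_status": {"known_not_affected": ["PROD-B"]},
     "flags": [{"label": "not_a_real_label", "product_ids": ["PROD-B"]}]},
]})

def vex_statements(csaf_text):
    """Return (cve, product_id, vex_status, justification) tuples.
    Justification is None unless the status is Not Affected and a flag for
    that product carries one of the five recognised labels."""
    doc = json.loads(csaf_text)
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        # Map each product id to the label of the flag that names it.
        labels = {pid: flag.get("label")
                  for flag in vuln.get("flags", [])
                  for pid in flag.get("product_ids", [])}
        for field, status in CSAF_STATUS_TO_VEX.items():
            for pid in vuln.get("product_status", {}).get(field, []):
                label = labels.get(pid) if status == "Not Affected" else None
                if label not in VEX_JUSTIFICATIONS:
                    label = None  # missing or unrecognised reason
                rows.append((vuln.get("cve"), pid, status, label))
    return rows
```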

  • 7.3 Whom to contact for VEX-related questions?

    Please contact secalert_us@oracle.com for any questions related to Oracle’s VEX status justifications. For general VEX-related questions/suggestions, please send them to SBOM@cisa.dhs.gov.

8. Other topics