Last Updated: April 27, 2022
Critical Patch Updates are sets of security patches for Oracle products. The Critical Patch Update program (CPU) was introduced in January 2005 to provide a fixed, publicly-available schedule to help customers lower their security management costs.
More information about Oracle's security fixing policies can be found at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html
Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the Security Alert by email notification through My Oracle Support and Oracle Technology Network.
Oracle Critical Patch Updates are released quarterly. Since April 2022, Critical Patch Updates are released at around 1 p.m. Pacific Time on the third Tuesday of January, April, July, and October (They were previously released on the Tuesday closest to the 17th of the month in January, April, July, and October).
Yes. Updates for Oracle Linux and Oracle VM Server for x86 are announced in ELSA (Enterprise Linux Security Advisories) published at https://linux.oracle.com/security/ . Additionally customers can subscribe to Oracle Linux security announcements by visiting https://oss.oracle.com/mailman/listinfo/el-errata
Previously-released Security Alerts and Critical Patch Updates can be found at: http://www.oracle.com/security-alerts/
In case of dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. If the Security Alert is released with an interim patch, the patch will be included in the next Critical Patch Update. For more information, see Security Vulnerability Fixing Policy and Process at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html
Oracle Lifetime Support policy is located here. It defines the period during which product releases are covered by Premier Support and Extended Support agreements. Generally, only releases in these first two stages of support are included in the Critical Patch Update program. For most products, only the latest versions within each release receive Critical Patch Update patches as stated in the "Software Error Correction Support Policy" documents on My Oracle Support.
My Oracle Support Note 209768.1, "Oracle Database, Fusion Middleware, and Collaboration Suite Software Error Correction Support Policy", contains information about the support policies for Critical Patch Updates for these products. In addition, the Patch Availability Note listed in each Critical Patch Update Advisory lists the Database and Fusion Middleware platform and version combinations that are planned for the subsequent Critical Patch Update. The Patch Availability Note also includes information on the product versions and platforms that will receive patches in future Critical Patch Updates.
Oracle strongly recommends that customers using product versions not covered by the Critical Patch Update program upgrade to versions for which Critical Patch Updates are provided.
Details for handling conflicts for any given Critical Patch Update release are found in the note titled "Critical Patch Update Availability Information for Oracle Database and Fusion Middleware Products". This note is updated with each Critical Patch Update. Furthermore, the Critical Patch Update Advisory section titled "Patch Availability Table and Risk Matrices" contains a link to the correct instance of the note for that Critical Patch Update. The steps for resolving patch conflicts can be found in the note, under the section titled "CPU Patch Conflict Resolution".
As much as possible, Oracle tries to make Critical Patch Updates cumulative; that is each Critical Patch Update contains the security fixes from all previous Critical Patch Updates. In practical terms, for those products that receive cumulative fixes, the latest Critical Patch Update is the only one that needs to be applied when solely using these products, as it contains all required fixes.
Fixes for the other products that do not receive cumulative fixes are released as one-off patches. It is necessary for these products to refer to previous Critical Patch Update advisories to find all the patches that may need to be applied.
It is not mandatory to install Critical Patch Updates, but Oracle strongly recommends that they are applied. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
Oracle strongly recommends that every Critical Patch Update be applied as soon as possible to minimize the risk of a successful attack.
Oracle extensively tests the Critical Patch Update patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the Critical Patch Update patches on their own test environments before installing patches on production systems.
Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. In certain instances, Oracle can provide specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used by customers to reduce or mitigate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.
The top-level document for each Critical Patch Update is the Critical Patch Update Advisory. A list of all Critical Patch Update Advisories is maintained on the Critical Patch Updates and Security Alerts page on Oracle Technology Network at https://www.oracle.com/security-alerts/
The Critical Patch Update Advisory provides information designed to help customers make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each newly fixed vulnerability. It references a number of product-specific notes and documents that provide more detailed information, including the location of the patches.
The information available on non-Oracle sites is not reviewed by Oracle. Some sites may offer misleading information by providing only a small part of the vulnerabilities information disclosed in the Oracle Critical Patch Update or Security Alert documentation. Third-party sites may suggest workarounds that are incorrect, incomplete or untested, and following such advice can lead to system outages. Oracle strongly recommends that customers rely on information provided by Oracle, specifically the Critical Patch Update or Security Alert documentation, as the only authoritative source of information about Oracle vulnerabilities.
Starting with the July 2008 Critical Patch Update, Oracle started using industry standard Common Vulnerabilities and Exposure (CVE) identifiers rather than the proprietary identifiers used in previous CPUs. The use of CVE identifiers was introduced to simplify the identification of Oracle vulnerabilities when referenced in external security reports, such as those produced by security researchers and vulnerability management systems.
In 2008, Oracle instituted a Security-In-Depth program to provide credit to people that provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates.
In 2011, Oracle instituted an On-Line Presence Security program to provide credit to people for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.
CVRF (Common Vulnerability Reporting Format) is an XML interchange format that has been developed by one of the working groups of the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum comprised of leading technology vendors including Oracle. The organization’s mission is to address global, multi-product security challenges to better protect the IT infrastructures that support the world’s enterprises, governments, and citizens.
The CVRF XML format is used to interchange relevant security information pertaining to vulnerabilities. Such information include, but is not limited to: CVE# to identify vulnerability, CVSS score to rate the ease of exploitation and severity of the vulnerability, affected products/versions, and remedy.
Oracle is a member of ICASI and participated in the definition of CVRF. As of the July 2012 Critical Patch Update, in addition to existing text advisories, Oracle publishes the security advisories in CVRF format. The advisory in the CVRF format can be found in the “references” section of each advisory. Oracle will also provide accompanying files for formatting purposes (.css and .xsl) which allow easier viewing of the CVRF XML data in standard browsers. However, customers may choose to ignore this formatting and only download the CVRF file (in xml format). The CVRF XML files are also available via RSS.
If you discover a problem you believe to be a security vulnerability, please follow the process detailed at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html