Last Updated: July 10, 2012
Critical Patch Updates are sets of patches containing fixes for security flaws in Oracle products. The Critical Patch Update program (CPU) was introduced in January 2005 to provide security fixes on a fixed, publicly available schedule to help customers lower their security management costs.
More information about Oracle's security fixing policies can be found at http://www.oracle.com/us/support/assurance/fixing-policies/index.html
Prior to the Critical Patch Update program, fixes for security vulnerabilities were created individually and released when ready. The fixes were released in "Security Alerts" for Oracle products; "Security Advisories" for BEA, PeopleSoft Enterprise and JD Edwards EnterpriseOne products; and "Technical Support Alerts" for Siebel products. Oracle will issue a Security Alert (i.e. release of a security fix outside of the normal CPU schedule) in cases where the urgency of a fix requires it to be released in advance of the next Critical Patch Update. The occasions when Oracle will release one-off security patches are described later in this document.
As of January 2011, Oracle Critical Patch Updates for products other than Java Standard Edition and Enterprise Edition, are released at 1 p.m. Pacific Time on the Tuesday closest to the 17th day of the months of January, April, July and October. Upcoming Critical Patch Update release dates, for all products, including Java Standard Edition and Enterprise Edition, are listed on http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Previously-released Security Alerts and Critical Patch Updates can be found at: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Siebel historical alerts can be found by searching for the term "Security Alert" on the My Oracle Support site at https://support.oracle.com/
PeopleSoft (PeopleTools/Enterprise) historical items can be found in My Oracle Support Note 805773.1 (https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=805773.1)
Historical BEA advisories can be found at http://www.oracle.com/technetwork/topics/security/beaarchive-159946.html
In case of dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. If the Security Alert is released with an interim patch, the patch will be included in the next Critical Patch Update. For more information, see Security Vulnerability Fixing Policy and Process at http://www.oracle.com/us/support/assurance/fixing-policies/index.html
Oracle Lifetime Support policy is located at http://www.oracle.com/support/lifetime-support-policy.html. It defines the period during which product releases are covered by Premier Support and Extended Support agreements. Generally, only releases in these first two stages of support are included in the Critical Patch Update program. For most products, only the latest versions within each release receive Critical Patch Update patches as stated in the "Software Error Correction Support Policy" documents on My Oracle Support. See for example: https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=209768.1&h=Y
My Oracle Support Note 209768.1, "Oracle Database, Fusion Middleware, and Collaboration Suite Software Error Correction Support Policy", contains information about the support policies for Critical Patch Updates for these products. In addition, the Patch Availability Note listed in each Critical Patch Update Advisory lists the Database and Fusion Middleware platform and version combinations that are planned for the subsequent Critical Patch Update. The Patch Availability Note also includes information on the product versions and platforms that will receive patches in future Critical Patch Updates.
Oracle strongly recommends that customers using product versions not covered by the Critical Patch Update program upgrade to versions for which Critical Patch Updates are provided.
Details for handling conflicts for any given Critical Patch Update release are found in the note titled "Critical Patch Update Availability Information for Oracle Database and Fusion Middleware Products". This note is updated with each Critical Patch Update. Furthermore, the Critical Patch Update Advisory section titled "Patch Availability Table and Risk Matrices" contains a link to the correct instance of the note for that Critical Patch Update. The steps for resolving patch conflicts can be found in the note, under the section titled "CPU Patch Conflict Resolution".
As much as possible, Oracle tries to make Critical Patch Updates cumulative; that is each Critical Patch Update contains the security fixes from all previous Critical Patch Updates. In practical terms, for those products that receive cumulative fixes, the latest Critical Patch Update is the only one that needs to be applied when solely using these products, as it contains all required fixes.
Fixes for the other products that do not receive cumulative fixes are released as one-off patches. It is necessary for these products to refer to previous Critical Patch Update advisories to find all the patches that may need to be applied.
Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. It is not mandatory to install Critical Patch Updates, but Oracle strongly recommends that they are applied to fix security vulnerabilities and minimize the risk of a successful attack.
Oracle strongly recommends that every Critical Patch Update be applied as soon as possible to minimize the risk of a successful attack. If this is not possible, customers should determine the risk to machines based on factors such as:
Detailed recommendations are available from the technical white paper "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" available at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf
Oracle extensively tests the Critical Patch Update patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the Critical Patch Update patches on their own test environments before installing patches on production systems. For more information, see the technical white paper "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" available at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf
Oracle believes that the timely application of Critical Patch Updates is necessary for organizations to maintain a proper security in-depth posture. In certain instances, Oracle can provide specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used by customers to reduce or mitigate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.
The top-level document for each Critical Patch Update is the Critical Patch Update Advisory. A list of all Critical Patch Update Advisories is maintained on the Critical Patch Updates and Security Alerts page on Oracle Technology Network at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
The Critical Patch Update Advisory provides information designed to help customers make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each newly fixed vulnerability. It references a number of product-specific notes and documents that provide more detailed information, including the location of the patches.
The information available on non-Oracle sites is not always reviewed by Oracle. Some sites may offer misleading information by providing only a small part of the vulnerabilities information disclosed in the Oracle Critical Patch Update or Security Alert documentation. Third-party sites may suggest workarounds that are incorrect, incomplete or untested, and following such advice can lead to system outages.
Oracle strongly recommends that customers rely on information provided by Oracle, specifically the Critical Patch Update or Security Alert documentation, as the only authoritative source of information about Oracle vulnerabilities.
Starting with the July 2008 Critical Patch Update, Oracle started using industry standard Common Vulnerabilities and Exposure (CVE) identifiers rather than the proprietary identifiers used in previous CPUs. The use of CVE identifiers was introduced to simplify the identification of Oracle vulnerabilities when referenced in external security reports, such as those produced by security researchers and vulnerability management systems.
Starting with the July 2008 Critical Patch Update, Oracle instituted a Security-In-Depth program to provide credit to people that provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates.
Starting with the July, 2011 Critical Patch Update, Oracle instituted an On-Line Presence Security program to provide credit to people for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.
CVRF (Common Vulnerability Reporting Format) is an XML interchange format that has been developed by one of the working groups of the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum comprised of leading technology vendors including Oracle. The organization’s mission is to address global, multi-product security challenges to better protect the IT infrastructures that support the world’s enterprises, governments, and citizens.
The CVRF XML format is used to interchange relevant security information pertaining to vulnerabilities. Such information include, but is not limited to: CVE# to identify vulnerability, CVSS score to rate the ease of exploitation and severity of the vulnerability, affected products/versions, and remedy.
Oracle is a member of ICASI and participated in the definition of CVRF. As of the July 2012 Critical Patch Update, in addition to existing text advisories, Oracle publishes the security advisories in CVRF format. The advisory in the CVRF format can be found in the “references” section of each advisory. Oracle will also provide accompanying files for formatting purposes (.css and .xsl) which allow easier viewing of the CVRF XML data in standard browsers. However, customers may choose to ignore this formatting and only download the CVRF file (in xml format). The CVRF XML files are also available via RSS.
If you discover a problem you believe to be a security vulnerability, please follow the process detailed at http://www.oracle.com/us/support/assurance/reporting/index.html