Oracle Critical Patch Updates: Insight and Understanding. Stephen Kost Integrigy Corporation

Transcription

1 Oracle Critical Patch Updates: Insight and Understanding Stephen Kost Integrigy Corporation

2 Introduction Stephen Kost Chief Technology Officer of Integrigy Corporation 11 years experience with Oracle Applications as Applications DBA, architect, and application administrator Found more than 5 security bugs fixed in CPUs Integrigy Corporation Only firm that is dedicated to Oracle E-Business Suite Security Services Oracle Applications Security Assessments Products AppSentry and AppDefend

3 Agenda Background of Critical Patch Updates Vulnerabilities Certification vs. Certification Patches Patching Strategy Questions

4 Oracle Critical Patch Updates Fixes for security bugs in all Oracle products Released quarterly on a fixed schedule Tuesday closest to the 15th day of January, April, July and October Next CPUs = April 15, 8 and July 15, 8 Thirteen CPUs released to date starting with Jan security bugs fixed (average is 53 bugs per CPU) 36 bugs in the Oracle Database 153 bugs in the Oracle E-Business Suite 11i

5 Security Bugs per CPU (all products) Jan 5 Apr 5 July 5 Oct 5 Jan 6 Apr 6 July 6 Oct 6 Jan 7 Apr 7 July 7 Oct 7 Jan 8 Open

6 Bug reported Elapsed time on average is 18 months Bug fixed Security Bug Process Customer or security researcher reports security bug to Oracle Currently, 1- open bugs reported by a number of independent security researchers Oracle researches bug and develops bug fix Finder not allowed to test fix or even notified about fix Oracle may include fix in new releases No notification of security fixes to customers Oracle includes fix in quarterly CPU From initial report to security patch release is 3 months to 3 years

7 Types of Oracle Security Bugs Buffer Overflow SQL Injection Cross-site Scripting (XSS) Parameter Tampering Permission Issues Information Disclosure

8 % of Bugs Exploitable with No Auth For the CPUs January 7 through January 8 (3 of 81 database bugs)

9 % of Bugs PUBLIC Exploitable For the CPUs January 7 through January 8 (36 of 81 database bugs

10 % of Published Exploits PUBLIC Exploitable For the CPUs January 7 through January 8 (16 of 18 database bugs

11 Who can exploit a PUBLIC bug? APPLSYSPUB/PUB and anyone else with a database account

12 Database Vulnerabilities (Jan8/11i) Supported PUBLIC Other Privileges No Default Privileges Database (i.e., APPLSYSPUB) (CREATE VIEW) Version DB4 SDO_CATALOG DB6 Oracle Spatial DB4 SDO_CATALOG DB6 Oracle Spatial DB7 Oracle Spatial 1.../ DB SDO_CATALOG DB7 Oracle Spatial DB1 XML DB DB - DBMS_PRVTAQIM DB3 - DBMS_PRVTAQIP DB1 XML DB DB - DBMS_PRVTAQIM DB3 - DBMS_PRVTAQIP DB1 XML DB DB - DBMS_PRVTAQIM

13 Oracle Applications 11i Baseline Critical Patch Updates require an Oracle Applications 11i minimum RUP level Starting in July 7, must be RUP(n) or RUP(n-1) ATG_PF.H and RUP4, RUP5, RUP6 for all versions through April 8 most likely will be RUP5 and RUP6 only

14 Certification and Certification Applications Certification!= CPU Certification CPUs only certified with latest two patch sets released in the past 1 months Apps Database App Developer JInitiator ATG_PF Version Server (WinXP) (Apache) x* (P15)* ATG_PF.H* 9...5* (1.3.1) 6..8.x (P16-P17) ATG_PF.H RUP * or (1.3.19) (P18) ATG_PF.H RUP or ATG_PF.H RUP6 Desupported Certified, No CPU Support Certified for CPU * Fresh Install Version

15 9...x 1.1..x 1...x 5 Jan Apr Jul Oct Jan Apr Jul Oct Jan Apr Jul Oct Jan

16 CPU Certification Changes for Jan 8 Oracle Applications 11i No support for Jinitiator x must be upgraded to Oracle Database 1... = Limited operating system support Oracle Application Server No changes

17 CPU Certification Changes - Future Oracle Applications 11i April 8 = probably RUP5 and RUP6 only July 8 = no as Premier Support ends June 8 Oracle Database April 8 = 1... no support Oracle Application Server No changes anticipated

18 Database Patches Database patches are cumulative for all previous Critical Patch Updates Database patches include non-security fixes Windows patches are really version upgrades Testing should be similar to a version upgrade (i.e., to 9...8) Some Integrigy clients now only do minimal testing Database patches provide the greatest security benefit Apply them ASAP Apply database patches now, other patches later Otherwise, enable Managed SQL*Net Access feature

19 Oracle Applications Patches (Jan8) Patches Scope/ Risk Patch Complexity Vulnerability Description and Testing Medium Low CRM Technology Foundation (JTF) Cross Site Scripting (XSS) in the jtflogin.jsp page No testing required Mandatory for all implementations External access blocked by URL Firewall Oracle Application Library (AOL/FND) RUP5/ RUP High Low Cross Site Scripting (XSS) in the AppsChangePassword.jsp page Test basic functionality of the reset password page Mandatory for all implementations Not blocked by the URL Firewall and is required

20 Apr Jul Oct Jan Apr Jul Oct Jan Apr Jul Oct Jan Database Jan Current = P14 Current = Upgrade to App Server 5719 P Oracle Applications RUP 5

21 Oracle Applications R1 (Jan8/Unix) Oracle Database 1... = ETA (Cumulative) = , , and (Cumulative) Oracle Application Server (Forms) = (Cumulative) (Forms) = (Cumulative) (OCJ4) = (Cumulative) Oracle Applications R1 Cumulative CPU Patch = (5.7 MB) 1..4 Release Update Pack (RUP) = 6435 (1.8 GB) 1.. was only 765 MB, 1..3 was 1.5 GB

22 Patching Strategy General advice Apply the Database patch cumulative for all CPUs and previous security alerts Apply Oracle Applications patches not cumulative, must apply all patches from all previous CPUs Evaluate the effort to apply Developer 6i, Application Server, and JInitiator patches depending on risk and effort, delaying these patches may be warranted Specific advice Integrigy releases guidance for each CPU on our website Each CPU has unique issues and requirements, thus need to be evaluated independently

23 References Integrigy, Oracle Critical Patch Update October 7 E- Business Suite Impact, Integrigy, Oracle Jinitiator Buffer Overflow Vulnerability Analysis, Oracle, Oracle Critical Patch Update January 8 Advisory, Oracle Corporation, Oracle E-Business Suite Critical Patch Update Note January 8, Metalink Note ID Oracle Corporation, Rebaselined Oracle Applications Technology Components for Releases , , , and , Metalink Note ID

24 Integrigy Contact Information Stephen Kost Chief Technology Officer Phone: Integrigy Corporation Integrigy Corporation P.O. Box Chicago, Illinois /54-48 Website: Sales: Development: Support: Security Alerts: Copyright 8 Integrigy Corporation. All rights reserved.

25 Questions?