Pete Finnigan's Oracle Security Weblog

There are 47 security bugs fixed in this Critical Patch Update and these are spread across quite an array of Oracles products. The database is affected for versions 8.0.6, 8i Release 3, 9i release 1 and 2 and 10g Release 1. This time Enterprise manager Grid Control 10g, 10g Database Control and Application Server Control 9.0.4.0(1) are affected. Oracle 9i Application server 9i release 1 and 2 and 10g are affected as are Collaberation Suite release 2 and E-Business Suite and applications 11.0 and 11i. Finally Workflow 11.5.1 to 11.5.9.5, Forms and Reports 4.5.10.22 and 6.0.8.25, JInitiator, versions 1.1.8, 1.3.1, Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2 and Express Server, version 6.3.4.0.

There are no vulnerabilities affecting installed clients that are not accompanied by a database server install. This CPU July 2005 does not need to be installed on client only installations if a previous CPU has been applied or alert #68.

There is a pre-installation note and risk matrix for each group of products. It is interesting to note that Oracle says it has tested each vulnerability in isolation and has not tested for blended attacks using more than one of the reported vulnerabilities.

Quite a few people are credited with discovering bugs. These include Alex Kornbrust, Esteban Mart�nez Fay�, Gerhard Eschelbeck, Stephen Kost , David Litchfield, http://www.ncircle.com/ - (broken link) Michael Murray, Aaron C. Newman and http://www.rigelksecurity.com - (broken link) Mike Sues. There are a few new names that we have not normally seen in the recent times of Oracle Security bugs.

It is also quite interesting that this time there are no PeopleSoft fixes included in this patch update.

There are then five sections detailing the bugs found. There is not a great deal of detail as usual. Only sparse mention of components and packages that are vulnerable. Sometimes this is enough to get an idea of the type of bug involved.