From the blog of Steven Chan,
The Critical Patch Update (CPU) for October 2012 was released on October 16, 2012. Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.
Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.
Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at the following location:
The next four Critical Patch Update release dates are:
Note ID:
This Critical Patch Update (CPU) knowledge document applies to Oracle E-Business Suite Releases 11i and 12. This document lists patches that address security vulnerabilities in Oracle E-Business Suite. It also provides references to My Oracle Support Knowledge documents that contain information about Oracle Database and Oracle Fusion Middleware patches related to Oracle E-Business Suite.
To enable the highest level of support to be provided, Oracle recommends that customers on older releases of Oracle E-Business Suite should upgrade to the latest relevant release for them (12.1, 12.0, or 11.5.10 CU2, as applicable) as soon as possible.
Having identified the Critical Patch Update patches needed for each Oracle home, you should apply them to one Oracle product at a time in that Oracle home, and then move on to the next Oracle home. Depending on your configuration, you may need to apply multiple Oracle Database and Oracle Fusion Middleware patches.
It is recommended that you patch your Oracle environment in the following order:
When applying patches, ensure that all tiers are at the correct release level, and all processes run from a particular Oracle home are shut down before patching that Oracle home. If you have multiple Oracle product installations, the Critical Patch Update requires the application (middle) tier to be patched immediately after the database tier. This allows the database post-installation scripts to be run before starting and using the application tier.
If assistance is required from Oracle Support, you should provide complete information about the products being patched. Because you are administering one Oracle product, one Oracle home at a time for its own Critical Patch Update patch, there will generally need to be one Support service request per Oracle home.
Table 1 lists the Oracle E-Business Suite Database home critical update patches. To identify the database releases certified with your Oracle E-Business Suite Release, see Certifications in My Oracle Support.
Table 1: Information on patches to apply to Oracle E-Business Suite Database Oracle home
Table 2: Information on patches to apply to Oracle Fusion Middleware homes for Release 12 and Oracle Application Server home for Release 11i
Table 3
lists the Oracle E-Business Suite Developer Suite home critical update
patches. Note that these patches are only supported for use with Oracle
E-Business Suite.
Table 3: Information on patches to apply to Oracle Developer Suite for Release 11i
Footnote 1
This patch contains the security fix for CVE-2012-0073 delivered in CPUJan2012.
Table 4: Oracle E-Business Suite critical update patches
The Critical Patch Update (CPU) for October 2012 was released on October 16, 2012. Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.
Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.
Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at the following location:
The next four Critical Patch Update release dates are:
- January 15, 2013
- April 16, 2013
- July 16, 2013
- October 15, 2013
- Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2012) (Note 1486535.1)
Note ID:
| Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2012) [ID 1486535.1] | |||||
| Modified 16-OCT-2012 Type BULLETIN Status PUBLISHED | |||||
This Critical Patch Update (CPU) knowledge document applies to Oracle E-Business Suite Releases 11i and 12. This document lists patches that address security vulnerabilities in Oracle E-Business Suite. It also provides references to My Oracle Support Knowledge documents that contain information about Oracle Database and Oracle Fusion Middleware patches related to Oracle E-Business Suite.
Note: This document may be updated after initial release. Any changes are listed in Section 4, Document Modification History.
If you print this document, periodically check to ensure you have the
most recent version. The current version of this document can be
obtained in My Oracle Support Knowledge Document 1486535.1.
Customers on any of the following Oracle E-Business Suite code levels
are supported for October 2012 Critical Patch Update (CPUOct2012), and
can apply the patches listed in this document:- Release 12.1 - 12.1.1 and higher with ATG 12.1.3 (R12.ATG_PF.B.Delta.3)
- Release 12.0 - 12.0.6 and higher
- Release 11i - Minimum Baseline for Extended Support on Oracle E-Business Suite 11.5.10
- My Oracle Support Knowledge Document 1195034.1, Oracle E-Business Suite Error Correction Support Policy
- My Oracle Support Knowledge Document 883202.1, Minimum Baseline Patch Requirements for Extended Support on Oracle E-Business Suite 11.5.10
- My Oracle Support Knowledge Document 1199724.1, Oracle E-Business Suite 11.5.10 Minimum Patch Level and Extended Support Information Center
To enable the highest level of support to be provided, Oracle recommends that customers on older releases of Oracle E-Business Suite should upgrade to the latest relevant release for them (12.1, 12.0, or 11.5.10 CU2, as applicable) as soon as possible.
Note: Only the explicitly listed releases are
tested for vulnerabilities addressed by this critical patch update.
Customers on a release prior to the earliest release specified in the
tables must upgrade to a supported release before applying any of the
patches listed.
Review to the following documents for general information related
to the Oracle CPU Program, Critical Patch Updates for other Oracle
products related to Oracle E-Business Suite, or previous Oracle Security
Alerts:- My Oracle Support Knowledge Document 1475931.1, Oracle Critical Patch Update October 2012 Documentation Map
- My Oracle Support Knowledge Document 1477727.1, Patch Set Update and Critical Patch Update October 2012 Availability Document
- Oracle Technology Network Advisory: Critical Patch Updates, Security Alerts and Third Party Bulletin
- Oracle Technology Network FAQ: Critical Patch Update and Security Alert Programs - Frequently Asked Questions
In This Document
- Section 1: Preparing to Apply Oracle E-Business Suite Critical Patches
- Section 2: Patches to Apply to Oracle E-Business Suite Oracle homes
- Section 3: Patches to Apply to Oracle E-Business Suite
- Section 4: Document Modification History
- Section 5: Documentation Accessibility
Section 1: Preparing to Apply Oracle E-Business Suite Critical Patches
To help you determine which Oracle E-Business Suite, Oracle Fusion Middleware, and Oracle Database patches to apply, you should make a list of all Oracle products installed in your system, together with their full versions.Having identified the Critical Patch Update patches needed for each Oracle home, you should apply them to one Oracle product at a time in that Oracle home, and then move on to the next Oracle home. Depending on your configuration, you may need to apply multiple Oracle Database and Oracle Fusion Middleware patches.
Note: CPU patches listed in this knowledge document for Oracle E-Business Suite, Oracle Database, and Oracle Fusion Middleware are cumulative, and therefore include fixes from previous Oracle security alerts and Critical Patch Updates.
After you have reviewed the relevant Oracle E-Business Suite
documentation, collected the product information and examined related
Critical Patch Update documentation, rank your business systems in the
order of risk. First, apply updates to any systems that have the
highest risk. For example, start with systems that are external to a
firewall before updating systems within an internal network.It is recommended that you patch your Oracle environment in the following order:
- Any separate or remote Oracle Fusion Middleware or Oracle HTTP Server Database home, including a separate Metadata Repository home.
- Oracle E-Business Suite Database home.
- Identity Management and Infrastructure homes.
- Oracle Fusion Middleware Application tier home.
- Oracle E-Business Suite applications.
Note: Ensure that you successfully complete patching a given area before continuing to the next.
Patches are available from My Oracle Support.
Before downloading patches, review all patches to be applied, and the
releases to which those patches apply. For an Oracle E-Business Suite
Oracle home, also look for any release notes or instructions specific
for the home type.. Before installing a patch, unzip and read its
supporting documentation, including any specific instructions for your
particular Oracle home installation. In particular, review relevant Known Issues sections before starting the installation.When applying patches, ensure that all tiers are at the correct release level, and all processes run from a particular Oracle home are shut down before patching that Oracle home. If you have multiple Oracle product installations, the Critical Patch Update requires the application (middle) tier to be patched immediately after the database tier. This allows the database post-installation scripts to be run before starting and using the application tier.
If assistance is required from Oracle Support, you should provide complete information about the products being patched. Because you are administering one Oracle product, one Oracle home at a time for its own Critical Patch Update patch, there will generally need to be one Support service request per Oracle home.
Section 2: Patches to Apply to Oracle E-Business Suite Oracle homes
This section describes the Critical Patch Update documentation and patches for the Oracle Database, Oracle Fusion Middleware, and Oracle Developer Suite Oracle homes used by Oracle E-Business Suite.
Note: Oracle Database, Oracle Fusion Middleware and Oracle Developer Suite critical patches are cumulative, and therefore include all previous CPU content.
- Oracle E-Business Suite Release 12 installs three Oracle homes -
one each for the Oracle Database, Oracle Fusion Middleware 10.1.3
(Java), and Oracle Fusion Middleware 10.1.2 (Tools).
- Oracle E-Business Suite Release 11i installs three Oracle homes - one each for the Oracle Database, Oracle Application Server (Oracle HTTP Server), and Oracle Developer 6i.
Table 1 lists the Oracle E-Business Suite Database home critical update patches. To identify the database releases certified with your Oracle E-Business Suite Release, see Certifications in My Oracle Support.
Table 1: Information on patches to apply to Oracle E-Business Suite Database Oracle home
| Oracle E-Business Suite Database Oracle home | Latest CPU | My Oracle Support Reference |
|---|---|---|
| 11.2.0.3 | October 2012 | Knowledge Document 1477727.1, Patch Set Update and Critical Patch Update October 2012 Availability Document. |
| 11.2.0.2 | October 2012 | Knowledge Document 1477727.1 , Patch Set Update and Critical Patch Update October 2012 Availability Document (see Footnote 1). |
| 11.2.0.1 | July 2011 | Knowledge Document 1315202.1, Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2011). |
| 11.1.0.7 | October 2012 | Knowledge Document 1477727.1 , Patch Set Update and Critical Patch Update October 2012 Availability Document (see Footnote 2). |
| 10.2.0.5 | October 2012 | Knowledge Document 1477727.1 , Patch Set Update and Critical Patch Update October 2012 Availability Document. |
| 10.2.0.4 | April 2012 | Knowledge Document 1406263.1, Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (April 2012). |
| 10.2.0.3 | October 2012 |
|
When applying this CPU patch, if you encounter
conflict between 12400751 and 14107384, apply merge patch 14167060 to
resolve the conflict and then apply the 11.2.0.2 CPU patch again.
If you encounter any of the following conflicts when applying this CPU patch, apply the appropriate merge patch shown in Table 1A and then apply the 11.1.0.7 CPU patch again.
| To Resolve Conflict Between: | Apply Merge Patch: |
|---|---|
| 8855577 and 8940108 | 9304416 |
| 14145193, 14488890 with 9554727 or 14215241 | 14683097 |
| 7111245 and 14141297 | 14184215 |
| 14461976 and 14488890 | 14608818 |
| Oracle E-Business Suite Fusion Middleware home Release Version | Latest CPU | My Oracle Support Reference or Patch Reference |
|---|---|---|
| 10.1.3.5 | July 2012 | Knowledge Document 1455387.1, Patch Set Update and Critical Patch Update July 2012 Availability Document. |
| 10.1.3.4 | January 2010 | Knowledge Document 985520.1, Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2010). |
| 10.1.3.3 | July 2009 | Knowledge Document 836258.1, Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2009). |
| 10.1.2.3 | October 2011 |
Knowledge Document 1354842.1, Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2011).
|
| 10.1.2.2 | January 2009 | Knowledge Document 738923.1, Oracle E-Business Suite Critical Patch Update Note January 2009. |
| Oracle9i Application Server 1.0.2.2.2 | October 2012 | Apply Oracle Fusion Middleware Patch 14510576. |
Table 3: Information on patches to apply to Oracle Developer Suite for Release 11i
| Oracle Developer Suite Release | Latest CPU Patch | My Oracle Support Reference |
|---|---|---|
| Oracle Developer Suite 6i Patchset 19 (Release 6.0.8.28) | 13384700 (see Footnote 1) |
Knowledge Document 125767.1, Upgrading Developer 6i with Oracle E-Business Suite 11i. Also refer to Knowledge Document 1082747.1
for any relevant actions.
|
This patch contains the security fix for CVE-2012-0073 delivered in CPUJan2012.
Note: Oracle E-Business Suite customers using
Oracle SSO 10.1.4.3.0 should apply CPU patch 14491148 and ensure that
they follow the README instructions in the patch to whitelist the
E-Business Suite host as a valid logout landing page.
Note that Oracle SSO will end Extended Support at the end of 2012 - see the Oracle Lifetime Support Policy for Oracle Fusion Middleware Guide.
Note that Oracle SSO will end Extended Support at the end of 2012 - see the Oracle Lifetime Support Policy for Oracle Fusion Middleware Guide.
Section 3: Patches to Apply to Oracle E-Business Suite
This section lista the October 2012 Critical Patch Update patches for Oracle E-Business Suite.
Note: Oracle E-Business Suite Release Critical Patch Update patches are cumulative, and therefore include all previous CPU content.
As stated in the introductory section, customers on any of the
following Oracle E-Business Suite code levels are supported for October
2012 Critical Patch Update (CPUOct2012), and can apply the patches
listed in this document:- Release 12.1 - 12.1.1 and higher with ATG 12.1.3 (R12.ATG_PF.B.Delta.3)
- Release 12.0 - 12.0.6 and higher
- Release 11i - Minimum Baseline for Extended Support on Oracle E-Business Suite 11.5.10
- My Oracle Support Knowledge Document 1195034.1, Oracle E-Business Suite Error Correction Support Policy
- My Oracle Support Knowledge Document 883202.1, Minimum Baseline Patch Requirements for Extended Support on Oracle E-Business Suite 11.5.10
- My Oracle Support Knowledge Document 1199724.1, Oracle E-Business Suite 11.5.10 Minimum Patch Level and Extended Support Information Center
Table 4: Oracle E-Business Suite critical update patches
| Oracle E-Business Suite Release | Patch to Apply |
|---|---|
| 12.1.1 and higher with ATG 12.1.3 (R12.ATG_PF.B.Delta.3) | 14321237 |
| 12.0.6 and higher | 14321239 |
| Minimum Baseline for Extended Support on 11.5.10 with 11i.ATG_PF.H.delta.7 (RUP7) | 14321240 |
| Minimum Baseline for Extended Support on 11.5.10 with 11i.ATG_PF.H.delta.6 (RUP6) | 14321241 |
