This page lists security patches, in the form of Critical Patch Updates (CPUs) and Security Alerts, that Oracle
has released. The page is updated when new Critical Patch Updates and Security Alerts are released, and it is possible
to receive notification of releases by email.
Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices".
Critical Patch Updates
Critical Patch Updates are the primary means of releasing security fixes for
Oracle products to customers with valid support contracts. They are released on the Tuesday
closest to the 15th day of January, April, July and October. Starting in 2011, Critical Patch Updates
will be released on the Tuesday closest to the 17th day of January, April, July and October.
The next four dates are:
13 July 2010
12 October 2010
18 January 2011
19 April 2011
A pre-release announcement will be published on the Thursday preceding each CPU
release.
The Critical Patch Updates released to date are listed in the following table. Starting April 2010, the Critical Patch Update includes Sun Solaris vulnerabilities. Please note that starting in March of 2010, an additional table for "Java for SE and Java for Business" is now being included. Please also note that
starting with the January 2008 CPU, the Critical Patch Update Advisory will only be posted on OTN and will no longer
be posted on My Oracle Support.
Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for
distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed
in the following table.
Click here for Security Alerts released before 2006.
Policy Statement on Information Provided in Critical Patch Updates and Security Alerts
Oracle conducts an analysis of each security vulnerability
addressed by a Critical Patch Update (CPU) or a Security Alert. The
results of the security analysis are reflected in the severity of the
CPU or Security Alert and the associated documentation describing, for
example, the type of vulnerability, the conditions required to exploit
it and the result of a successful exploit. Oracle provides this
information, in part, so that customers may conduct their own risk
analysis based on the particulars of their product usage.
As a matter of policy, Oracle will not provide additional information
about the specifics of vulnerabilities beyond what is provided in the
CPU or Security Alert notification, the pre-installation notes, the
readme files, and FAQs. Oracle provides all customers with the same
information in order to protect all customers equally. Oracle will
not provide advance notification or "insider information" on CPU or
Security Alerts to individual customers. Finally, Oracle does not
develop or distribute active exploit code (or "proof of concept code")
for vulnerabilities in our products.
If you are an Oracle customer or an Oracle partner, please use My Oracle Support
to submit a Service Request on any potential Oracle product security vulnerability.
Otherwise, please email secalert_us@oracle.com with your discovery. We encourage people
who wish to contact Oracle Security to employ email encryption, using our encryption key.