Archive for the ‘Database Security’ Category

“IdM Risk Management” and “Identity Analytics”: Anything Else Apart From “Bottom-Up” Approaches?

Posted in Database Security, General by Research on Identity Management Blog on May 13th, 2008 | No Comments

I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:

(1) Risk Analysis and Management in the space of Identity Management

(2) Identity Analytics

My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) providing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach where the “risk assessment” is done against predefined policies and/or well defined situations.

So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) to explore trade-offs in the Identity Management space (e.g. investing in education vs IT solutions vs outsourcing, etc.), to understand the impact on factors of relevance to an organisation (e.g. costs, reputation, losses, trust, etc.), to make compelling decisions and potentially to define suitable policies.

A specific example would be decision support solutions that help in understanding the trade-offs between adopting (in an organisation) strong passwords, SSO, multi-factor authentication, etc. and the costs involved, the value of the assets to be protected, the kind of users involved and the actual benefits in terms of security. More generally, these solutions should provide insights about potential trade-offs between various possible choices in the IdM space (in terms of authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the complexity involved …

Is anybody aware of specific research/work/solutions in this space?

CIOs/CISOs are increasingly asked to justify the reasons behind their security investments and/or have to make investment choices that must “maximise” their “expected outcomes” based on ever-shrinking budgets. I see the opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

PLING panel at WWW 2008

Posted in Database Security, General by Research on Identity Management Blog on May 13th, 2008 | No Comments

A PLING panel was held at the WWW 2008 conference (Beijing, 23-25 April), discussing policies and the Policy-aware Web.

The list of panellists includes: Renato Iannella (Moderator), Piero Bonatti, Lalana Kagal, Thomas Roessler.

The slides presented in this panel are now available online.

Biometrics: State Of The Art And Future Implications

Posted in Database Security, General by Bill Nagel on May 12th, 2008 | No Comments
Biometrics has matured to the point where several technologies have been internationally standardized and incorporated into major international and national identity verification implementations across both the public and private sectors. Because these biometric technologies are being incorporated into mainstream government-to-citizen (G2C) and business-to-consumer (B2C) identification processes, broader adoption of these technologies can be accomplished more quickly and at lower cost than was previously possible. The prospect of biometrics becoming the principal consumer and citizen identification method through incorporation into government and commercial credentials is now close enough for CISOs to begin active consideration of adopting them in their enterprise business processes.

HP Labs Opens Research Opportunities to Academia

Posted in Database Security, General by Research on Identity Management Blog on May 7th, 2008 | No Comments

As announced in a recent press release, HP Labs are opening research opportunities to academia:

“HP today made it possible for colleges, universities and research institutions worldwide to participate in joint research with HP Labs, the company’s central research facility, through an open and competitive process.

The new HP Labs Innovation Research Program invites the worldwide academic community to submit proposals related to current research in the areas of information explosion, dynamic cloud services, content transformation, intelligent infrastructure and sustainability.

The program is the first offering of the HP Labs Open Innovation Office, which was established earlier this year as part of HP Labs’ new approach to research. The office is responsible for deepening HP Labs’ strategic collaborations with academia, the government and the commercial sector to produce mutually beneficial, high-impact research. …

Program guidelines and the online submission tool are available at www.hpl.hp.com/open_innovation/irp. Proposals will go through an extensive review process within HP Labs. Selected winners will be notified in late 2008.”

Disruption Looms For Financial Services

Posted in Database Security, General by Bill Nagel on May 6th, 2008 | No Comments
A new crop of financial services startups use social media tools like social lending and re-envisioned money management to enrich the experience around money management for consumers. As the quality of online financial services drives customer loyalty and advocacy, and customers of the major US banks are very active in social networks, marketers of financial institutions have a great opportunity to add community services to their portfolios. They should start with researching the needs and drivers of their target customers with ethnographic research and studying the adoption of services from the new entrants.

New HPL Technical Report: On Identity-aware Devices

Posted in Database Security, General by Research on Identity Management Blog on May 1st, 2008 | No Comments

A new HPL Technical report, “On Identity-aware Devices: Putting Users in Control across Federated Services”, has been recently published:

“This paper describes R&D work on "Identity-aware Devices", in the context of federated services. The aim is to put users in control of their credentials and identities and enable simple, secure, trustworthy and transparent access to federated services. Current users' experience in networked and federated services is difficult and painful, especially when using mobile devices (e.g. mobile phones, laptops, PDAs, etc.): users need to contact online service providers and authenticate against them; additional credentials might be issued and required to access services; credentials need to be stored in a safe and secure place. Users have little control over the release of their identity information and related processes. A solution to address these issues is presented, based on the concept of "Identity-aware Devices" and federated "Provisioning Services". "Identity-aware Devices" leverage trusted modules and are driven by policies and users' preferences. Part of this work has been carried out in the context of a Liberty Alliance initiative, in collaboration with BT and Intel teams, aiming at driving the next generation of interoperable identity solutions. A full working prototype has been developed and successfully demonstrated in a joint project. This is work in progress. Next steps and plans are presented and discussed.”

Authors: Casassa Mont, Marco; Balacheff, Boris; Rouault, Jason; Drozdzewski, Daniel

OAUG eLearning: Oracle Critical Patch Update April 2008

Posted in Database Security, General by Stephen Kost on April 30th, 2008 | No Comments

This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday. The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business Suite since multiple patches are required, with some being cumulative and others needing prerequisites. This eLearning session will focus on the April 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

Are Patients’ Medical Records at Risk?

Posted in Database Security, General by Research on Identity Management Blog on April 29th, 2008 | No Comments

I found a recent Wall Street Journal article, “Are Your Medical Records at Risk?” (by Sarah Rubenstein), very interesting. It provides good insights into the trade-offs the healthcare industry makes when weighing privacy against quality of care:

“When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself …”.

This article focuses on the US reality – but some of the points it raises can be of concern also in other countries …

Oracle lateral SQL injection

Posted in Database Security by Team on April 29th, 2008 | No Comments

Security researcher David Litchfield has released technical details of a new type of attack that could give a hacker access to an Oracle database, Computerworld reports.

Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday.

Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.

Litchfield’s attack targets the Procedural Language/SQL programming language used by Oracle developers.

A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft’s SQL Server database.

Litchfield wasn’t sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.

“If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code,” he said. “The sky is not falling … but it’s certainly something that people should be made aware of.”

Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands, he said.

Oracle did not return a call seeking comment.

From “Operational Identity Management” to “Identity Analytics”

Posted in Database Security, General by Research on Identity Management Blog on April 28th, 2008 | No Comments

Most current work in the space of Identity Management is around “operational” identity management, i.e. systems and solutions providing security control points to be deployed within an IT infrastructure.

In addition, IdM solutions in the space of “compliance management” will also have to come to terms with the current shift towards “risk management”, where decision makers/CISOs/CIOs are more and more heavily scrutinising their security investments and making their investment bets based on priorities and actual risks.

I believe that an important “next step” in the Identity Management space is going to be towards “Identity Analytics” and related “Identity Risk Management”.

Here are a few interesting research questions in the “Identity Analytics” space:

  • What are the basic principles that underpin and characterize an enterprise’s identity & privacy management processes (and related human behaviors) and their impact on organizations?
  • How to abstract them with models and ways to generate predictions (e.g. with simulation tools) that can be leveraged by decision makers/CISOs/CIOs?
  • How to enable decision makers/CISOs/CIOs to better understand (in advance) the impact and implications of their decisions in terms of security risks, costs and potential losses, impact on reputation, etc.?

SQL Injections, Lateral or Not

Posted in Database Security, General by Eric Maurice on April 28th, 2008 | No Comments

Hi, this is Eric Maurice again.

A number of publications recently reported on a “new way to hack Oracle databases.” These articles were in fact referring to a recently published paper by David Litchfield, titled “Lateral SQL Injection: A New Class of Vulnerability in Oracle”.

SQL Injections are a very well known class of attacks, which can affect virtually any relational database when no or insufficient input validation has been implemented.

In simple terms, SQL Injection attacks are designed to leverage improper coding of database-powered applications that, in the absence of proper input validation, allow a malicious attacker to insert string input into an application. In such a scenario, an attacker can “inject” or pass on harmful SQL commands, which will then be executed by the back-end database. The consequences of successful SQL Injections can be severe: an attacker could gain access to sensitive data, manipulate database information, and in some instances, change the structure of the database, deny legitimate access to it, or grant unauthorized privileges to himself or to others. Web applications are particularly at risk because, being exposed to the Internet, they often allow an attacker to perpetrate SQL injection attacks without being authenticated to the targeted database or application.

An important aspect of Oracle Software Security Assurance is sharing security information and recommended practices with customers so that they can optimize their security posture. We recently posted a SQL Injection tutorial online that demonstrates how to properly implement input validation controls and prevent this kind of attack.

In his paper, David explains that in certain circumstances, SQL Injections can also take place in procedures that are not intended to take user input. Note, however, that in such a scenario, setting up the attack requires that the attacker has previously been granted a database account with the necessary privileges. David concludes that it is doubtful that this kind of attack becomes “exploitable” in the “normal” sense.

While some may consider the topic of Lateral SQL Injections as mostly academic, and relevant only for the security researchers community, I think this paper has the merit of further raising the awareness of database administrators and programmers to SQL Injections. SANS and others have flagged this class of attacks as a primary threat for database-driven sites and applications. In my opinion, proper input validation constitutes a required security practice that needs to be extended to all functions and procedures, whether or not they are expected to take user input. Furthermore, as expressed in the SQL Injection training and in the Oracle documentation, bind variables should be used as much as possible.

As discussed above, SQL injection happens when a dynamic SQL statement is constructed from user input. In the case of the attack discussed in David’s paper, the dynamic SQL statement is being constructed from data stored in the database. The values are then being converted into character strings based on a template provided by the system. It is this template, as opposed to the stored value, that controls what will be injected.

When bind variables are properly used, the bind variable name is physically part of the SQL statement, but this bind variable is used as a reference to the rendered value. As a result, the rendered value is never interpreted directly as part of the SQL statement; therefore no SQL Injection can take place.

In some instances, like DDL operations where a database object needs to be constructed, Oracle administrators do not have the option of using a bind variable. In this instance, the DBMS_ASSERT package should be used to correctly handle the rendered value: ENQUOTE_LITERAL when it is going to be used as a literal, or ENQUOTE_NAME when it is going to be used as the name of a SQL object.

For more information, see the online tutorial Defending Against SQL Injection Attacks. Information on Oracle Software Security Assurance is available on Oracle.com.
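As an added PL/SQL example (not code from either of the two posts above, nor from Oracle's tutorial or Litchfield's paper), the following shows the pattern both posts describe: a procedure that takes no string input but builds dynamic SQL by concatenating a DATE, next to the hardened forms the post recommends (a bind variable, an explicit format mask with DBMS_ASSERT.ENQUOTE_LITERAL, and DBMS_ASSERT.ENQUOTE_NAME for the DDL case where no bind is possible). The table app_user, its rows and all procedure names are constructed for the example.

```sql
-- Constructed sample schema and data (not from the original posts).
CREATE TABLE app_user (
  user_id   NUMBER       NOT NULL,
  user_name VARCHAR2(30) NOT NULL,
  created   DATE         NOT NULL
);
INSERT INTO app_user VALUES (1, 'alice', DATE '2008-04-01');
INSERT INTO app_user VALUES (2, 'bob',   DATE '2007-11-15');
COMMIT;

-- UNSAFE: the DATE parameter is concatenated into the statement text.
-- The implicit DATE-to-string conversion performed by || follows the
-- session's NLS_DATE_FORMAT, so the literal that lands inside the SQL is
-- shaped by a session setting rather than by this code. That is the
-- "template provided by the system" the post refers to, and it is why the
-- procedure is unsafe even though it never takes a string from the user.
CREATE OR REPLACE PROCEDURE count_since_unsafe (p_since IN DATE, p_count OUT NUMBER) IS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_user WHERE created >= ''' || p_since || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_since_unsafe;
/

-- SAFE (queries and DML): bind the value. The statement text is a constant;
-- :since is a placeholder filled in at execution time and is never parsed
-- as part of the SQL, whatever the session's NLS settings are.
CREATE OR REPLACE PROCEDURE count_since (p_since IN DATE, p_count OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app_user WHERE created >= :since'
    INTO p_count
    USING p_since;
END count_since;
/

-- SAFE (legacy code where a literal must be spliced in): make the conversion
-- explicit with a fixed format mask and let DBMS_ASSERT quote the result, so
-- neither step depends on a session-controlled template.
CREATE OR REPLACE PROCEDURE count_since_literal (p_since IN DATE, p_count OUT NUMBER) IS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_user WHERE created >= TO_DATE('
        || DBMS_ASSERT.ENQUOTE_LITERAL(TO_CHAR(p_since, 'YYYY-MM-DD'))
        || ', ''YYYY-MM-DD'')';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_since_literal;
/

-- SAFE (DDL): object names cannot be bound, so the caller-supplied name is
-- validated and quoted by DBMS_ASSERT.ENQUOTE_NAME before it is spliced in.
-- An input that is not a valid identifier raises an error instead of being
-- executed as part of the statement.
CREATE OR REPLACE PROCEDURE create_archive_table (p_base_table IN VARCHAR2) IS
  l_name VARCHAR2(130);
BEGIN
  l_name := DBMS_ASSERT.ENQUOTE_NAME(p_base_table || '_ARCH');
  EXECUTE IMMEDIATE 'CREATE TABLE ' || l_name
                 || ' AS SELECT * FROM app_user WHERE 1 = 0';
END create_archive_table;
/

-- Usage on the constructed data: both safe query forms count 1 row
-- regardless of NLS_DATE_FORMAT; APP_USER_ARCH is created empty.
SET SERVEROUTPUT ON
DECLARE
  l_count NUMBER;
BEGIN
  count_since(DATE '2008-01-01', l_count);
  DBMS_OUTPUT.PUT_LINE('bound:   ' || l_count);
  count_since_literal(DATE '2008-01-01', l_count);
  DBMS_OUTPUT.PUT_LINE('literal: ' || l_count);
  create_archive_table('APP_USER');
END;
/
```

The point to take from the unsafe procedure is the review rule the post states: a procedure with no VARCHAR2 parameter is still dynamic-SQL code if it concatenates any value into a statement, and a code review for injection should cover it. Both hardened query forms remove the dependency on session NLS state; the bind form is the one to prefer wherever the statement allows it.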

Chip’s Blog - Massive SQL Injection Attack Targets Websites Using SQL Server

Posted in Database Security, General by Chip Andrews on April 25th, 2008 | No Comments
Looks like another mass SQL Injection attack is making the rounds. The attackers likely used Google...

Re-Architecting The Infrastructure For Data-Centric Security

Posted in Database Security, General by Bill Nagel on April 24th, 2008 | No Comments
Companies are adopting a more data-centric approach to security, but they're finding that some protection still needs to reside in the infrastructure. Infrastructure-centric measures ease the transition from today's largely infrastructure-based security model to tomorrow's more data-centric vision and provide permanent measures to protect the infrastructure itself. To enable data-centric security, organizations will redeploy existing measures like firewalls and virtual private networks (VPNs), as well as implement new technologies, like virtual desktop infrastructures.

Adopting A Simple, Business-Oriented Information Risk Assessment Methodology

Posted in Database Security, General by Bill Nagel on April 24th, 2008 | No Comments
Security and risk management professionals need to create a structured way of involving the business in the information risk management process. This presentation provides some basic tools for the business to provide input into the risk assessment process through a series of structured questions and answers that can help identify the biggest information risks to your organization.

Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Posted in Database Security, General by Stephen Kost on April 23rd, 2008 | No Comments

Oracle released the fourteenth Critical Patch Update (CPU) last week. This quarter is the same as the previous thirteen, with many patches and long hours required to get all the security patches applied in a timely manner. Around 20 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately, as in the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i this quarter.

Integrigy discovered 8 of the 11 Oracle E-Business Suite vulnerabilities, which were reported to Oracle in November 2007.

This quarter does have a higher than average number of database vulnerabilities that can be exploited by low-privileged database accounts, although even if it were just one vulnerability the database security patch should still be a priority.

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle Critical Patch Update - April 2008 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session on Thursday, May 1 giving additional information on the CPU and its impact on your Oracle Applications implementation. OAUG members can sign up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

Announcing ACSAC 2008

Posted in Database Security, General by Research on Identity Management Blog on April 22nd, 2008 | No Comments

This community might be interested in knowing that the Call for Papers for the 24th Annual Computer Security Applications Conference (ACSAC 2008) is now available online – the submission deadline is June 1st:

“ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Papers offering novel contributions in any aspect of computer and application security are solicited. Papers may present technique, applications, or practical experience, or theory that has a clear practical impact. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application.

Topics of interest include, but are not limited to:

- Access control
- Applied cryptography
- Audit and audit reduction
- Biometrics
- Boundary control devices
- Certification and accreditation
- Database security
- Defensive information warfare
- Denial of service protection
- Distributed systems security
- Electronic commerce security
- Enterprise security
- Forensics
- Identification and authentication
- Identity management
- Incident response planning
- Information survivability
- Insider threat protection
- Integrity
- Intellectual property rights protection
- Intrusion detection
- Malware
- Mobile and wireless security
- Multimedia security
- Operating systems security
- Peer-to-peer security
- Privacy and data protection
- Product evaluation criteria and compliance
- Risk/vulnerability assessment
- Secure location services
- Security engineering and management
- Security in IT outsourcing
- Service Oriented Architectures
- Software assurance
- Trust management
- Virtualization security
- VoIP security”

Industrial Control System Security

Posted in Database Security, General by Bill Nagel on April 22nd, 2008 | No Comments
As digital industrial control systems (ICS) become increasingly interconnected both with each other and with enterprise information technology infrastructures, the risks of unauthorized access to and manipulation of these systems become unacceptably high. Because ICS are frequently central to critical infrastructure systems, such as electricity distribution, oil and gas production, and transportation systems, federal regulators have begun mandating cyber security requirements for them. For example, the Federal Energy Regulatory Commission (FERC) has mandated eight Critical Infrastructure Protection (CIP) standards for electricity distributors. Cyber security standards for ICS are still in the early stages of development, but there are publications to guide security and risk professionals in both developing such standards and implementing ICS cyber security controls in the interim.

NFC Technology Is Revitalizing Mobile Payments

Posted in Database Security, General by Bill Nagel on April 22nd, 2008 | No Comments
Mobile contactless systems based on Near Field Communication (NFC) offer a much faster way to initiate payments with a mobile phone than SMS or other mobile network-based technologies, providing a clear improvement over earlier mobile payment systems. Mobile contactless systems, like Japan's Osaifu-Keitai, will generate plenty of interest and hype over the next five years. But technology isn't the main barrier to wider mobile payment adoption in developed markets. Mobile contactless payment systems based on the NFC standard face many of the same adoption hurdles as other new payment systems. Product managers at mobile operators, banks, and payment networks will need to collaborate to overcome hurdles like application setup and merchant acceptance and to develop a clear business case.

Chip’s Blog - New Priv Escalation Security Vulnerability (951306) Affects SQL Server

Posted in Database Security, General by Chip Andrews on April 19th, 2008 | No Comments
Applications that allow users to run code in an authenticated context (IIS, SQL Server) could be at ...

Integrigy COLLABORATE 08 Presentations On-line

Posted in Database Security, General by Stephen Kost on April 18th, 2008 | No Comments
The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations.  The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.

I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session.  I guess security is really starting to become ingrained at many organizations.  I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.

The PowerPoint presentations from my 3 sessions can be downloaded here -

Oracle Applications Users Group (OAUG)
- Oracle E-Business Suite Critical Patch Updates: Insight and Understanding

Independent Oracle Users Group (IOUG)
- Oracle Database Critical Patch Updates: Unwrapped
- Real-life Database Security Mistakes

Direct Marketing Needs A Green Wake-Up Call

Posted in Database Security, General by Bill Nagel on April 18th, 2008 | No Comments
Consumer concern for the environment has risen considerably over the past few years. Consumers consider not only their own practices but also the actions of companies with which they interact. Piles of unread catalogs and credit card offers make direct marketing an easy target for criticism. To understand how direct marketers are affected by green concerns, we surveyed 55 direct marketers about their current practices. We found that most largely neglect green issues and rarely consider their environmental impact. And yet, as lawmakers consider legislation to cut down on direct mail, direct marketers want to self-regulate.

Checklist For Data Center Site Selection

Posted in Database Security, General by Bill Nagel on April 17th, 2008 | No Comments
We receive numerous client inquiries from infrastructure and operations professionals who are considering building new data centers or leasing space from collocation providers. There are many architectural considerations when designing a new data center, but selecting the appropriate site is among the most critical. The right site can reduce the number of threats to your uptime and control the costs of real estate, power, and labor. This checklist is meant to help you understand the most important selection criteria to consider when evaluating potential data center sites.

Critical Patch Update - April 2008

Posted in Database Security, General by Oracle Security Alerts on April 15th, 2008 | No Comments

Liberty Alliance’s Privacy Summits

Posted in Database Security, General by Research on Identity Management Blog on April 15th, 2008 | No Comments

A recent press release issued by Liberty Alliance announced the first of three webcasts from its 2008 Privacy in Perspective series:

“Taking place at 8:00am US PT (3:00 UTC) on Wednesday, April 16, the public event is hosted by Robin Wilton, Corporate Architect for Federated Identity, Sun Microsystems and co-chair of the Liberty Alliance Public Policy Group. The webcast will review findings and next steps from the ongoing series of global Liberty Alliance privacy summits held so far in Basel, Berlin, Brussels, London and Washington DC.

The Liberty Alliance privacy summits bring privacy stakeholders from the global commercial, academic, legal and public sectors together to address privacy concerns and discuss possible solutions," said Wilton. "The April 16 webcast will showcase lessons learned during the summits to help organizations remove obstacles to a productive, multi-stakeholder discussion about privacy issues."”

The registration site for this privacy summit is available here.

Published findings from previous Liberty Alliance’s Privacy Summits are available here.

April 2008 Critical Patch Update Released

Posted in Database Security, General by Eric Maurice on April 15th, 2008 | No Comments

Hello, this is Eric Maurice!

Oracle today released the April 2008 Critical Patch Update (CPUApr2008).  This Critical Patch Update (CPU) addresses a total of 41 vulnerabilities affecting Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.  Fifteen of these vulnerabilities are specific to Oracle Database Server (an additional two affect Oracle Application Express).  Note however that a number of these Database Server vulnerabilities affect optional Database Server components, and only one of them is remotely exploitable without authentication.

While none of the Oracle Database Server fixes requires patching database client-only installations, this CPU includes one fix for Oracle Application Server client-only installations.  As with the previously released January 2008 CPU, this CPU includes an Application Server client fix to address a vulnerability affecting JInitiator, a web browser extension that enables end users to run Oracle Forms Services applications within their browser.  This vulnerability only affects version 1.3.1.14 and earlier versions of JInitiator.  Just like the previously fixed JInitiator vulnerabilities, this vulnerability has a CVSS score of 9.3 because it could allow an attacker to gain full control of the targeted client (e.g. workstation) at the operating system level, but it cannot result in a compromise of the server component.

This fourteenth CPU also marks another milestone!  For the first time, the CPU includes fixes for Oracle's Siebel CRM Applications.  As a matter of policy, Oracle tries to synchronize the release of the security patches of acquired product lines with the CPUs, and ultimately ensure that new product lines join the CPU process (in the way that PeopleSoft, JD Edwards, and now Siebel have).

The CPU fixes for Siebel CRM Applications will be cumulative for the product line to which they apply (there are currently four supported product lines).  This will allow customers who have previously skipped security patches to quickly catch up by applying the most current CPU.

The inclusion of Siebel Enterprise products in the CPU process provides former Siebel customers with a number of benefits.  Under the Siebel model, security fixes were typically included, along with non-security fixes, in the "Fix Packs".  The most significant vulnerabilities could also be fixed with dedicated ad hoc (unscheduled and non-cumulative) fixes.  The inclusion of Siebel Enterprise products in the CPU process therefore gives customers better visibility of security fixes.  In addition, customers benefit from the predictability of the CPU schedule, which can reduce the cost of security management in their environment.

The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts.  Oracle Technology Network also hosts additional information about Oracle's implementation of the CVSS 2.0 standard and a glossary of the terms used in the Risk Matrices in the CPU Advisory.  The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources.

 

Investors Don’t Understand The Importance Of Online Advice Tools

Posted in Database Security, General by Bill Nagel on April 15th, 2008 | No Comments
With many financial services firms looking to build online advice tools, it's important to understand consumer appetite for them. To help eBusiness professionals, we asked online investors in seven European countries which online investment tools or features they consider important — and which ones they currently use. When it comes to online retirement and investment planning advice tools, it is clear that consumers don't understand their value. eBusiness executives need to build effective online advice tools and show people how the tools can help them achieve their financial goals.

Critical Patch Update April 2008 Pre-Release Analysis

Posted in Database Security, General by Stephen Kost on April 14th, 2008 | No Comments
Here is a brief analysis of the pre-release announcement for the upcoming April 2008 Oracle Critical Patch Update (CPU) -

  • Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • This is the first CPU that includes fixes for Siebel.
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU-supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
    • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
    • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
    • E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
  • The major CPU version support changes for April 2008 are -
    • Database version 10.2.0.2 is only supported for Solaris x86 and VMS
    • Oracle E-Business Suite 11i will require ATG RUP5 or RUP6
  • Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request.  According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU.  For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

  Oracle Database
    • There are 17 database vulnerabilities and two are remotely exploitable without authentication.  Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
    • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
    • According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris x86 and VMS.

  Oracle Application Server
    • There are 3 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication.  Two impact the Oracle Application Server components Oracle Dynamic Monitoring Service and Oracle Portal.  The third vulnerability is in Oracle JInitiator, which is a client-installed product.

  Oracle E-Business Suite 11i and R12
    • 7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.

  Planning Impact
    • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

    Note: The pre-release announcement is removed when the CPU is released.
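The analysis above tells administrators to check two things before patch day: whether each installed version is still on the CPU-supported list (a version upgrade is needed first if not), and whether their platform/version combination falls under the "On Request" policy. The script below is an added example, not the analysis author's or Oracle's tooling, that runs that check over an inventory. The supported versions and the 10.2.0.2 platform exception are taken from the list above; the hostnames, platforms and the single "On Request" triple are constructed placeholders, since the page says several 10.1.0.5 platforms are "On Request" without naming them. Trailing ".x" versions from the list are handled as prefixes, so 11.5.10.2 counts as 11.5.10.x.

```python
"""Checks an Oracle inventory against the April 2008 CPU supported-version list
(added example; not Oracle's or the analysis author's tooling)."""

# Supported versions as listed in the pre-release analysis. Entries given as
# '11.5.10.x' and '12.0.x' on the page are stored as prefixes.
SUPPORTED = {
    "Database": ("9.2.0.8", "10.1.0.5", "10.2.0.3", "11.1.0.6"),
    "Application Server": ("9.0.4.3", "10.1.2", "10.1.3"),
    "E-Business Suite": ("11.5.9", "11.5.10", "12.0"),
}

# Exception from the analysis: 10.2.0.2 is supported only on these platforms.
PLATFORM_ONLY = {("Database", "10.2.0.2"): ("Solaris x86", "VMS")}


def parse_version(version: str) -> tuple:
    """'10.1.2.3' -> (10, 1, 2, 3); numeric tuples compare component-wise."""
    return tuple(int(p) for p in version.split("."))


def matches(installed: str, supported: str) -> bool:
    """Prefix match on numeric components: '10.1.2' matches '10.1.2.0', not '10.1.20'."""
    i, s = parse_version(installed), parse_version(supported)
    return i[:len(s)] == s


def cpu_status(product: str, version: str, platform: str, on_request=frozenset()) -> str:
    """Classify one installation as 'upgrade required', 'supported', or
    'supported (patch on request)'. on_request holds (product, version, platform)
    triples copied from the CPU note's 'Planned Patches for Next CPU Release' section."""
    supported = any(matches(version, s) for s in SUPPORTED.get(product, ()))
    for (p, v), platforms in PLATFORM_ONLY.items():
        if p == product and matches(version, v) and platform in platforms:
            supported = True
    if not supported:
        return "upgrade required"
    if (product, version, platform) in on_request:
        return "supported (patch on request)"
    return "supported"


def audit(inventory, on_request=frozenset()):
    """Return [(host, status), ...] for an inventory of (host, product, version, platform)."""
    return [(host, cpu_status(product, version, platform, on_request))
            for host, product, version, platform in inventory]


# Constructed inventory: hostnames and platforms are placeholders, not real systems.
INVENTORY = [
    ("db-prod-01", "Database", "10.2.0.3", "Linux x86-64"),
    ("db-prod-02", "Database", "10.2.0.2", "Solaris x86"),
    ("db-legacy-01", "Database", "10.2.0.2", "Linux x86"),
    ("db-hr-01", "Database", "10.1.0.5", "HP-UX"),
    ("as-portal-01", "Application Server", "10.1.2.3", "Linux x86"),
    ("ebs-fin-01", "E-Business Suite", "11.5.10.2", "Linux x86"),
    ("ebs-old-01", "E-Business Suite", "11.5.8", "Linux x86"),
]
# Placeholder: the page says some 10.1.0.5 platforms are "On Request" but does not
# name them, so this triple is illustrative only; fill it from the actual CPU note.
ON_REQUEST = frozenset({("Database", "10.1.0.5", "HP-UX")})

if __name__ == "__main__":
    for host, status in audit(INVENTORY, ON_REQUEST):
        print(f"{host:14} {status}")
```

Systems reported as "upgrade required" need a version upgrade before the CPU patch can be applied at all, and those marked "patch on request" need the patch requested from Oracle ahead of the planned patch window, both of which affect the timing the analysis asks you to plan for.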

“Hundreds of Oracle Products”

Posted in Database Security, General by Stephen Kost on April 14th, 2008 | No Comments
In the Oracle pre-release announcement for the April 2008 Critical Patch Update, one line in particular did catch my attention. I know Oracle has purchased many companies in the past few years.  So how many products does Oracle have?  Well, the CPU pre-release announcement states that --

"This Critical Patch Update contains 41 security fixes across hundreds of Oracle products."

I am assuming every Oracle E-Business Suite module counts as a separate product and potentially every database component, so there would be several hundred.  I wonder if Oracle has an official count of products somewhere.  There are 642 products listed in the Bug Search in Metalink.

Just something to think about when you are reviewing a CPU as it includes fixes for over 600 Oracle products.