Oracle Critical Patch Update Risk Matrix & CVSS
Hi Larry! This is Eric Maurice of Oracle.

An important document for Oracle customers, the Critical Patch Update (CPU) Advisory lists vulnerabilities addressed in the CPU as well as provides other information related to the patches (affected platforms, technical requirements, place to download the patchsets, etc.). It is important to note that the CPUs address vulnerabilities across many Oracle products including database server, application server, business applications, etc.

The risk matrices in the advisory are designed to provide the necessary information for customers to assess the severity of each new vulnerability addressed in the CPU without disclosing technical information that could help a malicious attacker develop exploit code for these vulnerabilities.

The risk matrices list the vulnerabilities in order of severity (most severe first), and then provide the following for each vulnerability:
1) Information about the affected component
2) Affected protocol
3) Package or privilege required
4) Whether the vulnerability is remotely exploitable without authentication (to the targeted system)
5) The CVSS 2.0 Base Score
6) The CVSS 2.0 values for Access Vector, Access Complexity, Authentication, and the CVSS 2.0 impact values for Confidentiality, Integrity, and Availability
7) Lastly, the last affected patch set (affected supported release information)

Oracle was one of the first software vendors to adopt the Common Vulnerability Scoring System (CVSS) standard to disclose the severity of the vulnerabilities in its products (in October 2006 we introduced the use of CVSS in the CPU documentation. At the time, version 1.0 of the standard was used). The adoption of CVSS came as a result of customers' feedback: we moved from a proprietary reporting scheme to a well-recognized and extensively documented standard. The complete documentation for CVSS 2.0 is available online at http://www.first.org/cvss/cvss-guide.html. Oracle also recorded a short webcast explaining how to interpret the risk matrices; this webcast is available on http://www.oracle.com/pls/ebn/live_viewer.main?p_direct=yes&p_shows_id=5041060. A few months ago, I also previously posted a blog series discussing how the CVSS scoring system works. The first entry of this series is available at http://blogs.oracle.com/security/2007/11/02#a157.

I think that --to a large extent-- many critics of the CPU risk matrices do not fully understand the CVSS standard, hence the confusion. Shouldn't a vendor be commended for its use of a standard severity scoring system instead of using a proprietary system? Enterprise customers have to deal with patching heterogeneous environments, and the feedback we received from customers is that the use of CVSS results in simplifying their analysis (as opposed to trying to interpret each vendors' proprietary vulnerability documentation).
Posted by: eric.maurice@...   Posted on: 04/16/08