
July 2006 Archives

July 7, 2006

The Security Vulnerability Disclosure Debate (Part 1)

Hello, my name is Eric Maurice. I am a Manager for Security in Oracle's Global Technology Business Unit. I assist the Office of the Chief Security Officer with the definition of Oracle's product security strategy and vulnerability and incident responses procedures.

There are a lot of discussions in the security industry about how to best handle vulnerability disclosures and patch issuance in commercial software. I thought this blog would be a good opportunity to have a high-level discussion about the various approaches to vulnerability disclosure throughout the industry and briefly introduce Oracle's practice in this area.

It is not a surprise to find that there is a wide range of opinions about what constitutes an appropriate policy for the disclosure of security vulnerabilities. Opinions really range between two extremes: from full disclosure (typically favored in the open source community) to no disclosure at all!

Proponents of the full disclosure approach believe vulnerabilities should be disclosed as soon as they are discovered. The problem with full, immediate, unrestricted disclosure is that it can expose vulnerable environments to attacks. Such attacks can potentially result in serious break-ins and catastrophic economic impacts, as proven by the various malware outbreaks of the past few years.

The challenge for software vendors is that, in addition to having sound secure development practices, they need to disclose vulnerabilities and issue patches in order to make sure that their customers' environments remain secure. Yet a vendor's disclosure of the existence of a security vulnerability in its product can also lead to an undue level of attention from potential attackers. For example, recent events have shown again that, shortly after the disclosure of the existence of software vulnerabilities in conjunction with the release of the appropriate security patches, exploit code was available for download on the Internet and exploit methods were discussed on public hacking sites. One shouldn't be surprised that attack code is created even when the vendor of the affected product has addressed the vulnerability by issuing a patch. This is because attackers are very aware that a significant amount of time can elapse between the availability of a security patch and its application by users. This "time to patch" delay is made worse in large desktop environments, or when the patch has to be applied to a business-critical server application.

What would happen if a vulnerability disclosure took place before a patch or workaround was available?

Early disclosure (prior to patch availability) gives attackers the ability to quickly develop exploits while systems are most vulnerable, because no patch or workaround is available. In other words, the early disclosure of an exploitable vulnerability would amount to providing malicious attackers with both a technical opportunity and much of the required knowledge to execute attacks with a high probability of success.

July 18, 2006

July 2006 Critical Patch Update Released

Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.


Today, Oracle released its seventh Critical Patch Update (CPUJul2006).  As previously introduced by Darius Wiles in his blog entry in April, the Critical Patch Update Process, initiated in early 2005, provides for Oracle to release patches for all of its products on a quarterly basis. 


The Critical Patch Update Process is part of Oracle's Software Security Assurance, a comprehensive program which reflects Oracle's ongoing commitment to security for all its products in all phases of development and support.  Did you know, for example, that every day we run hundreds of thousands of various tests against Oracle's products?  The results of these tests often contribute to enhancing our development best practices (Oracle's Secure Coding Standards), which are enforced across our entire development organization.


Today's Critical Patch Update includes sixty-five new fixes for various versions of Oracle Database, Database Client, Application Server, Collaboration Suite, E-Business Suite and Applications, Enterprise Management, JD Edwards and PeopleSoft.  Siebel has not yet been migrated into the Critical Patch Update Process, but we expect Siebel will be included in the next patch update on October 17, 2006.


It is worth mentioning that this Critical Patch Update also introduces changes to the documentation structure for Oracle Server Technology products; namely, the Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle Enterprise Manager Grid Control.


Previously, Critical Patch Update advisories linked to Pre-Installation Notes (PINs) for each product suite.  Each PIN listed the patch or patches that were required for each combination of product version and operating system, and the known issues for all patches.


Starting with today's Critical Patch Update, the patch lists for the Oracle Server Technology products will be consolidated into a single document called the "Critical Patch Update Availability for Oracle Server and Middleware Products".  The known issues have been moved into the README files that are bundled in the patches. Each README file only contains information relevant to the patch in which it is bundled; e.g., the Oracle Database 10.2.0.2 for Linux README only contains information relevant to the Oracle Database 10.2.0.2 for Linux patch.


This change was introduced to make it easier to access information that is relevant to a specific product version and operating system.  MetaLink Note 372928.1 (a subscription to MetaLink is required to access this document) provides a roadmap to the Oracle Critical Patch Update July 2006 documentation.


As usual, detailed information about the vulnerabilities addressed in this Critical Patch Update can be found on the Risk Matrices available with the CPU advisory on Oracle Technology Network at http://www.oracle.com/technology/deploy/security/alerts.htm


Timely patch application is a critical component of good security management practices, regardless of platform and technical environment.  Some time ago, Oracle posted a good white paper titled "Learn Critical Patch Update Implementation Best Practices" on http://www.oracle.com/security/index.html under the "Learn More" section.  This technical white paper provides tips and guidelines for IT staff specifically as they relate to the planning and implementation of updates in an Oracle environment.  This white paper is a good starting point for those who are new to Oracle's Critical Patch Update process or have questions about how best to update their Oracle systems.

About July 2006

This page contains all entries posted to The Oracle Global Product Security Blog in July 2006. They are listed from oldest to newest.
