
January 2007 Critical Patch Update Released

Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.

Today, Oracle released its ninth Critical Patch Update (CPUJan2007). The January Critical Patch Update (CPU) addresses a total of 51 vulnerabilities affecting Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.

Our Critical Patch Update Pre-Release Announcement stated that 52 fixes would be issued in today's CPU. However, an issue was detected with one of the database fixes on a number of database versions. Per our policy, which is intended to ensure that all customers have an equal security posture regardless of the version they run, we removed that fix from the January CPU rather than ship it for only some versions. We are working to resolve the issue so that the fix can be released for all supported database versions with the next CPU in April (CPUApr2007).

This is the second time that Oracle has published the Common Vulnerability Scoring System (CVSS) scores of the vulnerabilities fixed in a CPU. Our use of CVSS has generated a lot of support from customers and genuine interest from the industry. A positive industry development was Cisco's recent commitment to publish the CVSS scores of its vulnerabilities in its advisories. We also received a number of questions concerning how Oracle's security team computes the base metric scores. Darius Wiles, in a previous blog entry, discussed Oracle's implementation of CVSS, including the use of the Partial+ rating to provide additional information beyond the standard Partial impact value.

It may also surprise a few of you (and avid CPU documentation readers) that seven of the security flaws addressed in this CPU have a CVSS base metric score of zero. This is because we believe these vulnerabilities are not exploitable in a default database environment (as provided by Oracle "out of the box"): in that configuration there is no impact on confidentiality, integrity or availability, and the base equation therefore yields zero. They are fixed nonetheless because code that runs the affected programs as a privileged user (for example, custom code developed by customers that passes input from an untrusted source to them) may be exploitable. In particular, such a path may allow malicious code to be run with administrative privileges, which is why we recommend applying these fixes even where the default configuration is unaffected. The CVSS guide available online is an excellent source of information for understanding how CVSS scores are computed. The section on blended threats in Oracle's guide on the implementation of CVSS is also relevant to vulnerabilities with a CVSS base metric score of zero.
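To make the "score of zero" point concrete, here is an added example (written for this page, not Oracle's own scoring tool) that implements the CVSS version 1 base-score equation, the CVSS version in use when this CPU was published. It uses the weights from the public CVSS v1 guide. Two assumptions are built in: the "P+" entry treats Oracle's Partial+ rating as carrying the numeric Partial weight, and the sample vectors at the bottom are constructed for illustration only, not taken from any CPUJan2007 vulnerability. Running it shows why a flaw with no impact in the default configuration scores zero, and what the same access metrics yield once a privileged custom wrapper turns "no impact" into partial impact on all three properties.

```python
"""CVSS v1 base-score calculator (the CVSS version current in January 2007).

Added example for this page; not code from the original post or from Oracle.
Weights are the CVSS v1 base-metric values from the public CVSS guide.
ASSUMPTION: Oracle's "Partial+" label ("P+") is scored with the Partial weight.
ASSUMPTION: the sample vectors in demo() are constructed, not real CPU entries.
"""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.7, "R": 1.0}            # local / remote
ACCESS_COMPLEXITY = {"H": 0.8, "L": 1.0}        # high / low
AUTHENTICATION = {"R": 0.6, "N": 1.0}           # required / not required
IMPACT = {"N": 0.0, "P": 0.7, "P+": 0.7, "C": 1.0}  # none / partial / Partial+ / complete

# Impact bias weights as (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "N": (0.333, 0.333, 0.333),  # normal: all three weighted equally
    "C": (0.5, 0.25, 0.25),      # confidentiality weighted
    "I": (0.25, 0.5, 0.25),      # integrity weighted
    "A": (0.25, 0.25, 0.5),      # availability weighted
}


def cvss1_base_score(av, ac, au, conf, integ, avail, bias="N"):
    """CVSS v1: 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded to 0.1."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    # Round half up to one decimal, as the CVSS guide does; Decimal avoids
    # surprises from Python's banker's rounding on floats.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def demo():
    """Constructed vectors showing how a zero score arises and how it changes
    once the affected program is reachable through a privileged custom wrapper."""
    # Default configuration: reachable only by an authenticated user, but no
    # confidentiality/integrity/availability impact -> base score 0.0.
    default_config = cvss1_base_score("R", "L", "R", "N", "N", "N")
    # Same access metrics, but a customer's definer's-rights code forwards
    # untrusted input to the affected program: partial impact on all three.
    via_custom_wrapper = cvss1_base_score("R", "L", "R", "P+", "P+", "P+")
    return default_config, via_custom_wrapper


if __name__ == "__main__":
    zero, wrapped = demo()
    print(f"default configuration: {zero}")      # 0.0
    print(f"via privileged wrapper: {wrapped}")  # 4.2
```

The zero comes entirely from the impact term: with all three impacts at None the product is zero whatever the access metrics are, which is exactly the situation described above for the seven default-configuration issues. Change only the impact values and the same access metrics produce a non-zero score, so the practical check for readers is whether any custom privileged code on their systems passes untrusted input to the affected programs.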

Our next CPU will be released on April 17, 2007. As usual, we highly recommend that customers apply all patches promptly. The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU as well as previous CPUs and Security Alerts. The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources, including security guides, how-to guides and recorded technical presentations.


This entry was posted on January 16, 2007 6:02 PM.
