
November 2007 Archives

November 2, 2007

Understanding the Common Vulnerability Scoring System (CVSS): Part 1

Hi, this is Eric Maurice again!

Following the release of the October CPU (CPUOCT2007), it became clear that there was still a certain level of confusion and misunderstanding about CVSS and how it was implemented by Oracle.  Given this situation, I thought it might be helpful to further talk about CVSS, and specifically, the vulnerability scoring methodology implemented in the standard.


 


The Common Vulnerability Scoring System (CVSS), initially announced in February 2005 on the U.S. Department of Homeland Security's web site, is designed to "provide open and universally standard severity ratings of software vulnerabilities".  Oracle was one of the first software vendors to adopt CVSS to provide a standard-based indication of the severity of the vulnerabilities fixed in its products.  Oracle has provided CVSS Base Scores in the risk matrices of the CPU documentation since the October 2006 Critical Patch Update (CPUOct2006).  In June 2007, FIRST (Forum of Incident Response and Security Teams) published the second version of the standard, CVSS 2.0, which was implemented by Oracle with the October 2007 Critical Patch Update (CPUOct2007).  Note that in this discussion, we will address the new CVSS 2.0 Scoring System unless otherwise noted.

Since Oracle implemented CVSS, we periodically receive questions about how the CVSS base metric scores are calculated.  Specifically, some people find it surprising that vulnerabilities deemed to be particularly critical receive a CVSS base score between 6.5 and 7.5 out of an absolute scale of 10.0.  Understanding the CVSS scoring system requires going back to the objectives of CVSS, and understanding the formulas behind the scores themselves.  In the first part of this blog series, we will be discussing the objectives of CVSS and how they affected the scoring of vulnerabilities.

The CVSS web site states that the objective of CVSS is to provide a severity rating for all software vulnerabilities.

This means that CVSS is designed to provide a numeric value (the score) indicative of the relative criticality of a given vulnerability regardless of the type of software it affects, whether it is an Operating System, antivirus, database, mail server, desktop or business application, etc.  As a result of this wide scope of applicability, the standard is intentionally designed to require a complete compromise at the Operating System layer for a given vulnerability to be given a base score of 10.0.  In other words, a vulnerability with a CVSS Base Score of 10.0 typically signifies a complete compromise of the system, which typically results in giving the attacker full control, including administrative or "root" privileges at the OS layer.  An example of the impact of such a vulnerability in a third-party product is reported on the National Vulnerability Database as "The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Due to the nature of Oracle bugs, vulnerabilities that could result in a complete compromise of the underlying server are rather rare.  In fact, since CVSS scoring was implemented by Oracle, the highest-ever CVSS Base Score assigned by Oracle to a vulnerability addressed in a CPU would have been 7.5 if it had been scored under the CVSS 1.0 scoring system.  Note however that CVSS deals with single vulnerabilities, and does not completely account for "blended threats", that is, the combination of attack methods/vectors that could ultimately result in such a very extensive compromise.  It is therefore very important for organizations to patch all vulnerabilities as soon as possible, as leveraging various vulnerabilities across IT layers may result in a more complete compromise of the targeted system.

The CVSS system includes three types of score: Base, Temporal and Environmental.  Each is designed to measure different attributes of the vulnerability.  Oracle provides the "Base Score" in the CPU documentation.  It is characterized by the following aspects:

- The Base Score is specific to a given vulnerability.

- It does not change over time.  This is where the "Temporal Metrics" come into play to measure, for example, additional exposure resulting from the availability of exploit code.

- It is not specific to a customer's technical IT environment.  This is where the "Environmental Metrics" come into play, to measure, for example, the likelihood of collateral damage to other systems and applications.

The CVSS documentation states that computing the Temporal and Environmental Metrics scores is optional.  While computing all three scores can provide a granular risk rating (specific to a given vulnerability in a specific environment at one point in time), most customers find this process to be too cumbersome, and they rely exclusively on the Base Score to assess the criticality of vulnerabilities and the priority given to patching them.

Next week, we will be looking into more details on how the Base Score is computed using the "Base Equation" of CVSS.

For more information, see:

- Oracle MetaLink Note 394487.1 (subscription to MetaLink required) explains Oracle's implementation of the CVSS standard.

- Oracle MetaLink Note 394486.1 (subscription to MetaLink required) provides a detailed explanation of Oracle's risk matrices.

- The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about previously released CPUs and Security Alerts.

- The Guide to the Common Vulnerability Scoring System version 2.0 is available online, and it includes the scoring formulas set forth by the standard.


November 7, 2007

Understanding the Common Vulnerability Scoring System (CVSS): Part 2

Hi, this is Eric Maurice again! Last week, we discussed the objectives of CVSS and how they impacted the scoring philosophy of the standard.  Today, we are going to take a closer look at the formula vendors use to compute CVSS Base Scores.

The CVSS Base Score is computed from six criteria, known collectively as the "Base Metrics", representing "the most fundamental, immutable qualities of a vulnerability".  These criteria are:

1. Access Vector.  This measures "how remote an attacker can be to attack a target".  The possible Access Vector values are Local, Adjacent Network, and Network;

2. Access Complexity.  This measures "the complexity of attack required to exploit the vulnerability once an attacker has gained access to the target system".  The possible Access Complexity values are High, Medium and Low;

3. Authentication.  This measures "the number of times an attacker must authenticate to the target system in order to exploit the vulnerability".  The possible Authentication values are Multiple, Single, and None;

4. Confidentiality Impact.  This measures "the impact on confidentiality of a successful exploit of the vulnerability on the target system", that is to say, improper information disclosure.  The possible Confidentiality Impact values are None, Partial, and Complete;

5. Integrity Impact.  This measures "the impact on integrity of a successful exploit of the vulnerability on the target system", that is to say, data corruption.  The possible Integrity Impact values are None, Partial, and Complete;

6. Availability Impact.  This measures "the impact on availability of a successful exploit of the vulnerability on the target system", that is to say, denial of service.  The possible Availability Impact values are None, Partial, and Complete.

A numerical value is assigned to each of the three possible answers for each of the six criteria.  Then a formula, known as the "Base Equation", is used to assign weight to each of the criteria, combine the weighted values, and derive the Base Score.  The application of the Base Equation yields a maximum score of 7.5 for vulnerabilities typically found in Oracle products (it would be extraordinary if an Oracle security bug were to result in a complete compromise of the underlying operating system).  Note that the National Vulnerability Database considers CVSS scores between 7.0 and 10.0 to be "high".

The National Institute of Standards and Technology (NIST) hosts a CVSS 2.0 calculator online.  This neat utility provides the ability to compute the score without manually dealing with the Base, Temporal, or Environmental equations.  Let's take one of the vulnerabilities addressed in the October 2007 CPU (CPUOct2007); the vulnerability DB01 had the following particularities:

- Exploitability Metrics:
  o Related exploit range (AccessVector): Network
  o Attack complexity (AccessComplexity): Low
  o Level of authentication needed (Authentication): Single Instance

- Impact Metrics:
  o Confidentiality impact (ConfImpact): Partial
  o Integrity impact (IntegImpact): Partial
  o Availability impact (AvailImpact): Partial

When entering these values, the calculator provides the score of 6.5 as reported in the CPU documentation.

Oracle quickly realized some limitations of the CVSS base scoring system.  One is that CVSS does not distinguish between, for example, the disclosure of only a single database record and the disclosure of all data in a database.  Oracle therefore introduced the "Partial+" rating to denote the rare situations where the impact of the vulnerability is widespread, whereas Partial denotes only a limited impact.  Note that Oracle uses the Partial numeric value assigned by CVSS for both Partial and Partial+, so that Oracle does not deviate from the standard.

For more information, see:

- Oracle MetaLink Note 394487.1 (subscription to MetaLink required) explains Oracle's implementation of the CVSS standard.

- Oracle MetaLink Note 394486.1 (subscription to MetaLink required) provides a detailed explanation of Oracle's risk matrices.

- The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about previously released CPUs and Security Alerts.

- The Guide to the Common Vulnerability Scoring System version 2.0 is available online, and it includes the scoring formulas set forth by the standard.


About November 2007

This page contains all entries posted to The Oracle Global Product Security Blog in November 2007. They are listed from oldest to newest.
