
July 2008 Archives

July 8, 2008

IOUG Security Survey

Hi, this is Eric Maurice again.

The greatest external factor influencing Oracle Software Security Assurance is the feedback we receive from customers. While members of Oracle’s Global Product Security team have daily interactions with customers, security researchers, and industry analysts, the most exhaustive channel for customer feedback is the Security Customer Advisory Council, which is managed by the Program Management Office of the Global Product Security organization.

The Security Customer Advisory Council (SCAC for short) is composed of customers from around the world, representing various industries. Moreover, SCAC members collectively use most if not all Oracle products. The SCAC meets at least once a year to discuss emerging security topics, Oracle’s security strategy, and Oracle Software Security Assurance programs, including the Critical Patch Update and related activities. For example, the recommendations of the SCAC have previously led Oracle to adopt the Common Vulnerability Scoring System (CVSS) as a standard way to rate the severity of the vulnerabilities fixed in the CPU and to issue pre-release CPU announcements (these are issued on the Critical Patch Updates and Security Alerts page the Thursday before the CPU due date).

Most recently, the Independent Oracle User Group (IOUG) joined the Security Customer Advisory Council. This initiative was launched by the Enterprise Best Practices SIG under the leadership of Michelle Malcher, the SIG president. As a component of this initiative, Oracle and IOUG also produced a number of security training webcasts. These webcasts are available online on the Enterprise Best Practices SIG Download Page. The two most recent webcasts were particularly popular! In March, Daniel Wong (Director of Engineering in the Database Security group) presented the security enhancements in Oracle Database Server 11g. Last month, Jenny Tsai-Smith (Senior Director in Curriculum Development) and Mark Fallon (Director of Software Development) recorded a webcast on how to best prevent SQL Injection attacks.

In preparation for the next Security Customer Advisory Council (to be held in October), the Enterprise Best Practices SIG of IOUG posted a security survey to gather information about the current security practices of its members, particularly around the application of the Critical Patch Updates and Patch Sets, and to gather recommendations from members about possible process improvements that Oracle could bring to further enhance Oracle Software Security Assurance activities. Michelle and I recorded a webcast that discusses the objectives of the survey. We went through two iterations of the survey, further fine-tuning it, to come up with a shorter, simpler survey that drills down into the areas most likely to yield feedback from Oracle users (the current survey is titled “OSSA Security Survey II” on the IOUG web site).

We would like to encourage all Oracle users to take this survey!!! (Remember to select “OSSA Security Survey II”.) A free Associate Membership to IOUG may be required to take the survey, but completing this form should take no more than five minutes. Completing the survey itself should take no more than ten minutes (unless you decide to take advantage of the free-form question at the end of the survey by writing an extensive set of recommendations for Oracle).

Information about the Security Survey:
The survey is located at http://survey.ioug.org. (Please select “OSSA Survey II”.)
The webcast explaining the objectives of the survey is located at: http://www.ioug.org/networking/SIGs/SurveyPodcastrev.mp3

Information about Oracle Software Security Assurance:
For more information about the Security Customer Advisory Council, you can e-mail: securityCAC_ww@ORACLE.COM

Information about IOUG:
IOUG web site is located at http://www.ioug.org.
For information about IOUG membership, see the IOUG membership page.
Recorded IOUG webcasts can be found at http://www.ioug.org/networking/SIGs/Archived_SIG_Webcasts.cfm


July 15, 2008

July 2008 Critical Patch Update Released

Hello, this is Eric Maurice again!

Oracle today released the July 2008 Critical Patch Update (CPUJul2008). While this is Oracle's fifteenth Critical Patch Update (CPU), and personally, my ninth CPU (I joined Oracle in time for CPUJul2006), I am still impressed with the dedication and great talent of everyone who is involved with the production of each CPU. Over the years, Oracle has introduced many enhancements to the CPU and successfully extended its scope to many products added via acquisition.

Today’s CPU is characterized by two significant developments: the adoption of the Common Vulnerabilities and Exposures (CVE) numbering scheme, and the inclusion of the BEA, TimesTen, and Hyperion product lines in the Critical Patch Update. But more on these topics later! Let’s first have a look at the content of this CPU.

Today’s CPU includes fixes for 45 new security vulnerabilities across a wide range of products: Oracle Database Server, Oracle Application Server (including Hyperion Performance Suite), Oracle TimesTen, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle WebLogic Server. Eleven of these vulnerabilities affect Oracle Database Server, and none of these Database Server vulnerabilities are remotely exploitable without authentication. The criticality of the 45 new vulnerabilities fixed in this CPU ranges from CVSS base scores of 1.5 to 6.8 (on a scale of 10). See our previous blog entry series for more information about CVSS and an explanation of the CVSS base scoring formula. Finally, note that none of these 45 fixes affect client-only installations.

As mentioned earlier in this blog, this CPU is also characterized by the adoption of the Common Vulnerabilities and Exposures (CVE) system. As explained on the CVE program web site, “CVE Identifiers (also called "CVE-IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.” Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a “Candidate Naming Authority” under the CVE program. Note that the CPU documentation remains the only authoritative source of information about vulnerabilities in Oracle products, and as such should remain the primary source of information about such vulnerabilities; the use of unique CVE identifiers should, however, simplify how Oracle vulnerabilities are identified in external security reports such as those produced by security researchers and vulnerability management systems. The use of CVE identifiers in the CPU documentation, along with the publication of the Common Vulnerability Scoring System (CVSS) base scores, is further evidence of Oracle’s customer focus in its vulnerability disclosure practices.

Finally, this Critical Patch Update also marks the inclusion of the BEA, TimesTen, and Hyperion product lines in the CPU process.

The inclusion of BEA in the CPU was particularly rapid because of the similarities between the current CPU process at Oracle and the patching procedures previously in use at BEA. Furthermore, all involved in the CPU process have grown skilled at dealing with newly acquired companies, products (and people). The skill with which Oracle successfully integrates acquisitions extends to all involved with Oracle Software Security Assurance.

Today, the CPU process provides a cohesive program for the patching of hundreds of Oracle products across many platforms. Developed with customers in mind, the Critical Patch Update provides a predictable patching schedule that is designed to fall outside of the typical blackout dates experienced by most customers (such as end of fiscal year, end of calendar year, etc.). As a result of this predictability (CPUs are issued on the Tuesday closest to the 15th of January, April, July, and October), Oracle customers can leverage normal maintenance windows for deploying security updates to Oracle products, thus reducing interruptions to their production environment.
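The schedule rule above is easy to encode so that maintenance windows can be planned a year ahead. The following is an added example (not code from the Oracle blog or from Oracle); it assumes only the rule stated in this post, that a CPU is released on the Tuesday closest to the 15th of January, April, July and October. Running it for 2008 reproduces the July 15 date of today's CPU.

```python
"""Compute Oracle Critical Patch Update release dates for a calendar year.

Added example; not from the Oracle blog. Encodes the rule stated in the post:
CPUs are released on the Tuesday closest to the 15th of January, April, July
and October. Years are chosen by the caller; nothing here is fetched from Oracle.
"""
import datetime

CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # datetime.date.weekday(): Monday == 0, Tuesday == 1


def closest_tuesday(anchor):
    """Return the Tuesday nearest to `anchor`.

    A week has seven days, so one Tuesday is always strictly closer than the
    other: at most three days back, otherwise at most three days forward.
    """
    delta = (anchor.weekday() - TUESDAY) % 7  # days back to the previous Tuesday
    if delta <= 3:
        return anchor - datetime.timedelta(days=delta)
    return anchor + datetime.timedelta(days=7 - delta)


def cpu_dates(year):
    """The four scheduled CPU release dates for `year`, in order."""
    return [closest_tuesday(datetime.date(year, month, 15)) for month in CPU_MONTHS]


def cpu_dates_iso(year):
    """Same as cpu_dates, as ISO-8601 strings (convenient for change tickets)."""
    return [d.isoformat() for d in cpu_dates(year)]


def next_cpu_date(year, month, day):
    """First scheduled CPU date on or after the given day, as an ISO string.

    Looks into the following year so a date after the October CPU still resolves.
    """
    today = datetime.date(year, month, day)
    for d in cpu_dates(year) + cpu_dates(year + 1):
        if d >= today:
            return d.isoformat()


if __name__ == "__main__":
    for d in cpu_dates(2008):
        print(d.isoformat(), d.strftime("%A"))
```

For 2008 the rule yields January 15, April 15, July 15 and October 14 (the 15th of October 2008 falls on a Wednesday, so the Tuesday before is closer).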

For More Information:

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

The CVE web site is located at: http://cve.mitre.org/

July 28, 2008

Security Alert for CVE-2008-3257 Released

Hi, this is Eric Maurice.

Oracle today issued a Security Alert for a vulnerability affecting the Apache plugin for Oracle WebLogic (formerly BEA WebLogic). It is the first Security Alert since the introduction of the Critical Patch Update process in January 2005. Issuing this alert was required because the vulnerability and associated exploit codes have been posted in various public forums. This vulnerability has received the CVE identifier CVE-2008-3257. The CVSS score for this vulnerability is 10.0. It is remotely exploitable without authentication (i.e. it may be exploited over the network without the need for a username and password), and it can result in compromising the confidentiality, integrity, and availability of the targeted system.

When Oracle became aware of this issue, our security and development teams worked diligently to develop an effective workaround to prevent successful exploitation of the vulnerability. Detailed instructions for this workaround have been posted on the eSupport site, and Oracle has already issued a Security Alert to all WebLogic customers to let them know about this workaround. In addition, Oracle will also issue an out-of-cycle security patch for this vulnerability as soon as the fix has been produced for all supported version-platform combinations. We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meantime, we recommend that all customers implement the recommended workaround.

Unfortunately, the person(s) who published this vulnerability and the associated exploit code did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before Oracle had an opportunity to develop an appropriate fix and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out-of-cycle security update.


For More Information:

Workaround instructions are posted on https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html

The Security Alert for this vulnerability is posted on http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

About July 2008

This page contains all entries posted to The Oracle Global Product Security Blog in July 2008. They are listed from oldest to newest.
