
January 2009 Archives

January 13, 2009

January 2009 Critical Patch Update

Hi, this is Eric Maurice!

Today Oracle released the January 2009 Critical Patch Update (CPUJan2009).

The Critical Patch Update (CPU) includes fixes for 41 new security vulnerabilities across several product families, including: Oracle Database Server, Oracle TimesTen, Oracle Secure Backup, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, and Oracle WebLogic.

Ten of the 41 vulnerabilities affect Oracle Database Server, and none of the ten are remotely exploitable without authentication. Two of the Oracle Database Server fixes are for the SQL*Plus Windows GUI; as such they also impact client-only installations.

This Critical Patch Update also addresses nine vulnerabilities in Oracle Secure Backup, a stand-alone solution for centrally managing backup tapes. Four of the Oracle Secure Backup vulnerabilities are reported in the CPU documentation with a CVSS Base Score of 10.0. Note however that this CVSS Base Score of 10.0 applies only to the Windows platform. For Linux, Unix, and other platforms, the same vulnerabilities yield a lower score of 7.5. This difference in CVSS Base Scores is due to operating system differences, which allow a successful exploitation of one of these vulnerabilities to result in a takeover of the operating system in a Windows environment, but not on other platforms (Linux, Unix, etc.). A 10.0 CVSS Base Score denotes instances where a complete takeover of the underlying platform on which the compromised application executes is possible (the attacker “owns” the targeted machine). A 7.5 CVSS Base Score denotes instances where the compromise is limited to the compromised application itself. Finally, note that none of the vulnerabilities fixed in this Critical Patch Update affect the most recent release of Oracle Secure Backup (10.2.0.3).
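To make the two scores above concrete, here is an added example (not Oracle's code and not part of the original post) that evaluates the published CVSS v2.0 base equation. Reading the post's description in CVSS v2 terms is my assumption: both cases share the same exploitability metrics (network access, low complexity, no authentication: AV:N/AC:L/Au:N); a takeover of the underlying platform is scored with Complete confidentiality, integrity and availability impact (C:C/I:C/A:C), while a compromise confined to the application is scored Partial on all three (C:P/I:P/A:P). The weights are the CVSS v2.0 constants; the vector strings are constructed for the demonstration.

```c
/* Added example (not Oracle's code): CVSS v2.0 base score from the six base
 * metrics, to show why the same bug scores 10.0 when it yields an OS takeover
 * (impact Complete) and 7.5 when it is confined to the application (Partial).
 * Metric assignment to the post's two cases is an assumption, see lead-in. */
#include <stdio.h>

/* Access Vector: L(ocal), A(djacent network), N(etwork) */
static double av_weight(char av) {
    switch (av) { case 'L': return 0.395; case 'A': return 0.646; default: return 1.0; }
}
/* Access Complexity: H(igh), M(edium), L(ow) */
static double ac_weight(char ac) {
    switch (ac) { case 'H': return 0.35; case 'M': return 0.61; default: return 0.71; }
}
/* Authentication: M(ultiple), S(ingle), N(one) */
static double au_weight(char au) {
    switch (au) { case 'M': return 0.45; case 'S': return 0.56; default: return 0.704; }
}
/* Confidentiality / Integrity / Availability impact: N(one), P(artial), C(omplete) */
static double cia_weight(char x) {
    switch (x) { case 'N': return 0.0; case 'P': return 0.275; default: return 0.660; }
}

/* CVSS v2 rounds the base score to one decimal place, half up.
 * Scores are never negative, so truncation after adding 0.5 is exact. */
static double round1(double x) {
    return (double)(long)(x * 10.0 + 0.5) / 10.0;
}

/* BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)) */
double cvss2_base_score(char av, char ac, char au, char c, char i, char a) {
    double impact = 10.41 * (1.0 - (1.0 - cia_weight(c))
                                 * (1.0 - cia_weight(i))
                                 * (1.0 - cia_weight(a)));
    double exploitability = 20.0 * av_weight(av) * ac_weight(ac) * au_weight(au);
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;   /* f(Impact) per the spec */
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact);
}

/* Parses a vector such as "AV:N/AC:L/Au:N/C:C/I:C/A:C"; returns -1.0 if it
 * does not have the expected shape. */
double cvss2_score_from_vector(const char *vec) {
    char av, ac, au, c, i, a;
    if (sscanf(vec, "AV:%c/AC:%c/Au:%c/C:%c/I:%c/A:%c", &av, &ac, &au, &c, &i, &a) != 6) {
        return -1.0;
    }
    return cvss2_base_score(av, ac, au, c, i, a);
}

int main(void) {
    /* Constructed vectors for the two cases described in the post. */
    const char *windows_case = "AV:N/AC:L/Au:N/C:C/I:C/A:C";  /* OS takeover */
    const char *other_case   = "AV:N/AC:L/Au:N/C:P/I:P/A:P";  /* app-only compromise */
    printf("%s -> %.1f\n", windows_case, cvss2_score_from_vector(windows_case));
    printf("%s -> %.1f\n", other_case, cvss2_score_from_vector(other_case));
    return 0;
}
```

The only thing that changes between the two vectors is the three impact metrics; the exploitability sub-score (about 9.997 for AV:N/AC:L/Au:N) is identical, which is why the post attributes the gap entirely to what a successful exploit can reach on each operating system.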

This Critical Patch Update also addresses five new vulnerabilities in the Oracle WebLogic suite of products. One of these five vulnerabilities also received a CVSS Base Score of 10.0, and it affects the WebLogic Server Plugins for the Apache, Sun and IIS web servers. The WebLogic plugin component has already been the subject of a couple of serious vulnerabilities: two CVSS 10.0 vulnerabilities were recently fixed in this component, one with the October 2008 Critical Patch Update and the other with an out-of-cycle Security Alert in August 2008. The discovery of these vulnerabilities has brought a lot of attention to the WebLogic Server Plugin, and as a result this component has gone through significant review, including an in-depth review by our ethical hacking team (a.k.a. “White Hat Hackers”), and of course various exchanges with the security researchers who brought some of these issues to light. Finally, note that the fixes for the WebLogic plugins are cumulative: the most recent fix includes all previously released fixes.

In many ways, the remediation of severe vulnerabilities in Oracle Secure Backup and the Oracle WebLogic Server plugins in today’s Critical Patch Update highlights the effectiveness of an ongoing Security Assurance effort, which involves the entire development organization, as well as internal security teams and trusted security researchers. Looking back at the Critical Patch Updates since January 2005, we can see that the most mature product lines (in terms of their inclusion in Oracle Software Security Assurance programs, including the Critical Patch Update) are experiencing fewer critical vulnerabilities, and even, in some instances, a decrease in the number of vulnerabilities fixed in each Critical Patch Update. (Note that the size of the Critical Patch Update remains roughly constant despite the continuously growing number of products that have joined the CPU process as a result of newly acquired product lines.) Of course, security professionals can never fully rest on their laurels, because such progress can always be negated by the discovery of new attack methods, which would result in a “spike” in the number of fixes issued to address them.

As usual, I try to highlight the most notable content of the current Critical Patch Update in this post. However, as indicated at the beginning of this post, the current Critical Patch Update also includes new fixes for other product lines (Oracle E-Business Suite, Oracle TimesTen, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle PeopleSoft Enterprise, and Oracle JDEdwards Enterprise One). Customers should therefore refer to the CPU Release Documentation for more information about these patches. Oracle strongly encourages all customers to apply this CPU as soon as possible.

For More Information:

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

For more information about Oracle’s use of the CVSS standard, see: http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm

January 26, 2009

SANS Top 25 Most Dangerous Coding Errors

Hello, I am Bruce Lowenthal, Director of the Oracle Security Alerts Group. My group is responsible for all communication with external researchers regarding Oracle product vulnerabilities and is also responsible for coordinating the creation and distribution of fixes for product vulnerabilities via Oracle's Critical Patch Update program.

On January 12th, SANS issued a report detailing the Top 25 Most Dangerous Programming Errors. I, as the Oracle representative, was one of many contributors to this paper. In this post I wanted to discuss some of the reasons why a top 25 list of the most dangerous programming errors is important to the software development industry.

First, a summary of the paper. The SANS paper contains a list of the top 25 programming errors, or really categories of errors, that have resulted in security vulnerabilities. Here, security vulnerabilities are program defects that could allow attackers to read, create, delete or modify data without proper authorization, or to cause a denial of service against resources that provide computing services. These categories were determined by a long list of collaborators, including private consultants, members of governmental and security organizations, and members of industry like me.

Each of the SANS programming errors is described, its consequences are noted, and methods to prevent and mitigate each error are provided.

An illustrative example from the SANS list is "Improper Input Validation," which is the class of errors resulting from a lack of validation of input parameters to functions, procedures and applications. A good example from this class is the "buffer overflow" error, where the size of an input parameter exceeds the size of the buffer that was allocated to contain it. Buffer overflows can often be exploited to allow takeover of the application or even the host system. I believe that Improper Input Validation is the leading cause of security vulnerabilities in software.
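The buffer overflow described above, as an added example that is not from the SANS paper or from Oracle: an unchecked copy of a caller-supplied string into a fixed-size buffer, beside a version that validates the input length before copying. The record layout, the field names, the buffer size and the sample inputs are hypothetical and chosen only to make the adjacent-field corruption visible.

```c
/* Added example (not from the SANS paper or Oracle). Hypothetical session
 * record: a fixed-size name buffer followed by a privilege flag. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

struct session {
    char name[NAME_LEN];   /* fixed-size buffer for the user name */
    int  is_admin;         /* lives directly after the buffer in memory */
};

/* Vulnerable: trusts the length of 'src'. Any input of NAME_LEN or more
 * characters writes past 'name' into 'is_admin' (undefined behaviour; in
 * practice the neighbouring field is overwritten). A manual loop is used
 * so the overflow is not masked by compiler-checked string functions. */
void set_name_unchecked(struct session *s, const char *src) {
    size_t i = 0;
    while (src[i] != '\0') {
        s->name[i] = src[i];
        i++;
    }
    s->name[i] = '\0';
}

/* Hardened: validates the input against the buffer size first. Scanning
 * stops at NAME_LEN bytes, so an unterminated or over-long input is
 * rejected (return -1) and the record is left untouched rather than
 * silently truncated. */
int set_name_checked(struct session *s, const char *src) {
    const char *end = memchr(src, '\0', NAME_LEN);  /* terminator within bounds? */
    if (end == NULL) {
        return -1;                                  /* does not fit with its NUL */
    }
    memcpy(s->name, src, (size_t)(end - src) + 1);  /* length validated above */
    return 0;
}

int main(void) {
    const char *long_name = "AAAAAAAAAAAA";   /* constructed 12-character input */

    struct session s = { "guest", 0 };
    set_name_unchecked(&s, long_name);
    printf("unchecked copy: is_admin=%d (was 0; overwritten by the overflow)\n",
           s.is_admin);

    struct session t = { "guest", 0 };
    int rc = set_name_checked(&t, long_name);
    printf("checked copy: rc=%d name=\"%s\" is_admin=%d (record unchanged)\n",
           rc, t.name, t.is_admin);
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened name can itself become a security problem when the truncated value collides with another principal's.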

Why is this list important?

One reason is that it alerts programmers to common programming errors that lead to security vulnerabilities. Just by knowing about such problems, a programmer is more likely to avoid them. The list also includes both "tactical" and architectural advice on how to prevent or mitigate such problems. For example, the use of input validation frameworks, such as Struts, is an architectural recommendation for avoiding "Improper Input Validation" errors. As tactical advice, the SANS document recommends that programmers avoid "blacklist" validation of input, since common mistakes in defining blacklists can lead to malicious input going undetected. In addition, the SANS list provides mitigation advice. For example, it recommends that "least privilege" be used so that if a compromise occurs, the potential damage is limited. Of course this advice should be heeded when developing software for any type of application.
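The blacklist problem mentioned above, as an added example that is not from the SANS paper or from Oracle: a blacklist check that rejects a few known-bad substrings, beside an allowlist check that accepts only what the field is defined to contain. The banned patterns, the allowed character set, the length limit and the sample inputs are constructed for the illustration.

```c
/* Added example (not from the SANS paper or Oracle): blacklist versus
 * allowlist input validation for a hypothetical user-name field. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Blacklist: reject input containing a known-bad substring. Every spelling
 * the list author did not think of (different case, split tokens, URL or
 * entity encoding) passes, because the match is exact and case-sensitive. */
int blacklist_allows(const char *input) {
    static const char *banned[] = { "<script", "javascript:", "onerror=" };
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++) {
        if (strstr(input, banned[i]) != NULL) {
            return 0;   /* matched a banned pattern */
        }
    }
    return 1;           /* nothing matched, so it is let through */
}

/* Allowlist: accept only what a user name is defined to be here, 1 to 32
 * characters from [A-Za-z0-9_.-]. Anything outside that definition is
 * rejected whether or not it resembles a known attack. */
int allowlist_allows(const char *input) {
    size_t len = strlen(input);
    if (len == 0 || len > 32) {
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) {
            return 0;   /* character outside the allowed set */
        }
    }
    return 1;
}

int main(void) {
    /* Constructed inputs: one benign, one obvious, two blacklist bypasses. */
    const char *samples[] = {
        "alice",
        "<script>alert(1)</script>",
        "<ScRiPt>alert(1)</ScRiPt>",     /* case change defeats the blacklist */
        "%3Cscript%3E",                  /* URL-encoded form defeats it too */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-28s blacklist=%s allowlist=%s\n", samples[i],
               blacklist_allows(samples[i]) ? "allow" : "reject",
               allowlist_allows(samples[i]) ? "allow" : "reject");
    }
    return 0;
}
```

The allowlist is shorter than the blacklist and needs no maintenance when a new bypass is published, which is the practical reason the SANS paper steers programmers toward defining what is acceptable rather than enumerating what is not.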

Thus, the list of the top 25 programming errors can be used to directly improve the security of programs: by providing programmers with an understanding of common vulnerabilities, by setting forth both architectural and tactical recommendations for avoiding vulnerabilities due to these errors, and by recommending methods of mitigating successful exploits of such vulnerabilities. The SANS list may have other effects as well. For example, new publicly available tools for finding, mitigating and avoiding such errors may be developed for general use as a result of this list. Also, people who audit or review programs may use the top 25 list to help them assess software products.

I expect that the SANS top 25 list of programming errors will have a significant effect on the software industry. Software development organizations that review this list and quickly take appropriate action to reduce and eliminate the errors described in the list should have a considerable advantage over competitors that do not.

For More Information:
The SANS Top 25 Most Dangerous Coding Errors is available at http://www.sans.org/top25errors/

About January 2009

This page contains all entries posted to The Oracle Global Product Security Blog in January 2009. They are listed from oldest to newest.
