
Inclusion of BEA into Oracle Software Security Assurance Programs (Part II)

This is Reshma Banerjee again. In my last blog entry, I wrote about some of the things that are happening as a result of BEA’s transition into the various Oracle Software Security Assurance programs. Today, I will discuss the changes that affect the security advisories previously published by BEA.

Previously, BEA had a security advisory and patch release program similar to Oracle’s Critical Patch Update. However, as a result of the acquisition, the BEA process has been superseded by the Critical Patch Update process in order to maintain a consistent security patching and advisory experience for all Oracle customers regardless of the products they use. Some of the key changes are highlighted below.

The Critical Patch Updates are released on a quarterly basis, on dates published a year in advance, thus providing customers with a predictable security patching schedule. BEA’s security advisory and patch release program did not offer this predictability, and it will be of great interest to BEA customers, who will now be able to include security patching in their normal maintenance cycles.

Adding further to this predictability, Oracle publishes a summary of the Critical Patch Update documentation on the Thursday prior to the release of each Critical Patch Update. The BEA advisories were included for the first time in the July 2008 Pre-Release Announcement. As for all other Oracle products, the Critical Patch Update Pre-Release Announcements for BEA products will provide advance information about the upcoming Critical Patch Updates, including:
- Name and version numbers of the products affected by new vulnerabilities that are fixed in the Critical Patch Update
- Number of security fixes for each product suite
- Highest CVSS base score for each product suite
- And, potentially, any other information that may be relevant to help organizations plan for the application of the Critical Patch Update in their environment

The Critical Patch Update Pre-Release Announcements are posted on the Critical Patch Updates and Security Alerts page on Oracle’s web site, and are replaced on the day of the release of the Critical Patch Update with the actual Critical Patch Update Advisory document.

Obviously, the use of a common process for advising customers of security updates across all Oracle products brings consistency to customers, who often have to manage multiple Oracle products in an otherwise heterogeneous technical environment. The advance notification makes customers aware of the key security issues addressed in the CPU and whether they are affected by them. It also gives customers the ability to assess the criticality of the vulnerabilities fixed in the CPU and allows them to prioritize their patching effort.

Another area of change will be the content of the security advisories for BEA products. The Critical Patch Update documentation includes risk matrices for each product suite that receives new fixes in the CPU. These risk matrices are designed to help customers assess the risk posed by each newly fixed security vulnerability in their specific environment. The risk matrices provide the following information:
- affected versions of the product,
- affected component and protocol,
- required packages/privileges, and
- CVSS Base Score rating of the vulnerability.
These risk matrices are designed to provide enough information to allow customers to assess the exploitability and impact of each vulnerability and to determine which components/product versions are affected for testing purposes. Vulnerabilities are listed in order of severity in the risk matrices, so customers can easily identify the vulnerabilities most critical to them. The risk matrices can also be used to single out the systems most at risk in a customer’s environment so that these systems can be patched first.
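To show how the four risk-matrix fields above feed a patching decision, here is an added Python example (not Oracle’s or BEA’s code) that matches a constructed risk matrix against a constructed host inventory and orders hosts by the highest CVSS Base Score that applies to them. Every version, component, protocol and vulnerability identifier in it is made up for illustration.

```python
# Added example: triage a CPU risk matrix against a host inventory.
# All matrix rows and hosts below are constructed; none come from a real CPU.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskMatrixEntry:
    row_id: str                  # placeholder label, not a real advisory identifier
    component: str
    protocol: str
    privilege_required: str      # e.g. "None" (unauthenticated) or "Valid account"
    cvss_base: float
    affected_versions: tuple     # version strings exactly as the matrix lists them


@dataclass(frozen=True)
class Host:
    name: str
    product_version: str
    exposed_protocols: tuple


# Constructed risk matrix, already in severity order as a CPU matrix would be.
RISK_MATRIX = [
    RiskMatrixEntry("ROW-1", "App Server", "HTTP", "None", 7.5, ("10.3", "10.0")),
    RiskMatrixEntry("ROW-2", "Messaging", "LDAP", "None", 6.8, ("9.2",)),
    RiskMatrixEntry("ROW-3", "Admin Console", "HTTP", "Valid account", 4.3, ("10.3",)),
]

# Constructed inventory: version deployed and protocols actually reachable on each host.
INVENTORY = [
    Host("app01", "10.3", ("HTTP", "LDAP")),
    Host("app02", "9.2", ("LDAP",)),
    Host("app03", "8.1", ("HTTP",)),
]


def applicable(entry, host):
    """A row applies when the host runs an affected version and exposes the row's protocol."""
    return (host.product_version in entry.affected_versions
            and entry.protocol in host.exposed_protocols)


def prioritize(matrix, inventory):
    """(host, row) pairs sorted highest CVSS first, then by host name for stable output."""
    hits = [(h, e) for h in inventory for e in matrix if applicable(e, h)]
    hits.sort(key=lambda pair: (-pair[1].cvss_base, pair[0].name))
    return hits


def patch_order(matrix, inventory):
    """Distinct host names in the order they should be patched (most exposed first)."""
    order = []
    for host, _ in prioritize(matrix, inventory):
        if host.name not in order:
            order.append(host.name)
    return order
```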

In the past, BEA advisories used an alternate form of risk assessment, which at times duplicated the information disclosed in the Oracle CPUs. In order to maintain consistency in the CPU documentation, this alternate form of risk assessment will no longer be provided. In addition, BEA used to provide specific information about the types of vulnerabilities fixed in the advisory. Under Oracle’s policies, this information is deemed too specific and potentially harmful, as it could empower malicious attackers. This kind of detailed information will therefore no longer be provided.

In addition, starting with the April CPU, patch availability information for the security advisories for former BEA products will be made available exclusively through Metalink. This is also consistent with the practices for most other Oracle products.

The adoption of Oracle Software Security Assurance also results in changes in how we communicate with security researchers. Prior to the acquisition, BEA used secalert@bea.com for any email communication with security researchers. This address will now be replaced by secalert_us@oracle.com, which is the address used for all other Oracle products. Note that BEA did not use encrypted email for communicating with security researchers; Oracle, however, encourages the use of encryption for such communication (Oracle’s encryption key can be found at http://www.oracle.com/technology/deploy/security/encryptionkey.html).

Finally, like the now obsolete BEA security site, the Oracle Critical Patch Updates and Security Alerts site supports RSS feeds. Anyone can subscribe to these feeds and be notified of changes made to the page (including when the Pre-Release Announcements are published). Note that BEA customers who were previously subscribed to the BEA RSS feeds will need to re-subscribe to the Oracle RSS feed at http://www.oracle.com/technology/deploy/security/alerts.htm.

I feel that the adoption of the various Oracle Software Security Assurance programs has contributed to making the security advisory program for BEA products more predictable and useful to customers. In my opinion, the Oracle and BEA teams put in a tremendous effort to align the processes to provide a consistent and positive experience to ALL Oracle customers.

About This Entry

This page contains a single entry from the blog posted on April 27, 2009 5:27 AM.