
October 2009 Archives

October 6, 2009

Security Defect Testing

Hi, this is Darius Wiles.

Software vendors aim to release defect-free products. Earlier posts have discussed the Oracle Software Security Assurance (OSSA) program and its processes, which aim to get us as close to this goal as possible. Automated testing is an important part of OSSA: it helps catch problems missed in earlier stages of the development lifecycle and gives us the opportunity to improve our processes so that similar problems are prevented in the future.

When I joined Oracle a number of years ago, we relied almost exclusively on internally-developed testing tools and common freely available penetration testing tools. We had tried many of the commercial tools that were available at that time but concluded they were not useful to us due to their inability to cope with the volume and complexity of code we needed to test. In addition, these commercial tools did not always work correctly with our products (e.g. web application tools could not test web sites protected with Oracle Single Sign-On), and other tools were not able to statically analyze all the programming languages we use. However, the leading commercial scanners have improved significantly over the past few years, and we are now increasingly building them into our standard development and testing processes.

The increasing use of automated tools by Oracle is having an impact on the proportion of security defects that are discovered internally versus those reported by external sources. For reporting and tracking purposes, we categorize security defects into groups based on who found them, namely internal, customer and external. Andy Webber's recent blog post talked about an unexpected internal source of defect reports, but generally, internally-discovered security defects are found as a result of security testing performed by the development, quality assurance, and ethical hacking teams.

This increasing use of automated tools is allowing us to find more security defects internally. Of all defects found in 2009 (so far), 87% have been found internally, 10% have been reported by customers, and 3% were found externally. Note that the external group consists of defects reported to us by security researchers, Oracle-specific defects posted directly to the Internet, and problems in third party products/code that we include with our products. One should be wary of drawing comparisons based on this data, especially comparisons of the effectiveness of these different groups in finding security bugs. The raw statistics provide a slightly unbalanced comparison, as many of the internal defects are unlikely to be exploitable in practice: static source code analysis tools tend to err on the side of caution when reporting potential problems, and we likewise prefer to be cautious and add validation checks unless we are absolutely sure a potential problem is a false positive. Conversely, most of the customer and external defects have been analyzed in enough detail to weed out the false positives. Additionally, an increasing number of potential defects are being found and fixed during product development, reducing the opportunity for defects to find their way into released products and for people outside Oracle to find them. Nevertheless, we use these figures as a guide in tracking our progress towards finding an increasing percentage of problems internally.

[Figure: SecurityDefects2009.png, the 2009 breakdown of security defects by source (internal, customer, external)]

In a blog posting earlier this year, Reshma Banerjee discussed the inclusion of BEA into OSSA. A lot of good ideas are exchanged between security teams in Oracle and newly-acquired companies. Although many companies have solved the same security challenges in surprisingly similar ways, the variations are always worth exploring as more effective techniques can be shared across the whole company. This includes the use of security testing techniques and commercial testing tools. I expect the continuous improvement in OSSA processes to continue to increase the percentage of internally found defects, relative to the other two categories, and get us closer to the goal of defect-free products.

For more information, a number of Oracle OpenWorld sessions will be dedicated to Oracle Software Security Assurance:


  • On Sunday October 11 at 3:30PM: Oracle Software Security Assurance Town Hall with IOUG (panel discussion with Bruce Lowenthal, John Heimann, Mark Fallon, Robert Armstrong, and Hiran Patel)

  • On Tuesday October 13 at 11:30AM: Governance and Security Assurance with John Heimann

  • On Thursday October 15 at 9:00AM: Software Vulnerabilities: Preventing & Protection with Bruce Lowenthal

  • Also on Thursday, at 3:00PM: Critical Patch Update: A Year in Review with Bruce Lowenthal & Eric Maurice

October 20, 2009

October 2009 Critical Patch Update Released

Hello, this is Eric Maurice. Oracle released the October 2009 Critical Patch Update (CPUOct2009) today. In a previous blog entry, I explained why this Critical Patch Update had been moved.

Today's Critical Patch Update (CPU) provides 38 new security fixes across a number of product groups including: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JD Edwards Tools, Oracle WebLogic and Oracle JRockit (formerly from BEA), and Oracle Communications Order and Service Management. Of these 38 vulnerabilities, 19 are remotely exploitable without authentication.

Oracle Database Server receives 16 new fixes, 6 of which are for vulnerabilities that are remotely exploitable without authentication. Three of these vulnerabilities have received a CVSS Base Score of 10.0. These scores reflect the relative severity of the vulnerabilities, as they can result in a full compromise of the targeted system down to the operating system (OS). The CVSS guide available on the FIRST web site provides a detailed explanation of how Base Scores are computed. Note, however, that these scores are only applicable to the Windows platform. On other platforms, the score for these vulnerabilities is limited to 7.5 because a successful exploitation of these vulnerabilities will not result in a compromise down to the OS layer. Furthermore, note that these vulnerabilities affect various versions (9.2.0.8; 10.1.0.5; 10.2.0.4; and 11.1.0.6). The most recent versions of Oracle Database Server (11.1.0.7 and 11.2.0.1), however, are not subject to these vulnerabilities. This is because of the order in which fixes are produced by Oracle (i.e., the main code line is fixed first; for more information see Oracle's policy for fixing security vulnerabilities).
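To make the 10.0 versus 7.5 distinction concrete, here is the CVSS v2 base equation from the FIRST guide carried through in Python. This is an added worked example, not code from the original post or from Oracle's advisory. The vector strings are an assumption on my part: they are the standard v2 vectors for a remote, unauthenticated, low-complexity flaw whose impact is either Complete (the OS-level compromise described for Windows) or Partial (the compromise confined to the database layer described for other platforms). The advisory itself does not publish vector strings, and Oracle's own scoring conventions are documented in Note 394487.1 referenced below.

```python
"""CVSS v2 base-score calculator (added example, not from the original post).

Implements the base equation from the FIRST CVSS v2 guide and scores the two
cases discussed above: a full compromise down to the OS (Complete impact) and a
compromise confined to the database process (Partial impact). The vector
strings used in main() are assumed, not quoted from the Oracle advisory.
"""

# Metric weights exactly as tabulated in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric -> value dict.

    Raises ValueError if any of the six base metrics is missing, so a
    truncated vector cannot silently score as a less severe one.
    """
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    required = {"AV", "AC", "Au", "C", "I", "A"}
    missing = required - parts.keys()
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return parts


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector: str) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)).

    f(Impact) is 0 when Impact is 0 (no C/I/A loss at all) and 1.176 otherwise.
    """
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploit = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact
    return round(raw, 1)


def main() -> None:
    # Assumed vectors for the two cases in the post (not the advisory's own).
    cases = {
        "Windows, compromise down to the OS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
        "Other platforms, database layer only": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    }
    for label, vector in cases.items():
        print(f"{label:40s} {vector}  -> {base_score(vector)}")


if __name__ == "__main__":
    main()
```

Only the three impact metrics differ between the two vectors; moving them from Complete to Partial is what drops the score from 10.0 to 7.5, which is the platform-dependent effect the post describes. The same function scores a purely local variant (AV:L with Complete impact) at 7.2, showing how much of the 10.0 comes from the remote, unauthenticated access vector.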

Due to the severity of the new Database Server vulnerabilities, Oracle recommends that this Critical Patch Update be applied to the affected systems as soon as possible. Until the CPU is applied, however, common network access control products, such as reverse proxies and firewalls, which are routinely deployed around sensitive systems, can greatly reduce the risks posed by these vulnerabilities. These network security tools can help prevent attempts to exploit these vulnerabilities remotely and effectively hide the vulnerable systems from malicious Internet users. As a matter of good security practice, a database server should not be exposed to the Internet, and connections to databases should be limited to securely configured application servers and trusted staff.

Oracle WebLogic and JRockit receive 6 new security fixes. One of the fixes has a reported CVSS Base Score of 10.0. It affects Oracle JRockit, and this fix is in fact designed to address multiple vulnerabilities affecting the Sun Java Runtime Environment. These vulnerabilities were disclosed by Sun Microsystems in August 2009, and the CPU Advisory provides the complete list of Sun advisories addressed in JRockit.

For more information:
o The Security Technology Center on OTN is located at http://www.oracle.com/technology/deploy/security/index.html
o The October 2009 CPU advisory is located at http://www.oracle.com/technology/deploy/security/alerts.htm
o Information to subscribe to Oracle security e-mail notifications is located on http://www.oracle.com/technology/deploy/security/securityemail.html
o Note 360870.1 (My Oracle Support subscription required) explains the impact of Java security vulnerabilities on Oracle products.
o Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.

About October 2009

This page contains all entries posted to The Oracle Global Product Security Blog in October 2009. They are listed from oldest to newest.
