OK, maybe not the Holy Grail, but a definite boon for automating notification to internal groups of CPU (Critical Patch Update) information.

You may be aware that in the past, Oracle published an XML feed for CPUs in the Common Vulnerability Reporting Format (CVRF).

CVRF is no longer being delivered; the last CVRF was published in October 2023.

Oracle is now publishing CSAF (Common Security Advisory Framework).

See how the new Security Alerts pages provide this information:

Security Alerts

Critical Patch Update and Security Alert Programs Frequently Asked Questions

https://www.oracle.com/security-alerts/cpufaq.html

For CVRF and CSAF, see:

https://www.oracle.com/security-alerts/cpufaq.html#cvrf

  5. CVRF (Common Vulnerability Reporting Format)

    5.1 What is CVRF?

    5.2 What is Oracle’s involvement with CVRF?

    5.3 Who to contact for any CVRF related questions?

  6. CSAF (Common Security Advisory Framework)

    6.1 What is CSAF?

    6.2 What is Oracle’s involvement with CSAF?

    6.3 Who to contact for any CSAF related questions?


Oracle has begun publishing CSAF; the RSS feed is at:
https://www.oracle.com/docs/tech/security-alerts/oracle-cpu-csaf-rss.xml

CSAF is an OASIS standard; see the specification manifest:
https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os-manifest.txt

Example link from the CSAF RSS feed [cpu-csaf-rss] for the January 2024 CPU:
https://www.oracle.com/docs/tech/security-alerts/cpujan2024csaf.json

See this vulnerability entry from the CPU JSON file:

{
    "cve": "CVE-2023-28823",
    "ids": [
        {
            "system_name": "Oracle Bug ID of Oracle Communications Service Catalog and Design",
            "text": "35788358"
        }
    ],
    "notes": [
        {
            "category": "description",
            "text": "Vulnerability in the Oracle Communications Service Catalog and Design product of Oracle Communications Applications (component: PSR Designer (Integrated Performance Primitives)). The supported version that is affected is 7.4.2.8.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Communications Service Catalog and Design executes to compromise Oracle Communications Service Catalog and Design. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Service Catalog and Design. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).",
            "title": "Vulnerability Description"
        }
    ],
    "product_status": {
        "known_affected": [
            "P-2283V-7.4.2.8.0"
        ]
    },
    "remediations": [
        {
            "category": "vendor_fix",
            "details": "Oracle customers with valid support contracts",
            "product_ids": [
                "P-2283V-7.4.2.8.0"
            ],
            "url": "https://support.oracle.com/rs?type=doc&id=2992416.1"
        }
    ],
    "scores": [
        {
            "cvss_v3": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
            },
            "products": [
                "P-2283V-7.4.2.8.0"
            ]
        }
    ]
}


See also the discussion on VEX.

7. VEX (Vulnerability Exploitability eXchange)

VEX is a specification that can be used to assert that certain CVEs are or are not exploitable in the context of a specific product.

See for reference:
https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf


The JSON file also includes VEX details.

See this segment (the VEX flag from one vulnerability entry, followed by that entry's description note):

    "cve": "CVE-2023-2976",
    "flags": [
        {
            "date": "2024-01-16T13:00:00-07:00",
            "label": "vulnerable_code_not_in_execute_path",
            "product_ids": [
                "P-13824V-21.3-21.12",
                "P-13373V-Prior to 19.5.40",
                "P-13824V-19.3-19.21"
            ]
        }
    ]

        {
            "category": "description",
            "text": "Security-in-Depth issue in the SQLcl (Google Guava) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product.",
            "title": "Vulnerability Description"
        }

Examples of other labels which may be found:

  • vulnerable_code_not_present
  • vulnerable_code_not_in_execute_path
  • vulnerable_code_cannot_be_controlled_by_adversary

The delivery of VEX has very exciting potential; see this from FIRST.org:

Consolidated SBOM and CSAF/VEX Operational Framework

https://www.first.org/standards/frameworks/psirts/Consolidated-SBOM-VEX-Operational-Framework.pdf

“The Operational Framework for SBOM and CSAF/VEX is a high-level document which provides recommendations and guidance to organizations creating (suppliers) systems that support the distribution of Software Bills of Materials (SBOM) for their products. This also enables the automation of risk management for their customers through the development of machine-readable security advisories which follow CSAF incorporating VEX guidelines.”

Let us know in Ideas Lab how you can see this information being used in PeopleSoft LifeCycle Management and PeopleSoft Cloud Manager.