Tuesday Apr 17, 2012

April 2012 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle has just released the April 2012 Critical Patch Update. This Critical Patch Update provides 88 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle FLEXCUBE, Oracle Siebel Clinical Trial Management System, Oracle Primavera, Oracle Sun products suite, and Oracle MySQL.

Of the 88 new vulnerabilities, 6 directly affect Oracle Database Server. The highest CVSS Base Score for these Database Server vulnerabilities is 9.0. This Base Score affects the Oracle Spatial component on Windows platforms (on non-Windows platforms, i.e., Linux, Unix, the CVSS Base Score is 6.5). In addition, 6 Enterprise Manager Grid Control fixes may be relevant to Database Server deployments. The highest CVSS Base Score for the Enterprise Manager Grid Control vulnerabilities is 5.8; but 4 of the 6 vulnerabilities can be remotely exploitable without authentication. Therefore, Oracle highly recommends that these fixes be applied as soon as possible.

This Critical patch Update also includes 11 new security fixes for Oracle Fusion Middleware. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0 (for vulnerability CVE-2012-1695). This score affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. Starting again with this Critical Patch Update, JRockit fixes will no longer be provided with the Critical Patch Update for Java SE, but be provided in “the normal” Critical Patch Update along with other Oracle Fusion Middleware fixes.

This Critical Patch Update provides the following application security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 15 for Oracle PeopleSoft Enterprise, 2 for Siebel Clinical Trial Management System, 17 for Oracle FLEXCUBE, and 1 for Oracle Primavera Enterprise Project Management.

Finally, this Critical Patch Update provides 15 new security fixes for the Oracle Sun Products Suite (including Oracle Grid Engine, Oracle Glassfish Enterprise Server, Oracle Solaris, etc.) and 6 new security fixes for Oracle MySQL.

While a great amount of caution is required when analyzing the content of the Critical Patch Updates in an attempt to identify potential trends; I believe the content of this Critical Patch Update is consistent with the views expressed in previous blog entries: Oracle Software Security Assurance activities tend to result in lowering the number of exploitable security bugs in most mature product lines (that is the product lines who have implemented Oracle secure development practices for the longest time), and as a result we see a downward trend in the number of fixes for these product lines. On the other hand, newly acquired product lines often experience relatively large number of security fixes in the Critical Patch Updates. This is due in part to the increased visibility these products may get as a result of their acquisition by Oracle, as well as development’s access to an extended toolset (e.g., security scanning tools) and increased executive attention around security matters as a result of joining Oracle.

For More Information:

The April 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

 

Thursday Mar 29, 2012

Security Alert for CVE-2011-5035 Updated

Hi, this is Eric Maurice again. 

Oracle has just updated the Security Alert for CVE-2011-5035 to announce the availability of additional fixes for products that were affected by this vulnerability through their use of the WebLogic Server and Oracle Container for J2EE components.  As explained in a previous blog entry, a number of programming language implementations and web servers were found vulnerable to hash table collision attacks.  This vulnerability is typically remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.  If successfully exploited, malicious attackers can use this vulnerability to create denial of service conditions against the targeted system.

A complete list of affected products and their versions, as well as instructions on how to obtain the fixes, are listed on the Security Alert Advisory.  Oracle highly recommends that customers apply these fixes as soon as possible.

Tuesday Feb 14, 2012

February 2012 Critical Patch Update for Java SE Released

Hello, this is Eric Maurice.

Oracle just released the February 2012 Critical Patch Update for Java SE. This Critical patch Update provides fixes for 14 new security vulnerabilities affecting the Java Runtime Environment and JavaFX. The most severe CVSS Base Score for these vulnerabilities is 10.0 denoting a potentially complete compromise of the targeted systems on the Windows platform (e.g. Windows XP). Out of the 14 new vulnerabilities fixed in this Critical Patch Update, 6 affect server deployments of Java SE , including the vulnerability in the Lightweight HTTP server. This means that they can be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.

When computing CVSS Base Scores, Oracle assumes the worst scenario: in the instance of the Critical Patch Update for Java SE, we assume that a user running a Java applet or Java Web Start application has administrator privileges as is typical on the Windows XP platform. On other platforms, for example Solaris and Linux, users do not routinely operate with administrator privileges. On non-Windows platform, the corresponding CVSS scores for those vulnerabilities reported as 10.0 in the Risk Matrix, for the Confidentiality, Integrity, and Availability impacts are "Partial" (instead of the worst-scenario "Complete" reported in the risk matrix), thus lowering the CVSS Base Score for non-Windows platforms to 7.5.

While a small number of people have criticized Oracle for its strict application of the CVSS Standard, particularly as it relates to the difference between “Partial+” and “Complete,” there is a fundamental difference between vulnerabilities whose impact are limited to the affected application and those that result in a full compromise of the targeted system down to the operating system.  In instances of full compromise down to the Operating System, the targeted systems can be maliciously repurposed (to serve malware for example), audit trails can be compromised, and in the case of a compromised server, the “chain of trust” that may exist between the affected server and other systems in the environment can be compromised. In other words, a full compromise down to the operating system pose a threat that can be significantly greater than that of a compromise limited to a layer above the operating system. In addition, forensic responses will be different (as the investigatory and evidentiary values of the logs will be different).

Hundreds of millions of lines of code in Oracle’s codebase are written in Java. Following the Sun acquisition, Oracle has added additional resources to focus on Java security, including multipliying development staff dedicated to Java security. In addition, the Java development team is able to leverage a toolset, including code scanning tools, that was not previously available to them. With these new resources available to them as a result of the Oracle acquisition, the Java development team is weeding out security bugs in Java, and is looking at ways to further improve the security posture provided by Java to its users.

For more information:

 

Tuesday Jan 31, 2012

Security Alert for CVE-2011-5035 Released

Hello, this is Eric Maurice.

Oracle just released a Security Alert for CVE-2011-5035.  In recent weeks, it was widely reported in the security community that a number of programming language implementations and web servers were vulnerable to hash table collision attacks.  US-CERT (United States Computer Emergency Readiness Team) has posted a detailed explanation of this issue (VU#903934) on its web site.

This vulnerability affects a significant number of products from Oracle and other vendors.  It is particularly severe as it could allow a malicious attacker to create a denial of service condition against the targeted system through an easy unauthenticated attack over the Internet.

Today’s Security Alert provides fixes to address this issue in Oracle WebLogic Server, Oracle iPlanet Web Server, and Oracle Containers for J2EE.  As usual, the availability of the fixes is noted in the Patch Availability Documents listed in the Security Alert Advisory.  Note that these fixes were not included in the  January 2012 Critical Patch Update, which however included the corresponding fix for Oracle GlassFish server.

Due to the threat posed by this vulnerability, particularly because of its ease of exploitation and the wide interest it has received in the hacking community, Oracle strongly recommends that customers apply this Security Alert as soon as possible.  Users of affected non-Oracle products should contact their respective vendor as soon as possible to obtain the appropriate fix.

For More Information:
The Advisory for Security Alert for CVE-2011-5035 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html

Tuesday Jan 17, 2012

Learning More About Oracle Database Systems Change Number (“SCN”)

Hi, this is Eric Maurice again.

On January 17th 2012, Oracle released the January 2012 Critical Patch Update. This Critical Patch Update provided two new fixes for the Oracle Database. As usual, Oracle recommended a prompt application of the Critical Patch Update, but additionally, in the blog entry accompanying the release of the Critical Patch Update, I emphasized that Database customers should apply the Database fixes as soon as possible, explaining that the first, relatively easy to exploit, Database vulnerability could result in a complete denial of service of the Database, and that the second issue may have wider non-security implications for the databases of a very small number of customers.

In this blog entry, we are going to further discuss this second database issue, listed in the January 2012 Critical Patch Advisory as CVE-2012-0082. Note that Oracle has posted on My Oracle Support a detailed technical note on this issue along with specific recommendations for Oracle customers (See My Oracle Support Note 1376995.1).

First, let’s look at what Systems Change Numbers (SCNs) are, and why they’re important. As stated in My Oracle Support Note 1376995.1, the “System Change Number”, or SCN, is a special number used to identify database transactions. SCN values are used in many places – among other things, they are persisted within database blocks; are stored in redo records; and are used to help coordinate distributed transactions. Oracle has designed its database so that at any given point in time there is a maximum SCN value that the current SCN should not sensibly exceed – this is called the “Maximum reasonable SCN”. It is important to note that this maximum value is not a fixed value, but rather is a function of the current system time, and therefore grows over time.

In November 2011, journalists from InfoWorld contacted Oracle and stated that in a number of specific instances it appeared that the SCN of a database could grow at an excessive rate, and that this excessive SCN value could be propagated to other databases in the same environment through, among other things, database links. Oracle quickly determined that this temporary SCN exhaustion issue could have certain security implications, and as a result, in accordance with Oracle policies, Oracle handled this issue as a security bug. As a result of Oracle’s handling of the issue as a security bug, Oracle treated InfoWorld as a security researcher, and since the magazine followed responsible disclosure guidelines, InfoWorld received credit in the Critical Patch Update Advisory.

The specific conditions that could result in a temporary SCN exhaustion are complex. Oracle’s development and security teams quickly worked together to understand all the aspects of this multifaceted issue. These groups first needed to determine under which conditions SCN values could grow at an excessive rate. This meant producing diagnosing and troubleshooting scripts, documenting technical recommendations, and producing fixes for the components causing such a SCN growth to occur. In addition, this issue had to be explored from a security perspective to determine if it could be used by malicious attackers. Finally, fixes and utilities needed to be packaged for distribution (e.g. inclusion of a SCN-related Healthcheck on My Oracle Support, and patches provided through the January 2012 Critical Patch Update), and technical recommendations needed to be properly tested and documented so that they could be shared with the small number of customers who may have been at risk of running out of “SCN headroom”.

Now, let’s have a look at Oracle’s recommendations in regards to managing SCN growth in the Database environment. Oracle included in the January 2012 Critical Patch Update the “scnhealthcheck.sql” script (Patch:13498243). This script can be executed with DBA privileges and will report as to the health of the SCN growth in the database. This script is intended to provide customers with a sense of comfort that they’re not about to run out of SCN headroom, as well as potentially identify additional customers who may be running out of SCN values in their environment so that they can proactively take corrective actions.

The script will report a value of either “A”, “B”, or “C.”

If “A - SCN Headroom is good” is reported, then the SCN health in the audited database is good. The vast majority of databases are expected to fall into this group. Customers should then ensure that all their interconnected databases are patched to current level.  . No additional action is required once the databases have been patched other than to set the parameter  “_external_scn_rejection_threshold_hours” = 24 on some database versions. The script output will advise if this parameter needs to be set. 

If “B- SCN Headroom is low” is reported, then SCN headroom is limited. Customers should then ensure that their databases are patched to the current level as soon as possible, preferably within a week, and set “_external_scn_rejection_threshold_hours” = 24  if advised to do so by the script. Once patched, customers should continue to monitor their SCN health daily by running the script, and will notice after several days or weeks that the “scnhealthcheck.sql” script will report “A”.

“C - SCN Headroom is low” will be reported in the very rare cases that customers are running out of SCN headroom. This will occur when the audited database appears to experience an excessively high rate of SCN increase. In such very rare instances, customers should immediately patch their databases to its current recommended level as listed by “My Oracle Support,” and set “_external_scn_rejection_threshold_hours” if advised to do so. In addition, Oracle recommends that these customers also follow the instructions located in My Oracle Support Note Note:1388639.1 to log a Service Request with Oracle Support so that further advice can be given and additional diagnosis performed if required.

For More Information:

My Oracle Support Note 1376995.1 is located at https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1376995.1

 

January 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle just released the January 2012 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities affecting a wide range of Oracle products families including: Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Virtualization, Oracle Sun product suite, and Oracle MySQL.  Note again that security fixes for Java SE continue to be released on a different schedule because of commitments made before the completion of the Sun acquisition.

Out of the 78 new fixes, 2 affect the Oracle Database.  The maximum CVSS Base Score for the Database vulnerabilities fixed in this Critical Patch Update is 5.5, however Oracle considers these fixes to be important.  In a previous blog entry, we discussed how CVSS Base Scores are computed, and we highlighted the fact that the CVSS Base Score scale is designed to rate the severity of vulnerabilities ranging up to complete exploitation of the affected system down to the Operating System layer (CVSS Base Score greater than 7.5). 
One of the database vulnerabilities fixed in this Critical Patch Update has received a CVSS Base Score of 5.0.  It is a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it).  In other words, this vulnerability could allow an unauthenticated attacker to carry a denial of service attack against the targeted database, for example if it were to be exposed to the Internet.

Though not remotely exploitable without authentication, the other database fix provided in this Critical Patch Update is also important.  This database bug, which was also reported to Oracle by InfoWorld, may have wider non-security related consequences for a small number of customers.  Database customers are therefore strongly encouraged to apply this Critical Patch Update and consult My Oracle Support Note 1376995.1 for additional instructions.

11 of the 78 new fixes provided by this Critical Patch Update are for Oracle Fusion Middleware.  The highest CVSS Base Score for these Oracle Fusion Middleware bugs is 6.4. 

An additional 17 fixes affect the Oracle Sun product suite, including Solaris, Glassfish Enterprise Server, and OpenSSO.  The highest CVSS Base Score for these Sun product suite vulnerabilities is 7.8.

3 new fixes affect Oracle virtualization.  The maximum CVSS Base Score for these vulnerabilities is 3.7.  This score is related to a vulnerability affecting Oracle VM VirtualBox.

Finally, Oracle MySQL receives 27 fixes.  The maximum CVSS Base Score for these MySQL vulnerabilities is 5.5.  One of these vulnerabilities is remotely exploitable without authentication.  Note that this is the first time that MySQL fixes are being included in the Critical Patch Update.

Oracle continues to recommend that customers apply all security patches and keep up with newer releases as a means to continue to preserve their security posture.  As highlighted in this Critical Patch Update, the decreasing number of fixes produced for the most mature product lines in recent Critical Patch Updates should not be construed as an indication that Critical Patch Updates are becoming less important to the security posture of Oracle customers.  Furthermore, security research continues to show that unpatched systems remain an attractive target for malicious hackers.  Fortunately, Oracle customers can leverage a number of tools, including My Oracle Support, to keep up with recommended security and non-security releases.

 

For More Information:

Wednesday Dec 14, 2011

Keeping Up With Newer Releases is Good Security Practice

Hi, this is Eric Maurice again.

On October 18th 2011, Oracle released the October 2011 Critical Patch Update.  As usual, this Critical Patch Update included a number of fixes across a wide range of products, including the Oracle Database.  In the blog entry summarizing the Critical Patch Update, I highlighted the fact that the number of fixes released for the Oracle Database were expected to remain low and made the following statement:

“As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.”

In today’s follow-up, we are going to discuss the various patching options available to Oracle Database customers and go over the security benefits resulting from keeping up with the most recent releases (patch sets and major releases) of the Oracle Database.  Note that many of the concepts discussed in this blog are also applicable for Oracle Fusion Middleware and Oracle Enterprise Manager products.

In order to provide the best security posture to all Oracle customers, Oracle’s security fixing policies generally require Oracle to fix security vulnerabilities in severity order: in other words, Oracle tries to fix the most severe vulnerabilities first.

Oracle provides Database security and non-security fixes in major releases, Patch Sets, and Patch Set Updates (PSUs), whereas traditional Critical Patch Update patches (not PSUs) include only security fixes (more details about the content of each of these types of patches follow). 

Let’s have a more detailed look into the content that goes in the different types of Oracle patches and updates and how this content might affect an organization’s patching strategy.

Traditional Critical Patch Update patches include only security vulnerability related content.  They generally provide fixes for higher risk security vulnerabilities.  Oracle’s focus with these patches is to address higher risk issues while ensuring that customers’ environments remain stable after patch application.  These patches include fixes for vulnerabilities, which can be directly exploitable, e.g. buffer overflows, and which could ultimately result in the takeover of the targeted system. 

Traditional Critical Patch Update patches typically do not address issues that cannot be directly exploited (e.g. as violation of least privilege policy and other security in depth fixes) unless they could aggravate the impact of another directly exploitable issue.  They also do not provide fixes for issues for which there are no exploits but which are otherwise against safe secure coding principles.  For example, we routinely fix issues such as specific uninitialized variables, which have no known security exploits, but for which we are concerned that someone might find a way to exploit.  

Traditional Critical Patch Update patches also do not include fixes for certain exploitable issues that have very low risk when the fixes could result in customer applications failing to work properly without modification.  They also do not include fixes for exploitable issues that are very low risk (such as when the exploitation window is very narrow, for example when limited to a short period during installation).  In addition, Critical Patch Updates typically do not include fixes that require large scale code modification or for which there is no reasonable patching mechanism.

Again, Oracle’s focus with the traditional Critical Patch Update patches is to address higher risk issues while ensuring that their application will not cause customers to experience significant impact in production.

Patch Set Updates (PSUs) are another type of bundled patches distributed under the Critical Patch Update program.  In addition to containing all the fixes contained in the traditional Critical Patch Update bundles, PSUs also contain non-security fixes for issues that have been reported by multiple customers. 

These non security PSU fixes are designed to provide high-reward / low-risk fixes, and are an expression of Oracle’s overall proactive support strategy.  Before their inclusion in a PSU, Oracle will have determined that these non-security fixes have already been installed at a number of customer sites with no reported negative effects.  A Patch Set Update is denoted by incrementing the 5th place in the version string (e.g. Oracle Database Server 11.2.0.3.1). 

Next, let’s have a look at Patch Sets.  A Patch Set release is identifiable by the 4th place in the version string (For example, 11.2.0.2.0, 11.2.0.3.0).  Patch Sets contain all the PSU fixes as well as additional content.  This additional content includes reworked security PSU fixes to make them more extensive or to cover more in-depth issues.  It can also include additional fixes for security in-depth issues, including fixes for issues such as uninitialized variables, and other issues related to unsafe coding practices, which are not known to be exploitable but nevertheless have been fixed by Oracle to prevent their use in case they were ever discovered by an attacker. 

Major releases (denoted by the number before and the digit after the “dot” in the version number, e.g. for Oracle Database 11g Release 1 the major release would be the "11.1" in the patch set 11.1.0.7) contain all the above Patch Set fixes as well as additional reworked security fixes to make them more extensive or to cover more in-depth issues.  Major releases also contain many additional fixes for security in-depth issues as well as major architectural fixes that improve security in a comprehensive manner.  In addition to providing new product features, major releases will also contain fixes that were not delivered in Patch Sets or PSUs because of Oracle’s concerns about negative impact on existing applications without code or significant configuration changes.

Note again that because of Oracle’s policies governing the sequencing of the security fixes, it is possible that certain security fixes will be included in Patch Sets or product releases distributed before the relevant Critical Patch Update.  In other words, in some instances the fix for a given vulnerability may be included in a Patch Set or a product release, before the vulnerability is fixed in a consequent Critical Patch Update.  Furthermore, though we try to avoid such a situation, there are instances where security fixes cannot be backported to previous but still supported releases because the nature of the fix is too complex, may require an in-depth re-engineering of the code, or may require extensive code or configuration changes by the customers.  In such instances, the security fixes may only be available through a patchset or more likely through a major release.

Oracle recommends that, to optimize their security posture, as well as to fully take advantage of Oracle’s proactive support model (through the release of low risk fixes for commonly encountered issues), customers have a plan that includes regular patch sets and release upgrades coupled with quarterly patch set updates.  Such upgrades are provided without additional charge to customers with Oracle Premier Support

These upgrades provide not only critical security benefits, even in instances where customers apply ALL the Critical Patch Updates in a timely fashion, but also provide tangible production benefits as customers on recent releases are less likely to experience production issues, that have been reported by other customers, and for which Oracle produced a fix.

For more information:

Tuesday Oct 18, 2011

October 2011 Critical Patch Updates Released

Hello, this is Eric Maurice.

Oracle just released the October 2011 Critical Patch Update and the Critical Patch Update for Java SE.  As explained in previous blogs, because of commitments made before the completion of the Sun acquisition, the security patches for Java SE are typically released on a different schedule than other Oracle products. However, today, the release date of the Critical Patch Update for Java SE coincided with the regular Critical Patch Update release schedule.

The October 2011 Critical Patch Update for Java SE provides fixes for 20 new security vulnerabilities.  The highest CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0, and it is applicable to 6 vulnerabilities.  In addition, one of these 20 new fixes is for the “BEAST” exploit.  “BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389, and it has a CVSS Base Score of 4.3.  Note also that beginning with this Critical Patch Update, security fixes for Oracle JRockit will no longer be released with the Oracle Fusion Middleware fixes but instead will be released along with Java SE fixes in the Critical Patch Update for Java SE.  The primary benefit of this change is that Oracle JRockit will now receive Java-related fixes as soon as these fixes are released by Oracle (JRockit fixes were previously distributed with other Oracle Fusion Middleware fixes in the next Critical Patch Update that followed the Critical Patch Update for Java SE).

The October 2011 Critical Patch Update provides fixes for 57 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Linux and Virtualization, and Oracle Sun product suite.  None of the 57 new fixes are applicable for client-only deployments. 

Of the 57 new fixes, 5 are for Oracle Database Server.  None of the Oracle Database Server vulnerabilities addressed in this Critical Patch Update are remotely exploitable without authentication.  The most severe vulnerability affecting the Oracle Database Server products suite affects Oracle Application Express (APEX), and it has received a CVSS Base Score of 6.5.  None of these fixes are applicable to client-only deployments.

As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments. 

22 out of the 57 fixes provided with this Critical Patch Update are for the Oracle Sun product suite.  The most severe of these vulnerabilities affect the LDAP Library in Sun Solaris (CVE-2011-3508) and has received a CVSS Base Score of 9.3.  Oracle recommends that Solaris customers apply this Critical Patch Update as soon as possible.


Finally, please note that this Critical Patch Update lists a fix for Oracle Linux.  Starting with this Critical Patch Update, security fixes in proprietary components of Oracle Linux will be listed in the Critical Patch Update advisory.    However, the security fixes for the code generated by the Linux community, as well as those for proprietary Oracle components will continue to be released through the El-errata documentation, in the same fashion as before.

For more information:

 

 

Thursday Sep 15, 2011

Security Alert for CVE-2011-3192 Released

Hi, this is Eric Maurice.

Oracle just released a Security Alert for CVE-2011-3192, also known as “Apache Killer.”  This vulnerability was recently discovered in the Apache HTTP Server and publicly disclosed.  It affects a number of Oracle products through their implementation of Apache, including Oracle Application Server and Oracle Fusion Middleware (a list of the affected products is provided in the Security Alert Advisory). 

The National Vulnerability Database has reported a CVSS Base Score for this vulnerability of 7.8 indicating a complete Operating System denial of service (DOS); however a complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete DOS of the Oracle HTTP Server but not the Operating System. 

This vulnerability allows a malicious attacker to hang the Oracle HTTP Server product via an easy-to-deploy, unauthenticated network attack.  Due to the criticality of this vulnerability and particularly its ease of exploitation, Oracle decided to release fixes for the affected and supported products as soon as the testing for these fixes was completed, before the release of the next scheduled Critical Patch Update on October 18th 2011. 

Oracle recommends that all affected customers apply the fixes provided by this Security Alert as soon as possible in order to maintain their “security in depth” posture, even if they have applied some of the workarounds that have been published on the Internet, as  Oracle has found that many of these workarounds can cause regression issues across the stack. 

This recommendation is also applicable to other vendors’ products which may contain this vulnerability as a result of their implementation of the Apache HTTP Server.  Organizations should quickly determine which of their systems is vulnerable, obtain the necessary patches from their respective suppliers, and plan to quickly apply these patches, especially in external facing systems.

For More Information:

Tuesday Jul 19, 2011

July 2011 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the July 2011 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities in a wide range of product families including: Oracle Database Server, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle Sun Products. 

Out of these 78 vulnerabilities, 13 affect Oracle Database Server, including one affecting Oracle Database Vault and 2 affecting client-only deployments.  The CVSS Base Scores for these Database Server vulnerabilities range between 1.3 and 7.1. 

This Critical Patch Update also provides fixes for 3 security flaws affecting Oracle Secure Backup.  The highest CVSS Base Score for the vulnerabilities affecting Secure Backup is 10.0.  Oracle Secure backup customers are therefore urged to apply this Critical Patch Update as soon as possible.

In addition, 7 fixes are provided for Oracle Fusion Middleware.  The highest CVSS Base Score for vulnerabilities affecting Oracle Fusion Middleware is 10.0.  This CVSS Base Score is related to previously released Java SE security fixes applicable to JRockit.  Note again that Java SE security fixes continue to be issued on a separate Critical Patch Update schedule (the schedule for the Critical Patch Updates for Java SE and all other Oracle products is posted at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

18 security fixes are provided for Oracle Enterprise Manager Grid Control.  The CVSS Base Scores for the Enterprise Manager Grid Control vulnerabilities fixed in this Critical Patch Update range between 4.3 and 6.8. 

23 new security fixes are provided for the Oracle Sun Product Suite, including Oracle OpenSSO, Solaris, Oracle GlassFish Server, etc.    The CVSS Base Scores for the Oracle Sun Product Suite vulnerabilities fixed in this Critical Patch Update range between 1.7 and 10.0. 

With the addition of the Sun products, Oracle Software Security Assurance programs extend to the software components of hardware products, including firmware.  Firmware and other hardware-related security fixes are included in the Critical Patch Updates.  But the application of Oracle Software Security Assurance by the former hardware divisions of Sun does not end with the Critical Patch Update and Security Alert programs! 

While, before the acquisition, there were differences between the security practices of the various hardware security groups at Sun (e.g. differences between Solaris, Development Tools, Volume Systems, Enterprise Systems, Disk Storage divisions, etc.), these security practices are now integrated under Oracle Software Security Assurance guidance.  For example, security release criteria (i.e. security items in the mandatory checklist before allowing a software product to become GA) are applied uniformly across all Hardware Systems divisions.  Also, the development teams across the Hardware Systems division have access to a broader set of security tool sets, including static analysis tools.  These changes will help further strengthen the security quality of the code produced by these groups. 

Oracle Software Security Assurance programs affect ALL Oracle products (and their respective development organizations) and help ensure consistency in coding practices, security reporting, etc. resulting in effective information sharing between Oracle groups.  This is particularly important because customers will reap security benefits when purchasing Oracle-engineered systems (e.g. Exadata, Exalogic, , etc.)  as opposed to getting multi-vendor bundles (or attempting to integrate complex systems from multiple vendor by themselves.)  For example, the existence of consistent and extended security checklists when bringing Oracle solutions together help ensure security integrity across the solution stack being offered to customers, as customers need not rely upon the consistency of multiple vendors’ security assurance programs. 

As always, Oracle recommends that customers review the risk matrices included in the Critical Patch Update Advisory to determine whether these fixes are relevant to them and, if so, determine the potential risk these vulnerabilities create in their environment, and ultimately determine their patching priority.  As a reminder, Oracle recently started to issue a plain-English version of the risk matrices to help customers who may not yet be familiar with CVSS get accustomed to the Standard.  In addition, a technical white paper is available on Oracle’s web site to help customers come up with a repeatable process to deal with security patches in their environment.

 

For more Information:

·         The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

·         More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

 

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« February 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
       
       
Today