Friday Jul 20, 2012

Use of the Common Vulnerability Reporting Format (CVRF) for Oracle’s Security Advisories

Hi, this is Reshma Banerjee. I am a member of the Security Alerts group within the Global Product Security Team at Oracle. My primary responsibilities include working with security researchers on the vulnerabilities they report to Oracle and engaging with the various engineering organizations at Oracle to ensure timely delivery of security fixes in the Critical Patch Updates and Security Alerts.

As announced in a previous blog entry, starting with the July 2012 Critical Patch Update, Oracle will be producing the security advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. Of course, Oracle will also continue to produce its Security Alert and Critical Patch Update advisories using the existing format. (As a reminder, all Security Alert and Critical Patch Update Advisories are published at

The Common Vulnerability Reporting Framework is an XML-based standard that enables sharing of vulnerability information in a machine-readable format. Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF), this format was then developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum which enables industry collaboration for the development of security solutions and practices to address global security challenges. Oracle is a member of ICASI.

CVRF is a good example of a useful work product that can come out of such a pragmatic forum of security-dedicated organizations. It provides an XML format that may be used by any vendor to publish relevant information pertaining to vulnerabilities. Among other useful information, this includes a CVE number to identify each vulnerability, a CVSS score to rate its relative severity, the affected products and versions, and mitigation instructions. We believe that CVRF will help customers with diverse IT environments be more efficient in assessing and processing security vulnerability advisories from different IT vendors. Having been personally involved with CVRF since the summer of 2009, I believe CVRF provides two key benefits:

(1) It provides a consistent way to depict security information thus simplifying the interpretation of the advisories, and

(2) It provides a machine-readable format for the interpretation of security advisories, thus allowing automation (and integration of the advisories in, for example, vulnerability scanning tools).

In the absence of a common security advisory format, IT industry vendors publish their security advisories and bulletins using their own proprietary formats. Most organizations have to contend with a heterogeneous IT infrastructure and therefore need to deal with multiple vendors. Consequently, security-conscious organizations need to interpret security advisories from multiple vendors. While security advisories from the various IT vendors may include similar information, the differences in format and terminology cause, at best, customers to waste a lot of time interpreting security advisories, and at worst, these differences create confusion and errors as a result of the different terminology being used. To a large extent, this problem is similar to the one that existed prior to the wide adoption of the Common Vulnerabilities and Exposures number (CVE #) for the identification of individual vulnerabilities.

As IT vendors adopt CVRF, and use it in their security advisories and bulletins, it will become much easier for customers to interpret relevant security information. In addition, customers will be able to more easily write their own automation tools to get the pertinent information from the various advisories without having to cope with multiple formats. Customers will also be able to write tools to automate the action to be taken if they find information in the advisories that affects them. Oracle plans to continue contributing to the CVRF working group and providing CVRF advisories with future Critical Patch Updates and Security Alerts.
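As an added illustration of the machine-readable parsing and customer-side automation described above (this is example code written for this page, not Oracle's or ICASI's), here is a small Python reader for a constructed CVRF 1.1 advisory: it resolves ProductIDs through the ProductTree, pulls the CVE, CVSS Base Score and remediation text for each Vulnerability, and then flags the entries that touch a local product inventory or exceed a severity floor. The namespace URIs and element layout are assumed from the ICASI CVRF 1.1 schema; every product name, ProductID and CVE id in the sample is a placeholder.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespace URIs (assumed from the ICASI CVRF 1.1 schema).
NS = {"cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
      "prod": "http://www.icasi.org/CVRF/schema/prod/1.1"}

# Constructed sample advisory: product names, ProductIDs and CVE ids are placeholders, not real.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
    xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
    xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Vendor Patch Update (constructed sample)</DocumentTitle>
  <prod:ProductTree>
    <prod:FullProductName ProductID="P-1">Example Database 11.2</prod:FullProductName>
    <prod:FullProductName ProductID="P-2">Example Middleware 10.3</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected"><vuln:ProductID>P-1</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>5.0</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix"><vuln:Description>Apply patch set A</vuln:Description></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected"><vuln:ProductID>P-2</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>10.0</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix"><vuln:Description>Apply patch set B</vuln:Description></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>"""

def parse_cvrf(xml_text):
    """Return one dict per Vulnerability, with ProductIDs resolved to product names."""
    root = ET.fromstring(xml_text)
    names = {p.get("ProductID"): p.text
             for p in root.iterfind(".//prod:FullProductName", NS)}
    out = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore",
                           default="0", namespaces=NS)
        affected = [names.get(pid.text, pid.text) for pid in v.iterfind(
            "vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)]
        fix = v.findtext("vuln:Remediations/vuln:Remediation/vuln:Description",
                         default="", namespaces=NS)
        out.append({"cve": v.findtext("vuln:CVE", namespaces=NS),
                    "base_score": float(score), "affected": affected, "fix": fix})
    return out

def triage(entries, inventory, min_score=7.0):
    """Keep entries that hit a product in the local inventory or reach the CVSS floor."""
    return [e for e in entries if set(e["affected"]) & inventory or e["base_score"] >= min_score]
```

Feeding a real vendor advisory into `parse_cvrf` and your asset list into `triage` is the kind of tool the post anticipates customers writing once advisories share one format.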

For more information:

ICASI’s web site is located at

More information on CVRF 1.1 is located at

Tuesday Jul 17, 2012

July 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle has just released the July 2012 Critical Patch Update.  This Critical Patch Update delivers a total of 87 new fixes across a number of product families including: Oracle Database, Oracle Application Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and the Oracle Sun product suites.

For the first time, in addition to the usual advisories, Oracle is producing the Critical Patch Update advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1.  CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion.  This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member.  In a future blog post, we will discuss CVRF in more detail, particularly to highlight its benefit as a means to enable the sharing of vulnerability-related information in a way that can be interpreted by a wide range of systems.

Out of these 87 new security fixes, 4 are for the Oracle Database. The highest CVSS Base Score for these database vulnerabilities is 5.0. 3 of these 4 vulnerabilities are remotely exploitable without authentication; however, 2 of these vulnerabilities affect the Database on the Windows platform only.

In addition, this Critical Patch Update includes 1 fix for the Oracle Application Express Listener, 2 new fixes for Oracle Secure Backup, and 1 new fix for Oracle Enterprise Manager. 

With this Critical Patch Update, Oracle Fusion Middleware receives 22 new fixes.  The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0, but this score affects a series of Java Runtime Environment issues in JRockit.  These Java SE fixes were previously released in the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update also includes a new security fix for Oracle Hyperion.

This Critical Patch Update provides the following applications security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel CRM, and 1 for Oracle Life Sciences.

Finally, the Oracle Sun product suites receive 24 new security fixes, and MySQL gets 6 new security fixes. The highest CVSS Base Score for the Sun product suites vulnerabilities is 7.8.

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  This is particularly important as our experience has shown that potentially malicious hackers comb through vendors’ advisories and often attempt to reverse-engineer the fixes contained in them to develop new exploits. 

Customers seeking recommendations for applying the Critical Patch Update should refer to the “Recommendations for leveraging the Critical Patch Update and maintaining a proper security posture” white paper available on Oracle’s web site.  In addition, customers are encouraged to take advantage of the broad range of resources, tools, and best practices available on My Oracle Support.

For more information:

· The Oracle Software Security Assurance web site is located at

· The July 2012 Critical Patch Update Advisory is located at

· Information about Oracle Support resources, tools, and best practices is available at
