Changes Introduced With October 17th Critical Patch Update
By Darius Wiles on Oct 11, 2006
This is Eric Maurice again! Today, I would like to provide you
with an overview of the changes we will be introducing in the
documentation of the Critical
Patch Update (CPU), a strategic component of Oracle
Software Security Assurance.
- One of the key challenges security professionals face when they
receive a vendor-issued security patch is to assess the criticality
of the underlying vulnerability. This assessment is critical when
deciding the priority and timing of the patch in light of the risk
created by the vulnerability and the organization's business
- Oracle has provided internally developed risk matrices in the
Critical Patch Update Documentation to assist customers in this
assessment. The risk matrices include a set of "risk" columns,
which provide information about the severity of the threat the
vulnerability poses to the affected application (and the resulting
impact on confidentiality, integrity and availability of data). For
each type of CIA threat associated with a specific vulnerability,
Oracle has also commented on the relative difficulty of exploitation
and the potential impact if the vulnerability was successfully
note 293956.1 provides a glossary of the terms used
in the past risk matrices.
- With the October 17th Critical Patch Update, Oracle
will introduce three major enhancements in its CPU documentation:
  - Oracle is adopting the Common Vulnerability Scoring System (CVSS).
  - Oracle will specifically identify those critical vulnerabilities
that may be remotely exploitable without requiring authentication to
the targeted system.
  - Oracle will provide an executive summary of the security
vulnerabilities addressed in the CPU.
- CVSS is an emerging standard designed to provide a methodology
for scoring vulnerabilities based on their criticality in a specific
environment. Starting with the next CPU, Oracle will compute the "Base
Metric Group" of CVSS to help clients and security
professionals assess the risk associated with specific Oracle
vulnerabilities in their own environment. A complete
CVSS guide, which details the various components of
the CVSS scoring system, is available online on the Forum
of Incident Response and Security Teams (FIRST), an
independent non-profit organization that hosts the CVSS program.
- While existing CPU risk matrices made it possible to assess
whether a specific vulnerability was remotely exploitable without
requiring authentication on the targeted system, Oracle is now going
to specifically identify this type of vulnerability. This
enhancement to the documentation is designed to make it simpler for
customers to identify the most critical vulnerabilities addressed in
- In addition, Oracle will provide an executive summary with a
high-level synopsis of the security defects in each product
addressed by the CPU. This executive summary will provide a "plain
English" explanation of the vulnerabilities addressed in the CPU.
The summary may be used to brief executive management and other
non-IT groups on the nature of the defects to be patched. This
enhancement is designed to help organizations assess their
preparedness for the upcoming CPU.
- Oracle introduced these changes as the result of feedback we
received from many of our customers. The template of the new
documentation received positive feedback, and we hope that these
changes will help our customers assess the criticality of the
vulnerabilities resolved with each CPU and help them obtain patching
decisions from their senior management more quickly. Ultimately,
we feel these changes should result in further strengthening the
security posture of our clients by providing a standard approach to
vulnerability scoring and a means for better internal communication.