October 2007 Critical Patch Update Released
By Eric P. Maurice-Oracle on Oct 16, 2007
Hello, this is Eric Maurice again!
Oracle today released the October 2007 Critical Patch Update (CPUOct2007). This Critical Patch Update (CPU) addresses a total of 51 vulnerabilities affecting Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of these vulnerabilities affect various components of Oracle Database Server, including optional components such as Oracle Database Vault and Oracle Internet Directory. None of the Oracle Database Server fixes require patching the database client-only installations. This Critical Patch Update also includes fixes for eleven Oracle Application Server vulnerabilities, and none of these fixes are for client-only installations.
This Critical Patch Update also marks the adoption of version 2.0 of the Common Vulnerability Scoring System (CVSS). FIRST (Forum of Incident Response and Security Teams) published CVSS 2.0 on June 20, 2007, too late for its adoption by Oracle for the July 2007 CPU. However, today�s transition to CVSS 2.0, and the early adoption of CVSS by Oracle a year ago, is an evidence of the dedication of Oracle to adopting customer-centric practices for vulnerability remediation and disclosure. It is worthwhile to reiterate again that CVSS provides a standard-based approach for assessing the criticality of vulnerabilities. In other words, CVSS assists customers to understand the significance of a given vulnerability in their environment, and assess the priority that should be given to patching that specific vulnerability against production requirements.
The new version of the CVSS standard is designed to address the criticism that CVSS scores tended to be clustered around few score values. With CVSS 2.0, a number of new distinctions are introduced that result in further spreading the typical range of the CVSS �base score� and making the standard more representative of real world vulnerabilities. For example, the �access vector� in CVSS 1.0 had the distinction between �local� and �remote�. With CVSS 2.0, �access vector� can either be network (typically reported as �remotely exploitable�, instances where �the vulnerable software is bound to the network stack and the attacker does not require local network access or local access�), adjacent network (typically the attacker needs access to the same subnet as the targeted system, instances �where the attacker needs to have access to either the broadcast or collision domain of the vulnerable software�), or local (the attacker has �either physical access to the system or a local shell account�). For more information, the Guide to the Common Vulnerability Scoring System version 2.0 is available online, and it includes the scoring formulas set forth by the standard. In addition, the National Institute of Standards and Technology (NIST) maintains a CVSS version 2.0 scoring calculator online.
The enhancements to the CVSS standard make it nearly impossible to provide rules of thumb for deriving CVSS 1.0 from CVSS 2.0 scores. So, in order to help customers transition to the new version of the standard, and to allow them to become more familiar with the new scoring scheme, Oracle has also published MetaLink note 458015.1 (subscription to MetaLink required) that lists the vulnerability Risk Matrices as if they were computed using the CVSS 1.0 scheme. Note however that as a result of using CVSS 2.0 in the October CPU nearly all of the base score values are greater than under CVSS 1.0 (49 of 51 vulnerabilities). Also, the average base score has increased from 2.5 using the CVSS 1.0 standard to 4.8 using the CVSS 2.0 Standard.
The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts. Oracle MetaLink Note 394487.1 (subscription to MetaLink required) explains Oracle's implementation of the CVSS standard. The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources, including the technical white paper: Oracle OnDemand Best Practices for the Critical Patch Update.