With the July 2023 Critical Patch Update, Oracle introduced another enhancement in the format of its security advisories.  Oracle will now provide Vulnerability Exploitability Exchange (VEX) justifications in the Critical Patch Update advisories to further help organizations prioritize their security patching effort.

Critical Patch Update advisories are used to disclose the existence of security vulnerabilities in existing on-premises products and provide related security patch information.  Oracle’s primary goal with these security advisories is to help customers quickly and accurately determine the applicability of Critical Patch Update releases to their environment.  Additionally, the information contained in the security advisories is critical to helping customers make educated patching decisions.

In July 2012, in addition to publishing traditional Critical Patch Update advisories in English, Oracle started publishing security advisories in the Common Vulnerability Reporting Format (CVRF).  CVRF was an XML interchange format that was developed by the Industry Consortium for Advancement of Security on the Internet (ICASI) to provide a standard machine-readable format for security advisories.  Producing advisories in machine-readable format enables more security automation as inventory and scanning tools can be fed up-to-date vulnerability information.  This in turn helps organizations more quickly identify potentially vulnerable systems and undertake patching efforts.

ICASI transferred CVRF to OASIS in November 2016 and the CSAF Technical Committee within OASIS was chartered to make a major revision to CVRF.  This revision resulted in the Common Security Advisory Framework (CSAF), a JSON interchange format.

In the same way Oracle participated in the definition of the various versions of the Common Vulnerability Scoring Standard (CVSS), Oracle was an active participant in the definition of the CVRF and CSAF standards.  In April 2022, in addition to English and CVRF (XML) advisories, Oracle started publishing Critical Patch Update advisories in the CSAF (JSON) format. 

The most recent CSAF standard is the CSAF 2.0 standard.  It was introduced in November 2022 and is published at https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html.  This version introduced a number of significant enhancements, among which was the ability to include Vulnerability Exploitability Exchange (VEX) information.  VEX can be used to assert whether specific vulnerabilities (identified by their CVE identifiers) are exploitable (or not) in the context of a given product distribution.  This information is particularly valuable because many commercial products contain open-source components.  However, the inclusion of a given open-source component with a known vulnerability in a product distribution doesn’t necessarily mean that this vulnerability is exploitable in the context of the product distribution in which the vulnerable open-source component is included.  The Cybersecurity & Infrastructure Security Agency (CISA) is a proponent of VEX and has published a document “Vulnerability Exploitability eXchange (VEX) – Status Justifications” explaining the benefits of VEX and related guidance. 

When reporting that a given CVE is not exploitable in a given product distribution, VEX provides the justification for such an assessment by reporting one of the following:

  • Component_not_present
  • Vulnerable_code_not_present
  • Vulnerable_code_not_in_execute_path
  • Vulnerable_code_cannot_be_controlled_by_adversary
  • Inline_mitigations_already_exist

Starting with the July 2023 Critical Patch Update, Oracle will also publish VEX justifications for third-party vulnerabilities (identified by their CVEs) that are not exploitable in the context of their respective product distributions. VEX justifications will be published in plain English in the traditional advisories and in the CSAF machine-readable format. 

The inclusion of VEX in Critical Patch Update advisories is a significant benefit to customers.  This is because Critical Patch Update releases have historically contained a growing number of updates for non-Oracle code (i.e., open-source components).  For example, 449 of the 508 security patches provided by the July 2023 Critical Patch Update (about 88%) were for non-Oracle CVEs.  And while a significant number of non-Oracle CVEs are generally severe or critical (312 of the 449 non-Oracle CVEs addressed in the July 2023 Critical Patch Update are high or critical vulnerabilities, that is, vulnerabilities with a CVSS Base Score of 7.0 and above), Critical Patch Updates also include security updates for non-Oracle CVEs that are not exploitable in the context of a given Oracle product distribution.  Providing the VEX information will allow customers to authoritatively determine that, while a third-party component with a known vulnerability is present in a certain Oracle product distribution, that vulnerability is not exploitable in the context of the product, and as a result no immediate patching or other remediation activities are required.  In other words, VEX information will help organizations focus their effort on exploitable issues, rather than waste resources on patching issues that do not create a risk for them.  It also helps address the shortcomings of many scanning tools, which can determine the presence of a component with a known vulnerability but cannot determine whether that vulnerability is exploitable as used in the scanned environment.
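To show how the machine-readable VEX justifications described above can be consumed by an inventory or scanning tool, here is an added example (not code from the original post or from Oracle) that reads a constructed, minimal CSAF 2.0-shaped document: it looks up each CVE's `product_status` for one product and pairs a `known_not_affected` entry with the justification label in `vulnerabilities[].flags[]`, keeping only the CVEs that still need attention. The product and CVE identifiers are placeholders, and only the CSAF fields the code uses are included.

```python
import json

# Justification labels CSAF 2.0 defines for vulnerabilities[].flags[].label
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed CSAF-shaped fragment (placeholder ids, not a real advisory)
SAMPLE_CSAF = json.dumps({
    "product_tree": {"full_product_names": [
        {"product_id": "PROD-A", "name": "Example Product A 1.0"},
        {"product_id": "PROD-B", "name": "Example Product B 2.0"}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["PROD-A"],
                            "known_not_affected": ["PROD-B"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path",
                    "product_ids": ["PROD-B"]}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_not_affected": ["PROD-A", "PROD-B"]},
         # PROD-B is listed as not affected but carries no justification
         "flags": [{"label": "component_not_present",
                    "product_ids": ["PROD-A"]}]},
    ],
})


def vex_status(csaf_json, product_id):
    """Return {cve: (status, justification or None)} for one product id."""
    doc = json.loads(csaf_json)
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        for status, ids in vuln.get("product_status", {}).items():
            if product_id not in ids:
                continue
            justification = None
            for flag in vuln.get("flags", []):
                if (product_id in flag.get("product_ids", [])
                        and flag.get("label") in VEX_JUSTIFICATIONS):
                    justification = flag["label"]
            result[vuln["cve"]] = (status, justification)
    return result


def needs_action(csaf_json, product_id):
    """CVEs a scanner should keep: affected, fixed, under investigation,
    or marked not affected without a VEX justification to back it."""
    return sorted(cve for cve, (status, just) in vex_status(csaf_json, product_id).items()
                  if status != "known_not_affected" or just is None)
```

A `known_not_affected` entry with no matching justification is deliberately kept in the action list, so an incomplete VEX assertion is surfaced rather than silently suppressing a finding.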

Additionally, as Software Bills of Material (SBOMs) are likely to be more prevalent in the near future, in large part because of the effort initially led by the National Telecommunications and Information Administration (NTIA), the inclusion of VEX in SBOMs will help prevent undue pressure to fix non-exploitable issues.  

For more information:

The Critical Patch Update program is described at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

Critical Patch Update advisories are published on the Critical Patch Updates, Security Alerts and Bulletins page located at https://www.oracle.com/security-alerts/.

Oracle’s use of CSAF and VEX is explained at https://www.oracle.com/security-alerts/cpufaq.html.