Oracle Issues Pile of 51 Security Patches
October 17th, 2007 by Pete
Oracle Issues Pile of 51 Security Patches - By Lisa Vaas
"Oracle releases a long list of patches and scores them in a manner that some say downplays the true risks.
Oracle on Oct. 16 released 51 security fixes, including 27 patches for the beating heart of so many enterprises: the Oracle database."
Interesting article by Lisa that confirms my suspicions here last night that the scores seem low for most of the reported fixes and particularly for the remotely exploitable bugs that do not require authentication.
October 17th, 2007 at 08:37 pm
Stephen Kost says:
The problem with the Oracle CVSS scores has everything to do with CVSS and not much to do with Oracle manipulating the scores. To achieve a high CVSS base metric, root access needs to be gained, which is difficult to do against a properly configured Oracle database. What is not taken into account with the score is that the entire database or application can be compromised. The CVSS focus is really on servers and routers rather than databases and applications. This is why Oracle uses the Partial+ rating. This has been an issue ever since Oracle began using CVSS. From a year ago, you can read my blog post on the topic --
http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss