Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "October 2007 Critical Patch Update (CPU) is out"] [Next entry: "Oracle plugs critical database, application flaws"]

Oracle Issues Pile of 51 Security Patches



Oracle Issues Pile of 51 Security Patches - By Lisa Vaas

"Oracle releases a long list of patches and scores them in a manner that some say downplays the true risks.

Oracle on Oct. 16 released 51 security fixes, including 27 patches for the beating heart of so many enterprises: the Oracle database."


Interesting article by Lisa that confirms my suspicions here last night that the scores seem low for most of the reported fixes and particularly for the remotely exploitable bugs that do not require authentication.




There has been 2 Comments posted on this article


October 17th, 2007 at 08:37 pm

Pete Finnigan says:

The problem with the Oracle CVSS scores has everything to do with CVSS and not much about Oracle manipulating the scores. To achieve a high CVSS base metric, root access needs to be gained, which is difficult to do against a properly configured Oracle database. What is not taken into account with the score is that the entire database or application can be compromised. The CVSS focus is really on servers and routers rather than databases and applications. This is why Oracle uses the Partial+ rating. This has been an issue ever since Oracle began using CVSS. From a year-ago, you can read my blog post on the topic --

http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss



October 18th, 2007 at 08:59 am

Pete Finnigan says:

Hi Steve,

Thanks for your comment. I was not meaning to suggest that Oracle manipulated the scores i was making a dig at the method used, perhaps I shoulod have explained better. Thanks for the link to your blog entry, its interesting. In the case of Oracle using CVSS its a case of the customers being fully aware of what the realistic maximums are and what they mean. The issue for me is that for some thief to steal say credit card data is a full compromise of the business and root access is not needed. Customres of Oracle need to understand that a lower score is in their case a full compromise.

thanks again for the link

cheers

Pete