Software // Information Management
News
4/17/2007
05:32 PM
Connect Directly
RSS
E-Mail
50%
50%

Oracle Critical Patch Update Hits The Street With 37 Fixes

Nine of the vulnerabilities addressed in the patch can be exploited by an attacker remotely over a network without the need to have a valid username and password for authentication.

Oracle on Tuesday released its latest critical patch update, which includes 37 security patches covering the company's database, application server, and e-business suite, as well as PeopleSoft and JD Edwards products. Nine of the vulnerabilities addressed in this critical patch update were able to be exploited by an attacker remotely over a network, without the need for that attacker to have a valid username and password for authentication.

One of these remotely exploitable vulnerabilities affects Oracle database's core RDBMS, or relational database management system, for databases running on Windows. This vulnerability received the highest Common Vulnerability Scoring System, or CVSS, rating of any vulnerability addressed during Tuesday's patch download. The core RDBMS vulnerability's severity earned it a 7.0 base score, out of 10.0. No other vulnerability scored higher than 4.2.

Oracle last October began rating the significance of different vulnerabilities based on the CVSS standard, which was commissioned by the Homeland Security Department's National Infrastructure Advisory Council and is maintained by the Forum of Incident Response and Security Teams.

It's a good move on Oracle's part, but Oracle customers should know specifically what the rating means for them. For example, if a company isn't running their Oracle databases on Windows, they don't need to worry about the core RDBMS vulnerability, regardless of its CVSS rating.

Alexander Kornbrust, CEO of Red-Database-Security GmbH, a security research and consulting firm that closely watches Oracle, believes the vulnerability unveiled Tuesday related to authenticating users to Oracle databases is more significant to a larger number of end-user organizations. "Many companies are using the database logon trigger for security reasons, to check if a user is coming from a specific IP address or to verify when can connect to a database," he says. "If you can bypass this, it's a big security issue." This authentication vulnerability received a CVSS score of only 2.8.

Oracle began using the CVSS scoring system in part to address Oracle customers and security researchers who have criticized the company in the past for moving too slowly to patch vulnerabilities in its products, issuing too many patches at once, improperly testing patches, and making the patching process too complicated. The company maintains that many of these problems were rectified with the help of its customer security advisory council.

While CVSS values don't always agree with practical uses of Oracle's software, Kornbrust says Oracle did well in adding CVSS to its quarterly critical patch updates. "Even if CVSS isn't perfect, it's better than before," he adds.

Oracle's Global Incident Response Team has been part of the Forum of Incident Response and Security Teams since 2003. "It's an emerging standard and did a lot of things we wanted," says Darius Wiles, a senior manager of security alerts at Oracle. "Customers wanted a way of ranking the vulnerabilities to see which were most important." While CVSS ratings go as high as 10, the highest rating of any Oracle vulnerability during this update is 7.0. Oracle has never had a vulnerability exceed 7.0, Wiles adds.

Derived from a number of metrics and formulas, the CVSS model provides the end user with a composite score representing the severity and risk of a vulnerability. Factors include base metrics that measure the technical nature of a vulnerability (such as whether it's remotely exploitable), temporal metrics that measure the characteristics of a vulnerability over time (such as how long the vulnerability has existed and whether a patch is available), and environmental metrics that pertain to how a vulnerability might affect a particular user's IT environment (such as how many machines might be affected).

Tuesday's update fixes 13 bugs in the company's Oracle Database, 11 in the Oracle E-Business Suite, and five in the Oracle Application Server. Oracle included advance warning about the products that would be affected by the critical patch update as it did in January, when the company fixed 51 bugs, including 26 in its database software.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.