Oracle Critical Patch Update Hits The Street With 37 Fixes

Nine of the vulnerabilities addressed in the patch can be exploited by an attacker remotely over a network without the need to have a valid username and password for authentication.
Oracle on Tuesday released its latest critical patch update, which includes 37 security patches covering the company's database, application server, and e-business suite, as well as PeopleSoft and JD Edwards products. Nine of the vulnerabilities addressed in this critical patch update were able to be exploited by an attacker remotely over a network, without the need for that attacker to have a valid username and password for authentication.

One of these remotely exploitable vulnerabilities affects Oracle database's core RDBMS, or relational database management system, for databases running on Windows. This vulnerability received the highest Common Vulnerability Scoring System, or CVSS, rating of any vulnerability addressed during Tuesday's patch download. The core RDBMS vulnerability's severity earned it a 7.0 base score, out of 10.0. No other vulnerability scored higher than 4.2.

Oracle last October began rating the significance of different vulnerabilities based on the CVSS standard, which was commissioned by the Homeland Security Department's National Infrastructure Advisory Council and is maintained by the Forum of Incident Response and Security Teams.

It's a good move on Oracle's part, but Oracle customers should know specifically what the rating means for them. For example, if a company isn't running their Oracle databases on Windows, they don't need to worry about the core RDBMS vulnerability, regardless of its CVSS rating.

Alexander Kornbrust, CEO of Red-Database-Security GmbH, a security research and consulting firm that closely watches Oracle, believes the vulnerability unveiled Tuesday related to authenticating users to Oracle databases is more significant to a larger number of end-user organizations. "Many companies are using the database logon trigger for security reasons, to check if a user is coming from a specific IP address or to verify when can connect to a database," he says. "If you can bypass this, it's a big security issue." This authentication vulnerability received a CVSS score of only 2.8.

Oracle began using the CVSS scoring system in part to address Oracle customers and security researchers who have criticized the company in the past for moving too slowly to patch vulnerabilities in its products, issuing too many patches at once, improperly testing patches, and making the patching process too complicated. The company maintains that many of these problems were rectified with the help of its customer security advisory council.

While CVSS values don't always agree with practical uses of Oracle's software, Kornbrust says Oracle did well in adding CVSS to its quarterly critical patch updates. "Even if CVSS isn't perfect, it's better than before," he adds.

Oracle's Global Incident Response Team has been part of the Forum of Incident Response and Security Teams since 2003. "It's an emerging standard and did a lot of things we wanted," says Darius Wiles, a senior manager of security alerts at Oracle. "Customers wanted a way of ranking the vulnerabilities to see which were most important." While CVSS ratings go as high as 10, the highest rating of any Oracle vulnerability during this update is 7.0. Oracle has never had a vulnerability exceed 7.0, Wiles adds.

Derived from a number of metrics and formulas, the CVSS model provides the end user with a composite score representing the severity and risk of a vulnerability. Factors include base metrics that measure the technical nature of a vulnerability (such as whether it's remotely exploitable), temporal metrics that measure the characteristics of a vulnerability over time (such as how long the vulnerability has existed and whether a patch is available), and environmental metrics that pertain to how a vulnerability might affect a particular user's IT environment (such as how many machines might be affected).

Tuesday's update fixes 13 bugs in the company's Oracle Database, 11 in the Oracle E-Business Suite, and five in the Oracle Application Server. Oracle included advance warning about the products that would be affected by the critical patch update as it did in January, when the company fixed 51 bugs, including 26 in its database software.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing