Oracle Issues Risk Matrix with Patch
Oracle announced its first security patch for 2005, complete with a new threat assessment tool called Risk Matrix. The download is the first update since Oracle changed to a quarterly patch cycle. In addition to January's update, Oracle said it would still immediately notify customers through a separate
Security Alert if any uncovered threats are great enough.
The first patch for the 2005 session is a cumulative update --
including all of last month's Oracle Security Alert #68 fixes -- and
contains fixes for multiple security vulnerabilities. The download also
contains non-security fixes that are required (because of
interdependencies) by those security fixes.
The Critical Patch Update also debuts Oracle's new Risk Matrix program, which helps customers gauge the severity of any vulnerabilities discussed in the quarterly patch advisory. The grid
lists the access required to exploit each vulnerability and the
credentials and additional circumstances required to exploit it.
"If a network attack is possible, we will list the protocol used by
the attack," Oracle said as part of its documentation.
The Risk Matrix is categorized by the risk to confidentiality (e.g.,
privacy), integrity (e.g., information modification), and availability
(e.g., service interruption), Oracle said.
Each category indicates how easily the vulnerability can be exploited
and the potential harm a successful attack can cause, with the most
serious vulnerabilities having the widest impact. The Matrix also covers
the range of versions impacted by any vulnerability -- from the earliest
to the last patch-set for each supported release that is still affected
by the vulnerability.
"For example," Oracle said, "a customer is using Oracle Database 10g
Release 1, version 10.1.0.2, and wishes to determine if they are
affected by the DB06 vulnerability. In the Oracle Database Server Risk
Matrix, the DB06 row shows '10g' in the Earliest Supported Release
Affected column, and '10.1.0.3.1 (10g)' in the Last Affected Patch Set
column. This means that all supported versions of 10g up to and
including 10.1.0.3.1 are affected by the vulnerability. Therefore, this
customer is affected."
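As an added illustration (not from the article or from Oracle), the check the DB06 example walks through can be written as a small Python function: the matrix row values are the ones quoted above, and the other customer versions are constructed inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskMatrixRow:
    """One row of the Oracle Risk Matrix, as described in the advisory."""
    vuln_id: str
    earliest_supported_release: str   # e.g. "10g"
    last_affected_patch_set: str      # e.g. "10.1.0.3.1"


def parse_version(version: str) -> tuple:
    """'10.1.0.3.1' -> (10, 1, 0, 3, 1); tuples compare component-wise,
    so a shorter prefix such as 10.1.0.3 sorts before 10.1.0.3.1."""
    return tuple(int(part) for part in version.strip().split("."))


def release_major(release: str) -> int:
    """'10g' -> 10, '9i' -> 9: the numeric part of an Oracle release name."""
    return int("".join(ch for ch in release if ch.isdigit()))


def assess(row: RiskMatrixRow, customer_version: str) -> str:
    """Classify a customer's version against a matrix row.

    'affected'     - within the range from the earliest supported release
                     up to and including the last affected patch set
    'not affected' - newer than the last affected patch set
    'not covered'  - older than the earliest supported release, so the
                     matrix says nothing about it (de-supported release)
    """
    version = parse_version(customer_version)
    if version[0] < release_major(row.earliest_supported_release):
        return "not covered"
    if version <= parse_version(row.last_affected_patch_set):
        return "affected"
    return "not affected"


# Row values taken from the DB06 example quoted in the article.
DB06 = RiskMatrixRow("DB06", "10g", "10.1.0.3.1")

if __name__ == "__main__":
    for v in ("10.1.0.2", "10.1.0.3.1", "10.1.0.4", "9.2.0.6"):  # constructed
        print(f"DB06 vs {v}: {assess(DB06, v)}")
```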
Oracle said it will also indicate if recommended workarounds are
available, and if so, what they are.
Unless there is a major security risk, Oracle is planning similar
distributions in April, July and October.
"Well done to Mary Ann Davidson and her team for doing this and
improving the information available with the security advisory as
compared to previous advisories," Pete Finnigan, an Oracle security
consultant, wrote in his blog Tuesday. "I also see that there are patches
for older versions and even de-supported versions which are supported
for particular products only."
The patch covers a dozen systems including: