RealTime IT News

Oracle Issues Risk Matrix with Patch

Oracle announced its first security patch for 2005, complete with a new threat assessment tool called Risk Matrix.

The download is the first update since Oracle changed to a quarterly patch cycle. In addition to January's update, Oracle said it would still immediately notify customers through a separate Security Alert if any uncovered threats are great enough.

The first patch of 2005 is a cumulative update -- including all of last month's Oracle Security Alert #68 fixes -- and contains fixes for multiple security vulnerabilities. The download also contains non-security fixes that the security fixes require because of interdependencies.

Unlike previous security advisories, Oracle embedded links to its MetaLink patches within a PDF-based document.

The Critical Patch Update also debuts Oracle's new Risk Matrix program. The software helps customers gauge the severity of any vulnerabilities discussed in the quarterly patch advisory. The grid includes the access required to exploit the vulnerability and the credentials and additional circumstances required to exploit the vulnerability.

"If a network attack is possible, we will list the protocol used by the attack," Oracle said as part of its documentation.

The Risk Matrix is categorized by the risk to confidentiality (e.g., privacy), integrity (e.g., information modification), and availability (e.g., service interruption), Oracle said.

Each category indicates how easily the vulnerability can be exploited and the potential harm a successful attack can cause, with the most serious vulnerabilities having the widest impact. The Matrix also covers the range of versions impacted by any vulnerability -- from the earliest to the last patch-set for each supported release that is still affected by the vulnerability.

"For example," Oracle said, "a customer is using Oracle Database 10g Release 1, version 10.1.0.2, and wishes to determine if they are affected by the DB06 vulnerability. In the Oracle Database Server Risk Matrix, the DB06 row shows '10g' in the Earliest Supported Release Affected column, and '10.1.0.3.1 (10g)' in the Last Affected Patch Set column. This means that all supported versions of 10g up to and including 10.1.0.3.1 are affected by the vulnerability. Therefore, this customer is affected."
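The affected-range check Oracle walks through above, as an added example that is not part of the original article or of Oracle's own tooling: it parses dotted Oracle version strings, treats a release label such as '10g' as its major number (an assumption), and reports whether an installed version falls between the Earliest Supported Release Affected and the Last Affected Patch Set of a matrix row. The single DB06 row is constructed from the quote; a real advisory has many rows.

```python
"""Check an installed Oracle version against a Risk Matrix row."""
from typing import Dict, List, Tuple

# Constructed from the example quoted in the article: row id ->
# (Earliest Supported Release Affected, Last Affected Patch Set).
RISK_MATRIX: Dict[str, Tuple[str, str]] = {
    "DB06": ("10g", "10.1.0.3.1 (10g)"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.1.0.3.1', '10.1.0.3.1 (10g)' or '9.0.1.5 FIPS' into an int tuple.

    Assumption: a bare release label like '10g' means major version 10.
    A parenthesised release label is dropped; other letters are ignored.
    """
    core = version.split("(")[0]
    digits = "".join(ch for ch in core if ch.isdigit() or ch == ".")
    return tuple(int(part) for part in digits.split(".") if part)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '10' compares as '10.0.0.0.0'."""
    return v + (0,) * (width - len(v))


def is_affected(installed: str, earliest: str, last_patch_set: str) -> bool:
    """True when earliest <= installed <= last_patch_set, component-wise."""
    inst, lo, hi = (parse_version(s) for s in (installed, earliest, last_patch_set))
    width = max(len(inst), len(lo), len(hi))
    return _pad(lo, width) <= _pad(inst, width) <= _pad(hi, width)


def affected_rows(installed: str, matrix: Dict[str, Tuple[str, str]] = RISK_MATRIX) -> List[str]:
    """Row ids of every matrix entry whose range covers the installed version."""
    return [row for row, (lo, hi) in matrix.items() if is_affected(installed, lo, hi)]


if __name__ == "__main__":
    # The customer from the article runs 10.1.0.2 and is affected by DB06.
    print("10.1.0.2 ->", affected_rows("10.1.0.2"))
    # A later patch set or an older release line is outside the DB06 range.
    print("10.1.0.4 ->", affected_rows("10.1.0.4"))
    print("9.2.0.6  ->", affected_rows("9.2.0.6"))
```

The same range test works for the other product rows once their two columns are copied from the advisory; patch-set strings with a trailing qualifier (the "9.0.1.5 FIPS" entry below) parse the same way.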

Oracle said it will also indicate if recommended workarounds are available, and if so, what they are.

Unless there is a major security risk, Oracle is planning similar distributions in April, July and October.

"Well done to Mary Ann Davidson and her team for doing this and improving the information available with the security advisory as compared to previous advisories," Pete Finnigan, an Oracle security consultant, wrote in his blog Tuesday. "I also see that there are patches for older versions and even de-supported versions which are supported for particular products only."

The patch covers a dozen systems including:

  • Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1 (supported for Oracle Application Server only)
  • Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS) (supported for Oracle Application Server only)
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for E-Business Suite only)
  • Oracle Application Server 10g Release 2 (10.1.2)
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Collaboration Suite Release 2, version 9.0.4.2
  • Oracle9i Application Server Release 2 and Oracle E-Business Suite and Applications Release 11i (11.5)
  • Oracle E-Business Suite and Applications Release 11.0