There is a fine line between providing too much or too little detail in
security vulnerability reports.
Oracle users have been complaining for some time that they get too little
information, but that changed this week with Oracle’s final quarterly Critical Patch Update (CPU) of 2006, which fixes more than 100 flaws.
The October update represents the largest number of flaw fixes in all of
2006.
The last update in July had 65 bugs, April’s update had 36 and January’s update fixed 82 flaws.
Of the 101 security fixes in the October update, 56 could potentially be
remotely exploited without even a username or password. Oracle had not
previously disclosed in its CPUs how many flaws were remotely exploitable.
“While existing CPU risk matrices made it possible to assess whether a
specific vulnerability was remotely exploitable without requiring
authentication on the targeted system, Oracle is now going to specifically
identify this type of vulnerability,” Eric Maurice, Manager for Security in
Oracle’s Global Technology Business Unit, wrote on Oracle’s security blog.
“This enhancement to the documentation is designed to make it simpler for
customers to identify the most critical vulnerabilities addressed in a CPU.”
Oracle’s database products account for the largest number of security
fixes at 63, with Oracle Application Server reporting 14 flaws, E-Business
Suite 13 flaws, Oracle PeopleSoft Enterprise PeopleTools and Enterprise
Portal Solutions 8 flaws, and J.D. Edwards EnterpriseOne getting just one flaw
fix.
The October update also provides a greater degree of detail than its
predecessor by including a Common Vulnerability Scoring System (CVSS)
score for each flaw.
With CVSS, Oracle will compute a “Base Metric Group,” which is
intended to help Oracle users assess the risk to their own environment of a
specific vulnerability.
Ron Ben-Natan, CTO of Guardium, a Waltham, Mass., database security and
compliance company, gave the new CVSS reporting a thumbs up, noting that the
new format is definitely an improvement and easier for customers to use.
“Users like quantification, and they like one number,” Ben-Natan said.
The move to CVSS and the ability for enterprises to understand it isn’t
going to happen instantly.
“It will, however, take time for database administrators to get an intuitive
feel of the ‘minimal’ CVSS rating that requires immediate action,” Ben-Natan
explained.
“The risk matrix should still be reviewed, even for those
vulnerabilities that seem to have a lower score, because they may be
relevant in particular environments.”