
Oracle Issues Risk Matrix with Patch

Written By
Michael Singer
Jan 19, 2005

Oracle announced its first security patch for
2005, complete with a new threat assessment tool called Risk Matrix.

The download is the first update since Oracle changed to a quarterly patch cycle. In addition to January’s update, Oracle said it would still notify customers immediately through a separate
Security Alert if a newly uncovered threat is serious enough.

The first patch for the 2005 session is a cumulative update —
including all of last month’s Oracle Security Alert #68 fixes — and
contains fixes for multiple security vulnerabilities. The download also
contains non-security fixes that are required (because of
interdependencies) by those security fixes.

Unlike previous security advisories, Oracle embedded links to its
MetaLink patches within a PDF-based document.

The Critical Patch Update also debuts Oracle’s new Risk Matrix program. The software helps customers gauge the severity of any vulnerabilities discussed in the quarterly patch advisory. The grid
includes the access required to exploit the vulnerability and the
credentials and additional circumstances required to exploit the
vulnerability.

“If a network attack is possible, we will list the protocol used by
the attack,” Oracle said as part of its documentation.

The Risk Matrix is categorized by the risk to confidentiality (e.g.,
privacy), integrity (e.g., information modification), and availability
(e.g., service interruption), Oracle said.

Each category indicates how easily the vulnerability can be exploited
and the potential harm a successful attack can cause, with the most
serious vulnerabilities having the widest impact. The Matrix also covers
the range of versions impacted by any vulnerability — from the earliest
to the last patch-set for each supported release that is still affected
by the vulnerability.

“For example,” Oracle said, “a customer is using Oracle Database 10g
Release 1, version 10.1.0.2, and wishes to determine if they are
affected by the DB06 vulnerability. In the Oracle Database Server Risk
Matrix, the DB06 row shows ’10g’ in the Earliest Supported Release
Affected column, and ‘10.1.0.3.1 (10g)’ in the Last Affected Patch Set
column. This means that all supported versions of 10g up to and
including 10.1.0.3.1 are affected by the vulnerability. Therefore, this
customer is affected.”
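
The check Oracle walks through above, written out as an added Python example (not Oracle's tooling and not code from the article). The function names, the mapping of "10g" to the 10.1 version prefix, and the 10.1.0.4 sample version are assumptions made for illustration; it handles the single-release row quoted here.

```python
import re

# Assumption: release names map to a version prefix. The article only confirms
# that "10g Release 1" covers the 10.1.0.x versions.
RELEASE_PREFIX = {"10g": (10, 1)}

def parse_version(text):
    """Turn '10.1.0.3.1 (10g)' or '10.1.0.2' into a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(version, width):
    """Right-pad with zeros so 10.1.0.3 and 10.1.0.3.1 compare field by field."""
    return version + (0,) * (width - len(version))

def is_affected(installed, earliest_release, last_affected_patch_set):
    """True if installed lies between the earliest affected release and the
    last affected patch set, inclusive. Support status is not checked here."""
    inst = parse_version(installed)
    last = parse_version(last_affected_patch_set)
    width = max(len(inst), len(last))
    low = pad(RELEASE_PREFIX[earliest_release], width)
    return low <= pad(inst, width) <= pad(last, width)

def triage(inventory, row):
    """Return the hosts from a {host: version} inventory that a row affects."""
    return sorted(host for host, ver in inventory.items()
                  if is_affected(ver, row["earliest"], row["last"]))

# The DB06 row as quoted in the article.
DB06 = {"earliest": "10g", "last": "10.1.0.3.1 (10g)"}

# Constructed inventory: host names are made up; 10.1.0.4 is a hypothetical
# later patch set used to show the upper bound.
INVENTORY = {
    "db-a": "10.1.0.2",
    "db-b": "10.1.0.3.1",
    "db-c": "10.1.0.4",
    "db-d": "9.2.0.6",
}

if __name__ == "__main__":
    print(triage(INVENTORY, DB06))
```
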

Oracle said it will also indicate if recommended workarounds are
available, and if so, what they are.

Unless there is a major security risk, Oracle is planning similar
distributions in April, July and October.

“Well done to Mary Ann Davidson and her team for doing this and
improving the information available with the security advisory as
compared to previous advisories,” Pete Finnigan, an Oracle security
consultant, wrote in his blog Tuesday. “I also see that there are patches
for older versions and even de-supported versions which are supported
for particular products only.”

The patch covers a dozen systems including:

  • Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3
    and 10.1.0.3.1 (supported for Oracle Application Server only)
  • Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and
    9.2.0.6
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and
    9.0.4 (9.0.1.5 FIPS) (supported for Oracle Application Server only)
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for
    E-Business Suite only)
  • Oracle Application Server 10g Release 2 (10.1.2)
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Collaboration Suite Release 2, version 9.0.4.2
  • Oracle9i Application Server Release 2 and Oracle E-Business Suite
    and Applications Release 11i (11.5)
  • Oracle E-Business Suite and Applications Release 11.0
