Oracle Patches 51, Updates Vulnerability-Scoring System

Oracle’s October Critical Patch Update (CPU) addresses 51 vulnerabilities spread across the company’s product portfolio, a marked improvement over last October’s update. The quarterly release also introduces an update to the system it uses to score the severity of vulnerabilities.

Oracle’s namesake database products, which have 27 disclosed vulnerabilities, get the majority of the 51 fixes. According to Oracle’s advisory, seven of the database vulnerabilities may be remotely exploitable without authentication.

Oracle Application Server gets 11 fixes, seven of which address flaws that are remotely exploitable without authentication. There are eight security fixes for the Oracle E-Business Suite, one of which is remotely exploitable without authentication. Oracle Collaboration Suite gets seven fixes. Oracle PeopleSoft Enterprise PeopleTools gets two security fixes, and there is one new security fix for PeopleSoft Enterprise Human Capital Management.

The 51 flaws addressed in this month’s update continue the decline in reported vulnerabilities: the July update fixed 65, and last October’s update fixed 100. That update also marked the first time Oracle disclosed how many flaws were remotely exploitable without authentication. Those flaws are among the most dangerous because they are reachable by any attacker who can get network access to the service, and so are more easily exploited than flaws that first require local access or some form of authentication.

This year’s update also adopts version 2 of the Common Vulnerability Scoring System (CVSS), a standard set of base metrics used to score the relative severity of a reported vulnerability. Oracle adopted CVSS last year to expand the security information it discloses with each CPU.

“It is worthwhile to reiterate again that CVSS provides a standard-based approach for assessing the criticality of vulnerabilities,” Eric Maurice, manager for security in Oracle’s global technology business unit, wrote on Oracle’s security blog.

“In other words, CVSS assists customers to understand the significance of a given vulnerability in their environment, and assess the priority that should be given to patching that specific vulnerability against production requirements.”

With CVSS 2.0, he continued, a number of changes have been introduced that make the standard more representative of real-world

But while the new version of CVSS has more parameters, Amichai Shulman, CTO of application data security company Imperva, said that the scores have remained the same.

“Based on our analysis, we recommend that security officers take a close look at the details composing the risk score rather than accepting the score itself,” Shulman wrote in an e-mail sent to

“For example, the highest-ranked vulnerability is only 6.5 out of 10, yet it is easy to exploit remotely and allows the attacker to take complete control of the database. This is a serious vulnerability, but its score does not reflect that fact.”

Regardless of how Oracle measures the severity of the vulnerabilities, the imperative for Oracle users is to apply the update, and to do so quickly.

“Oracle users should understand that the period after a CPU has been issued is ironically more risky than the period before the CPU is published, as it gives black hats who may not have known about certain vulnerabilities directions where to look for them,” Slavik Markovich, CTO of database security vendor Sentrigo, wrote in an e-mail sent to

“Based on the severity level of the vulnerabilities patched in this CPU, users should be sure to take the steps necessary to protect their organizations’ data by heeding the advice of Oracle with regard to patch specifications and
