Oracle on Oct. 16 released 51 security fixes, including 27 patches for the beating heart of so many enterprises: the Oracle database.
In addition to that load of patches, Oracle administrators can also look forward to rolling out 11 patches to Oracle's Application Server, seven to Oracle Collaboration Suite, eight to Oracle E-Business Suite and Applications, three to Oracle Enterprise Manager and three to Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.
It's not the biggest patch set the database kingpin has ever released, but it's still big enough to hurt—particularly given the scant amount of information given in Oracle's risk matrices and what some see as deceptively mild risk ratings due to Oracle's move to the industry-standard CVSS (Common Vulnerability Scoring System) Version 2.0 scoring.
"The highest vulnerability rating [out of all 51 patches] is 6.5 out of 10," Amichai Shulman, director of the Application Defense Center and chief technology officer for Imperva, based in Foster City, Calif., said in an interview with eWEEK. He was referring to Oracle Database vulnerability DB01, which is easy to access and yet could lead to a complete database server takeover, according to Oracle's risk matrix.
According to Oracle's matrix, DB01 has Confidentiality, Integrity and Availability as all rated Partial+. Partial+ is a term invented by Oracle since CVSS only defines "Partial" and "Complete." In Oracle's MetaLink note about the use of CVSS, the company presents its interpretation, in which "Complete" will never be used unless the exploit directly leads to a takeover of the operating system as well. Oracle has invented "Partial+" to indicate an overall effect on the database server without effect on the underlying operating system, Shulman said.
Given the fact that DB01 thus entails database compromise, "I find it strange that this vulnerability, which in all aspects seems very severe, receives a relatively low score," Shulman said.
DB20 and DB19 are also vulnerabilities that may inflict denial of service on an Oracle database server without any authentication required, yet they are both rated 5 on a score of 1 to 10. "There's something about this scoring method that tends to draw the scores down," Shulman said.
In fact, seven of Oracle's database patches are for vulnerabilities that require no special privileges whatsoever to exploit. What that means, Shulman said, is that there are no easy workarounds for the vulnerabilities.
"We've become used to a lot of vulnerabilities that require execute privileges on a specific package. These can have easy workarounds if you deny access to a package or a stored procedure and leave only administrators with the power to execute those stored procedures. But if you look at today's patches, you'll see that out of all the vulnerabilities, almost 15 require no special privileges, only the ability to connect to the database server. So there's clearly no workaround," he said.
Shulman is "strongly" advising Oracle administrators to study the details of each exploit when assessing the patch set, rather than looking at the score. "The score in my opinion is very misleading," he said.
October 16, 2007
By Lisa Vaas
http://www.eweek.com/print_article2/0,1217,a=217362,00.asp
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
In addition to that load of patches, Oracle administrators can also look forward to rolling out 11 patches to Oracle's Application Server, seven to Oracle Collaboration Suite, eight to Oracle E-Business Suite and Applications, three to Oracle Enterprise Manager and three to Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.
It's not the biggest patch set the database kingpin has ever released, but it's still big enough to hurt—particularly given the scant amount of information given in Oracle's risk matrices and what some see as deceptively mild risk ratings due to Oracle's move to the industry-standard CVSS (Common Vulnerability Scoring System) Version 2.0 scoring.
"The highest vulnerability rating [out of all 51 patches] is 6.5 out of 10," Amichai Shulman, director of the Application Defense Center and chief technology officer for Imperva, based in Foster City, Calif., said in an interview with eWEEK. He was referring to Oracle Database vulnerability DB01, which is easy to access and yet could lead to a complete database server takeover, according to Oracle's risk matrix.
According to Oracle's matrix, DB01 has Confidentiality, Integrity and Availability as all rated Partial+. Partial+ is a term invented by Oracle since CVSS only defines "Partial" and "Complete." In Oracle's MetaLink note about the use of CVSS, the company presents its interpretation, in which "Complete" will never be used unless the exploit directly leads to a takeover of the operating system as well. Oracle has invented "Partial+" to indicate an overall effect on the database server without effect on the underlying operating system, Shulman said.
Given the fact that DB01 thus entails database compromise, "I find it strange that this vulnerability, which in all aspects seems very severe, receives a relatively low score," Shulman said.
DB20 and DB19 are also vulnerabilities that may inflict denial of service on an Oracle database server without any authentication required, yet they are both rated 5 on a score of 1 to 10. "There's something about this scoring method that tends to draw the scores down," Shulman said.
In fact, seven of Oracle's database patches are for vulnerabilities that require no special privileges whatsoever to exploit. What that means, Shulman said, is that there are no easy workarounds for the vulnerabilities.
"We've become used to a lot of vulnerabilities that require execute privileges on a specific package. These can have easy workarounds if you deny access to a package or a stored procedure and leave only administrators with the power to execute those stored procedures. But if you look at today's patches, you'll see that out of all the vulnerabilities, almost 15 require no special privileges, only the ability to connect to the database server. So there's clearly no workaround," he said.
Shulman is "strongly" advising Oracle administrators to study the details of each exploit when assessing the patch set, rather than looking at the score. "The score in my opinion is very misleading," he said.
October 16, 2007
By Lisa Vaas
http://www.eweek.com/print_article2/0,1217,a=217362,00.asp
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
全站熱搜
留言列表
