Oracle Security Team

CVSS Version 3.0 Announced

Thu, 2015-07-30 17:04

Hello, this is Darius Wiles.

Version 3.0 of the Common Vulnerability Scoring System (CVSS) has been announced by the Forum of Incident Response and Security Teams (FIRST). Although there have been no high-level changes to the standard since the Preview 2 release which I discussed in a previous blog post, there have been a lot of improvements to the documentation.

Soon, Oracle will be using CVSS v3.0 to report CVSS Base scores in its security advisories. In order to facilitate this transition, Oracle plans to release two sets of risk matrices, both CVSS v2 and v3.0, in the first Critical Patch Update (Oracle’s security advisories) to provide CVSS version 3.0 Base scores. Subsequent Critical Patch Updates will only list CVSS version 3.0 scores.

While Oracle expects most vulnerabilities to have similar v2 and v3.0 Base Scores, certain types of vulnerabilities will experience a greater scoring difference. The CVSS v3.0 documentation includes a list of examples of public vulnerabilities scored using both v2 and v3.0, and this gives an insight into these scoring differences. Let’s now look at a couple of reasons for these differences.

The v3.0 standard provides a more precise assessment of risk because it considers more factors than the v2 standard. For example, the important impact of most cross-site scripting (XSS) vulnerabilities is that a victim's browser runs malicious code. v2 does not have a way to capture the change in impact from the vulnerable web server to the impacted browser; basically v2 just considers the impact to the former. In v3.0, the Scope metric allows us to score the impact to the browser, which in v3.0 terminology is the impacted component. v2 scores XSS as "no impact to confidentiality or availability, and partial impact to integrity", but in v3.0 we are free to score impacts to better fit each vulnerability. For example, a typical XSS vulnerability, CVE-2013-1937, is scored with a v2 Base Score of 4.3 and a v3.0 Base Score of 6.1. Most XSS vulnerabilities will experience a similar CVSS Base Score increase.

Until now, Oracle has used a proprietary Partial+ metric value for v2 impacts when a vulnerability "affects a wide range of resources, e.g., all database tables, or compromises an entire application or subsystem". We felt this extra information was useful because v2 always scores vulnerabilities relative to the "target host", but in cases where a host's main purpose is to run a single application, Oracle felt that a total compromise of that application warrants more than Partial. In v3.0, impacts are scored relative to the vulnerable component (assuming no scope change), so a total compromise of an application now leads to High impacts. Therefore, most Oracle vulnerabilities scored with Partial+ impacts under v2 are likely to be rated with High impacts and therefore more precise v3.0 Base scores. For example, CVE-2015-1098 has a v2 Base score of 6.8 and a v3.0 Base score of 7.8. This is a good indication of the differences we are likely to see. Refer to the CVSS v3.0 list of examples for more details on how this vulnerability was scored.

Overall, Oracle expects v3.0 Base scores to be higher than v2, but bear in mind that v2 scores are always relative to the "target host", whereas v3.0 scores are relative to the vulnerable component, or the impacted component if there is a scope change. In other words, CVSS v3.0 will provide a better indication of the relative severity of vulnerabilities because it better reflects the true impact of the vulnerability being rated in software components such as database servers or middleware.
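To make the scoring differences above concrete, here is an added example (my own code, not code from this post, from Oracle or from FIRST): a Python implementation of the v2 and v3.0 Base Score equations as published in the FIRST specifications, applied to the two vulnerabilities cited above. The vectors for CVE-2013-1937 and CVE-2015-1098 are the ones FIRST lists in its v3.0 examples document, reproduced here from my reading of that document and so to be treated as assumed; the calculator returns the same 4.3/6.1 and 6.8/7.8 the post quotes. It also scores the XSS impacts with Scope Unchanged versus Changed, to isolate what the Scope metric contributes, and reproduces the v2 Complete-versus-Partial gap behind the 9.0/6.5 platform-specific scores that appear in the Critical Patch Update posts further down this page (those two v2 vectors are assumed for illustration, not taken from any advisory).

```python
"""CVSS v2 and v3.0 Base Score calculators driven by vector strings.

Added example, not code from the Oracle post. Metric weights and equations
are those published by FIRST in the CVSS v2 and v3.0 specifications.
"""
import math
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (v2 specification)
V2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# CVSS v3.0 base metric weights (v3.0 specification, section 8.4)
V3_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required is the one metric whose weight depends on Scope
V3_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
         "C": {"N": 0.85, "L": 0.68, "H": 0.50}}


def _parse(vector, prefix=""):
    """Turn 'AV:N/AC:M/...' (optionally prefixed, e.g. 'CVSS:3.0/') into a dict."""
    if prefix and vector.startswith(prefix):
        vector = vector[len(prefix):]
    return dict(part.split(":", 1) for part in vector.split("/"))


def cvss2_base(vector):
    """CVSS v2 Base Score: impacts are scored relative to the whole target host."""
    m = _parse(vector)
    w = {k: V2_WEIGHTS[k][m[k]] for k in V2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # v2 rounds to one decimal; Decimal avoids float and banker's-rounding surprises
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _roundup(x):
    """v3.0 'Round up' to one decimal, done on integers so that a value such as
    6.000000001 (floating-point noise) is not bumped to 6.1."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss3_base(vector):
    """CVSS v3.0 Base Score: impacts are scored relative to the vulnerable
    component, or to the impacted component when Scope is Changed (S:C)."""
    m = _parse(vector, prefix="CVSS:3.0/")
    changed = m["S"] == "C"
    w = {k: V3_WEIGHTS[k][m[k]] for k in V3_WEIGHTS}
    iss = 1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * w["AV"] * w["AC"] * V3_PR[m["S"]][m["PR"]] * w["UI"]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


# The two public vulnerabilities the post cites, with the vectors FIRST lists for
# them in the v3.0 examples document (assumed here; the scores match the post).
EXAMPLES = {
    "CVE-2013-1937": ("AV:N/AC:M/Au:N/C:N/I:P/A:N",
                      "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
    "CVE-2015-1098": ("AV:N/AC:M/Au:N/C:P/I:P/A:P",
                      "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
}


def score_examples():
    """Return {CVE: (v2 score, v3.0 score)} for the vulnerabilities above."""
    return {cve: (cvss2_base(v2), cvss3_base(v3)) for cve, (v2, v3) in EXAMPLES.items()}


def scope_effect():
    """The XSS impacts with Scope Unchanged vs Changed: the Scope metric alone
    lifts a browser-impacting XSS from 5.4 to 6.1."""
    return (cvss3_base("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"),
            cvss3_base("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"))


def partial_plus_gap():
    """Complete vs Partial impacts on an otherwise identical authenticated,
    network-reachable v2 vector (assumed vectors): the 9.0 / 6.5 pattern behind
    the platform-specific database scores, where the 6.5 side is what Oracle has
    been marking Partial+ because v2 cannot express a full application compromise."""
    return (cvss2_base("AV:N/AC:L/Au:S/C:C/I:C/A:C"),
            cvss2_base("AV:N/AC:L/Au:S/C:P/I:P/A:P"))


if __name__ == "__main__":
    for cve, (s2, s3) in score_examples().items():
        print(f"{cve}: v2 {s2}  v3.0 {s3}")
    print("XSS impacts with S:U vs S:C:", scope_effect())
    print("v2 Complete vs Partial(+):", partial_plus_gap())
```

Note that the v3.0 Scope-Changed branch scales the sum by 1.08 and uses a different impact sub-equation, which is why an XSS whose only v3.0 impacts are Low confidentiality and Low integrity still ends up above its v2 score; the v2 side, by contrast, only ever moves between Partial and Complete, which is the gap Partial+ was trying to annotate.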


For More Information

The CVSS v3.0 documents are located on FIRST's web site at http://www.first.org/cvss/

Oracle's use of CVSS [version 2], including a fuller explanation of Partial+, is located at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

My previous blog post on CVSS v3.0 preview is located at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview

Eric Maurice's blog post on Oracle's use of CVSS v2 is located at https://blogs.oracle.com/security/entry/understanding_the_common_vulne_2

July 2015 Critical Patch Update Released

Tue, 2015-07-14 14:59

Hello, this is Eric Maurice.

Oracle today released the July 2015 Critical Patch Update. The Critical Patch Update program is Oracle’s primary mechanism for the release of security fixes across all Oracle products, including security fixes intended to address vulnerabilities in third-party components included in Oracle’s product distributions.

The July 2015 Critical Patch Update provides fixes for 193 new security vulnerabilities across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 193 fixes, 44 are for third-party components included in Oracle product distributions (e.g., QEMU, glibc).

This Critical Patch Update provides 10 fixes for the Oracle Database, and 2 of the Database vulnerabilities fixed in today’s Critical Patch Update are remotely exploitable without authentication. The most severe of these database vulnerabilities has received a CVSS Base Score of 9.0 for the Windows platform and 6.5 for Linux and Unix platforms. This vulnerability (CVE-2015-2629) reflects the availability of new Java fixes for the Java VM in the database.

With this Critical Patch Update, Oracle Fusion Middleware receives 39 new security fixes, 36 of which are for vulnerabilities which are remotely exploitable without authentication. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5.

This Critical Patch Update also includes a number of fixes for Oracle applications. Oracle E-Business Suite gets 13 fixes, Oracle Supply Chain Suite gets 7, PeopleSoft Enterprise gets 8, and Siebel gets 5 fixes. Rounding out this list are 2 fixes for the Oracle Commerce Platform.

The Oracle Communications Applications receive 2 new security fixes. The highest CVSS Base Score for these vulnerabilities is 10.0; this score is for CVE-2015-0235 (GHOST), which affects glibc, a component used in the Oracle Communications Session Border Controller. Note that this same glibc vulnerability is also addressed in a number of Oracle Sun Systems products.

Also included in this Critical Patch Update are 25 fixes for Oracle Java SE. 23 of these Java SE vulnerabilities are remotely exploitable without authentication. 16 of these Java SE fixes are for Java client-only deployments, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployments. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments. Please note that this Critical Patch Update also addresses a recently announced 0-day vulnerability (CVE-2015-2590), which was being reported as actively exploited in the wild.

This Critical Patch Update addresses 25 vulnerabilities in Oracle Berkeley DB, and none of these vulnerabilities are remotely exploitable without authentication. The highest CVSS Base score reported for these vulnerabilities is 6.9.

Note that the CVSS standard was recently updated to version 3.0. In a previous blog entry, Darius Wiles highlighted some of the enhancements introduced by this new version. Darius will soon publish another blog entry to discuss this updated CVSS standard and its implications for Oracle’s future security advisories. Note that the CVSS Base Scores reported in the risk matrices in today’s Critical Patch Update are based on CVSS v2.0.

For More Information:

The July 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance

Security Alert CVE-2015-3456 Released

Fri, 2015-05-15 14:52

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2015-3456 to address the recently publicly disclosed VENOM vulnerability, which affects various virtualization platforms. This vulnerability results from a buffer overflow in QEMU's virtual Floppy Disk Controller (FDC).

While the vulnerability is not remotely exploitable without authentication, its successful exploitation could provide a malicious attacker who has privileges to access the FDC on a guest operating system with the ability to completely take over the targeted host system. In other words, successful exploitation allows the attacker to escape the confines of the virtual environment for which he or she had privileges. This vulnerability has received a CVSS Base Score of 6.2.

Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already “in the wild.” Oracle further recommends that customers apply the relevant fixes as soon as they become available.

Oracle has also published a list of Oracle products that may be affected by this vulnerability. This list will be updated as fixes become available.

The Oracle Security and Development teams are also working with the Oracle Cloud teams to ensure that the Oracle Cloud teams can evaluate these fixes as they become available and be able to apply the relevant patches in accordance with applicable change management processes in these organizations.

For More Information:

The Security Alert Advisory is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html

The list of Oracle products that may be affected by this vulnerability is published at http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html

April 2015 Critical Patch Update Released

Tue, 2015-04-14 15:17

Hello, this is Eric Maurice.

Oracle today released the April 2015 Critical Patch Update. The predictable nature of the Critical Patch Update program is intended to provide customers the ability to plan for the application of security fixes across all Oracle products. Critical Patch Updates are released quarterly in the months of January, April, July, and October. Unfortunately, Oracle continues to periodically receive reports of active exploitation of vulnerabilities that have already been fixed by Oracle in previous Critical Patch Update releases. In some instances, malicious attacks have been successful because customers failed to apply Critical Patch Updates. The “Critical” in the designation of the Critical Patch Update program is intended to highlight the importance of the fixes distributed through the program. Oracle highly recommends that customers apply these Critical Patch Updates as soon as possible. Note that Critical Patch Updates are cumulative for most Oracle products. As a result, the application of the most recent Critical Patch Update brings customers to the most recent security release, and addresses all previously-addressed security flaws for these products. The Critical Patch Update release schedule for the next 12 calendar months is published on Oracle’s Critical Patch Updates, Security Alerts and Third Party Bulletin page on Oracle.com.

The April 2015 Critical Patch Update provides 98 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle MySQL, and Oracle Support Tools.

Out of these 98 new fixes, 4 are for the Oracle Database. None of the database vulnerabilities are remotely exploitable without authentication. The most severe of the database vulnerabilities (CVE-2015-0457) has received a CVSS Base Score of 9.0, but only on Windows for Database versions prior to 12c. The Base Score is 6.5 for Database 12c on Windows and for all versions of the Database on Linux, Unix and other platforms. This vulnerability is related to the presence of the Java Virtual Machine in the database.

17 of the vulnerabilities fixed in this Critical Patch Update are for Oracle Fusion Middleware. 12 of these Fusion Middleware vulnerabilities are remotely exploitable without authentication, and the highest reported CVSS Base Score is 10.0. This CVSS 10.0 Base Score is for CVE-2015-0235 (a.k.a. GHOST, which affects the GNU libc library) affecting the Oracle Exalogic Infrastructure.

This Critical Patch Update also delivers 14 new security fixes for Oracle Java SE. 11 of these Java SE fixes are for client-only deployments (i.e., these vulnerabilities can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets). Two apply to JSSE client and server deployments and 1 to Java client and server deployments. The highest CVSS Base Score reported for these vulnerabilities is 10.0, and this score applies to 3 of the Java vulnerabilities (CVE-2015-0469, CVE-2015-0459, and CVE-2015-0491).

For Oracle Applications, this Critical Patch Update provides 4 new fixes for Oracle E-Business Suite, 7 for Oracle Supply Chain Suite, 6 for Oracle PeopleSoft Enterprise, 1 for Oracle JDEdwards EnterpriseOne, 1 for Oracle Siebel CRM, 2 for the Oracle Commerce Platform, 2 for Oracle Retail Industry Suite, and 1 for Oracle Health Sciences Applications.

Finally, this Critical Patch Update provides 26 new fixes for Oracle MySQL. 4 of the MySQL vulnerabilities are remotely exploitable without authentication and the maximum CVSS Base Score for the MySQL vulnerabilities is 10.0.

As stated at the beginning of this blog, Oracle recommends that customers consistently apply Critical Patch Updates as soon as possible. The security fixes provided through the Critical Patch Update program are thoroughly tested to ensure that they do not introduce regressions across the Oracle stack. Extensive documentation is available on the My Oracle Support site, and customers are encouraged to contact Oracle Support if they have questions about how to best deploy the fixes provided through the Critical Patch Update program.

For More Information:

The April 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

The Critical Patch Updates, Security Alerts and Third Party Bulletin page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html. Oracle’s vulnerability handling policies and practices are described at http://www.oracle.com/us/support/assurance/vulnerability-remediation/introduction/index.html

January 2015 Critical Patch Update Released

Tue, 2015-01-20 14:55

Hi, this is Eric Maurice.

Oracle today released the January 2015 Critical Patch Update. This Critical Patch Update provides 169 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 169 vulnerabilities, 8 are for the Oracle Database. None of these database vulnerabilities are remotely exploitable without authentication, but a number of them are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has received a CVSS Base Score of 9.0 to denote that a full compromise of the targeted server is possible on the Windows platform (for versions prior to Database 12c) but requires authentication (the CVSS Base Score for platforms other than Windows, and for Database 12c on Windows, is 6.5).

One database vulnerability (CVE-2014-6577) received a CVSS Base Score of 6.8. If successfully exploited, vulnerability CVE-2014-6577 can result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform. The CVSS Base Score for CVE-2014-6577 is 6.5 (the reported confidentiality impact value is "Partial+") for Database 12c on Windows and for all versions of the Database on Linux, Unix and other platforms.

Two database vulnerabilities received a CVSS Base Score of 6.5 (CVE-2014-0373 and CVE-2014-6578). The CVSS Base score of 6.5 for these vulnerabilities along with the Partial+ ratings indicate that a successful compromise of the vulnerabilities could result in a possible compromise of the entire database, but authenticating to the targeted system is required.

Because of the severity of these issues, Oracle highly recommends that this Critical Patch Update be applied to affected systems as soon as possible. As a reminder, the security risk matrices in the Critical Patch Update advisory list the affected versions, and the accompanying patch availability document provides information about how to obtain the appropriate patches.

Note that, as discussed in a previous blog entry by Darius Wiles, the CVSS Special Interest Group has recently published a preview of the upcoming CVSS version 3.0 standard. A major improvement planned for this updated version of CVSS is the addition of a Scope metric that will provide a more generic way to indicate if the impact of a vulnerability extends beyond the component that contains the vulnerability. As a result, this new ‘Scope’ metric will eliminate the need for Oracle to use a Partial+ custom score.

This Critical Patch Update provides 36 new fixes for Oracle Fusion Middleware products. The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 9.3. Two of the Oracle Fusion Middleware vulnerabilities fixed in this Critical Patch Update can result in a server takeover (CVE-2011-1944 and CVE-2014-0224).

This Critical Patch Update provides a number of security fixes for Oracle Applications, including 10 new fixes for Oracle E-Business Suite, 6 for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning. Oracle Applications customers should apply these fixes as soon as possible, as well as apply other relevant fixes in the Oracle stack as prescribed in the Critical Patch Update Advisory and associated documentation. It is also very important that application customers remain on actively supported versions from Oracle so that they can benefit from Oracle’s ongoing security assurance effort, and continue to get security fixes which are thoroughly tested across the Oracle stack. Customers who have these applications hosted on their behalf should ensure that their service providers apply these patches in a timely fashion upon successful testing.

This Critical Patch Update also provides 29 new security fixes for the Oracle Sun Systems Products Suite. The highest CVSS Base Score reported for these vulnerabilities is 10.0. This vulnerability (CVE-2013-4784) affects XCP Firmware versions prior to XCP 2232. Note that, per Oracle’s Lifetime Systems Support Policy, Oracle will no longer systematically assess new security vulnerabilities against Solaris 8 and Solaris 9.

This Critical Patch Update delivers 19 new security fixes for Oracle Java SE. The most severe of these vulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SE client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408). Out of these 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations. This historically low number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.

It is very important to note that, with this Critical Patch Update, Oracle will change the behavior of Java SE with regard to SSL. This Critical Patch Update will disable by default the use of SSL version 3.0. SSL v3.0 is widely regarded as an obsolete protocol, and this situation is aggravated by the POODLE vulnerability (CVE-2014-3566). As a result, this protocol is being widely targeted by attackers.

Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems.

Customers should update their custom code to switch to a more resilient protocol (e.g., TLS 1.2). They should also expect all versions of SSL to be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0. However, Oracle strongly recommends that organizations phase out their use of SSL v3.0 as soon as possible.

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

See Darius Wiles’ blog entry about upcoming changes to the CVSS Standard at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview

CVSS version 3.0 Preview 2

Mon, 2015-01-05 16:48

Hello, this is Darius Wiles.

Oracle has been using the Common Vulnerability Scoring System (CVSS) in Critical Patch Update advisories and Security Alerts for over 8 years. CVSS version 2.0 is the current standard, but the CVSS Special Interest Group (SIG), acting on behalf of FIRST, has recently published a preview of the upcoming CVSS version 3.0 standard.

The CVSS version 3.0 preview represents a near final version of the standard and includes metric and vector strings, formula, scoring examples and a calculator. These are all available at the CVSS version 3.0 development site at http://www.first.org/cvss/v3/development. The official public comment period is scheduled to last through February 28, 2015 and we encourage everyone with an interest in CVSS to review the preview and provide feedback to cvss-v3-comments@first.org.

Eric Maurice wrote a blog post a few years ago that explains how Oracle uses CVSS version 2.0, including the reasons Oracle added a Partial+ custom score for Confidentiality, Integrity and Availability metrics. A major improvement planned for version 3.0 is the addition of a Scope metric that provides a more generic way to indicate if the impact of a vulnerability extends beyond the component that contains the vulnerability. This new ‘Scope’ metric will eliminate the need for Oracle to use a Partial+ custom score.

The version 2.0 Access Complexity metric was a combination of several concepts, sometimes making it difficult to know which value to assign when some concepts were high risk and some low risk for a given vulnerability. Version 3.0 splits the privileges required by an attacker and whether the attack requires user (victim) interaction into separate, new metrics.

Version 3.0 also clarifies at which stage of an attack a CVSS score should be calculated. Because Version 2.0 did not offer this guidance, it could lead to variations in CVSS scores between organizations. Version 3.0 provides greater clarity by stating, essentially, that a CVSS score should be calculated when the first impact occurs.

This is just a high-level overview of some of the changes, and we've glossed over some important details. We encourage you to take a look at the preview and provide feedback to the SIG before the end of the comment period. We are excited about the planned improvements to version 3.0 and hope to move to the new standard in our alerts and advisories soon after the final standard is published.

For More Information:

The CVSS version 3.0 development site is located at http://www.first.org/cvss/v3/development

Oracle’s use of the CVSS 2.0 Scoring System is explained at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

Information about SSL “Poodle” vulnerability CVE-2014-3566

Wed, 2014-10-15 13:09

Hello, this is Eric Maurice.

A security vulnerability affecting Secure Sockets Layer (SSL) v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect TLS and is limited to SSL 3.0, which is generally considered an obsolete protocol. A number of organizations, including OWASP, previously advised against using this protocol, as weaknesses affecting it have been known for some time.

This “Poodle” vulnerability has received the identifier CVE-2014-3566.

A number of Oracle products do not support SSL v3.0 out of the box, while some Oracle products do provide for enabling SSL v3.0. Based on this vulnerability as well as the existence of other issues with this protocol, in instances when SSL v3.0 is supported but not needed, Oracle recommends permanently disabling SSL v3.0.
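Acting on the recommendation above, and on the Java SE change described in the January 2015 Critical Patch Update post, starts with knowing which endpoints are still settling on SSL 3.0. The following is an added example, not code from the Oracle posts: it walks the TLS record layer of captured handshake bytes and reports which sessions the server actually negotiated as SSL 3.0. It reads the version from ServerHello.server_version rather than from the record header of the client's first message, because the record-layer version on a ClientHello may legitimately be lower than what the client supports. The record and handshake layouts follow the SSL 3.0 and TLS 1.2 specifications (RFC 6101 and RFC 5246); the two captures and the names `legacy-appserver` and `patched-appserver` are constructed for this example.

```python
"""Added example (not from the Oracle posts): find sessions that negotiated SSLv3.

Record-layer and handshake layouts follow RFC 6101 (SSL 3.0) and RFC 5246
(TLS 1.2). The sample captures at the bottom are constructed by hand.
"""
import struct

# Version bytes as they appear in the record layer and in ServerHello.server_version.
VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def iter_records(data):
    """Yield (content_type, (major, minor), body) for each record in a byte stream.

    A truncated record raises ValueError instead of being silently skipped, so a
    bad capture is reported rather than counted as "not SSLv3".
    """
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        content_type, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        yield content_type, (major, minor), body
        offset += 5 + length


def negotiated_version(data):
    """Return the version the server chose, or None if no ServerHello is present.

    Only ServerHello.server_version is authoritative; the client's record-layer
    version is not what ended up being used.
    """
    for content_type, _record_version, body in iter_records(data):
        if content_type != CONTENT_HANDSHAKE or len(body) < 6:
            continue
        if body[0] != HANDSHAKE_SERVER_HELLO:
            continue
        # Handshake body: msg_type(1) length(3) server_version(2) random(32) ...
        return version_name(body[4], body[5])
    return None


def flag_sslv3_sessions(captures):
    """Given {session_id: captured_bytes}, return the ids whose server picked SSLv3."""
    return sorted(sid for sid, data in captures.items() if negotiated_version(data) == "SSLv3")


def _server_hello_record(major, minor):
    """Build a minimal ServerHello record for the given version (constructed test data)."""
    random_bytes = bytes(range(32))
    session_id = b""
    cipher_suite = b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"
    hello = (bytes([major, minor]) + random_bytes + bytes([len(session_id)]) + session_id
             + cipher_suite + compression)
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed captures: one endpoint still answering with SSL 3.0, one on TLS 1.2.
SAMPLE_CAPTURES = {
    "legacy-appserver": _server_hello_record(3, 0),
    "patched-appserver": _server_hello_record(3, 3),
}

if __name__ == "__main__":
    for sid, data in SAMPLE_CAPTURES.items():
        print(sid, negotiated_version(data))
    print("SSLv3 still negotiated by:", flag_sslv3_sessions(SAMPLE_CAPTURES))
```

Fed with the server side of real captures, `flag_sslv3_sessions` gives the inventory to work from before SSL 3.0 is switched off; a stream with no ServerHello (for example a client that was rejected before the server answered) returns None rather than a version.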

Furthermore, Oracle is assessing the use of SSL v3.0 across its corporate systems and those managed on behalf of Oracle customers (e.g., Oracle Cloud). Oracle is actively deprecating the use of this protocol. In instances where Oracle identifies a possible impact to cloud customers, Oracle will work with the affected customers to determine the best course of action. Oracle recommends that cloud customers investigate their use of SSL v3.0 and discontinue the use of this protocol to the extent possible.

For more information, see the "Poodle Vulnerability CVE-2014-3566" page located on OTN at http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

October 2014 Critical Patch Update Released

Tue, 2014-10-14 14:49

Hello, this is Eric Maurice again.

Oracle today released the October 2014 Critical Patch Update. This Critical Patch Update provides fixes for 154 vulnerabilities across a number of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Product Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Communications Industry Suite, Oracle Retail Industry Suite, Oracle Health Sciences Industry Suite, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, and Oracle MySQL.

In today’s Critical Patch Update Advisory, you will see a stronger than previously-used statement about the importance of applying security patches. Even though Oracle has consistently tried to encourage customers to apply Critical Patch Updates on a timely basis and recommended customers remain on actively-supported versions, Oracle continues to receive credible reports of attempts to exploit vulnerabilities for which fixes have been already published by Oracle. In many instances, these fixes were published by Oracle years ago, but their non-application by customers, particularly against Internet-facing systems, results in dangerous exposure for these customers. Keeping up with security releases is a good security practice and good IT governance.

Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0.

This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows). When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.

The Java Virtual Machine (Java VM) was added to the database with the release of Oracle 8i in early 1999. The inclusion of Java VM in the database kernel allows Java stored procedures to be executed by the database. In other words, by running Java in the database server, Java applications can benefit from direct access to relational data. Not all customers implement Java stored procedures; however support for Java stored procedures is required for the proper operation of the Oracle Database as certain features are implemented using Java. Due to the nature of the fixes required, Oracle development was not able to produce a normal RAC-rolling fix for these issues. To help protect customers until they can apply the Oracle JavaVM component Database PSU, which requires downtime, Oracle produced a script that introduces new controls to prevent new Java classes from being deployed or new calls from being made to existing Java classes, while preserving the ability of the database to execute the existing Java stored procedures that customers may rely on.

As a mitigation measure, Oracle did consider revoking all PUBLIC grants on Java classes, but such an approach is not feasible with a static script. Due to the dynamic nature of Java, it is not possible to identify all the classes that may be needed by an individual customer. Oracle’s script is designed to provide effective mitigation against malicious exploitation of Java in the database for customers who are not deploying new Java code or creating Java code dynamically.

Customers who regularly develop in Java in the Oracle Database can take advantage of a new feature introduced in Oracle 12.1. By running their workloads with Privilege Analysis enabled, these customers can determine which Java classes are actually needed and remove unnecessary Grants.

18 of the 154 fixes released today are for Oracle Fusion Middleware. Half of these fixes are pass-through fixes to address vulnerabilities in third-party components included in Oracle Fusion Middleware distributions. The most severe CVSS Base Score reported for these Oracle Fusion Middleware vulnerabilities is 7.5.

This Critical Patch Update also provides fixes for 25 new Java SE vulnerabilities. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. This score affects one Java SE vulnerability. Out of these 25 Java vulnerabilities, 20 affect client-only deployments of Java SE (and 2 of these vulnerabilities are browser-specific). 4 vulnerabilities affect client and server deployments of Java SE. One vulnerability affects client and server deployments of JSSE.

Rounding out this Critical Patch Update release are 15 fixes for Oracle and Sun Systems Product Suite, and 24 fixes for Oracle MySQL.

Note that on September 26th 2014, Oracle released Security Alert CVE-2014-7169 to deal with a number of publicly-disclosed vulnerabilities affecting GNU Bash, a popular open source command line shell incorporated into Linux and other widely used operating systems. Customers should review this Security Alert and apply the relevant security fixes for the affected systems, as its publication so close to the publication of the October 2014 Critical Patch Update did not allow for inclusion of these Security Alert fixes in the Critical Patch Update release.

For More Information:

The October 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Security Alert CVE-2014-7169 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html. Furthermore, a list of Oracle products using GNU Bash is located at http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html.

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/

Security Alert CVE-2014-7169 Released

Fri, 2014-09-26 15:20

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2014-7169. Vulnerability CVE-2014-7169, which is closely related to the earlier CVE-2014-6271, affects GNU Bash, and if successfully exploited can give a malicious attacker the ability to fully compromise a targeted system. GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. The National Vulnerability Database (NVD) has given this vulnerability a CVSS Base Score of 10.0.

Oracle is continuing to investigate this vulnerability. Today’s Security Alert lists the products that Oracle has currently determined to be vulnerable to CVE-2014-7169. Download and installation instructions are provided for those products with available patches. Note that the fixes provided with this Security Alert address both vulnerabilities CVE-2014-7169 and CVE-2014-6271. The Security Alert Advisory will be updated to reflect the availability of fixes for additional products when they have successfully completed testing. It is Oracle’s priority to provide fixes that provide effective mitigation against this vulnerability while not introducing regressions or other issues. In other words, Oracle will provide fixes for additional affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability.

Due to the severity of this vulnerability, the public availability of detailed technical information, and reports of attempted exploitation, Oracle urges customers to apply the appropriate fixes when they become available.

Customers who are concerned about the status of individual products not listed in today’s Security Alert Advisory should contact Oracle Technical Support to obtain additional information. In response to these inquiries, the Security Alert Advisory may also be updated to reflect the status of these products to ensure the wider dissemination of relevant information.

For More Information:

The advisory for Security Alert CVE-2014-7169 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html.

More information has also been published at http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance

July 2014 Critical Patch Update Released

Tue, 2014-07-15 14:41

Hello, this is Eric Maurice.

Oracle today released the July 2014 Critical Patch Update. This Critical Patch Update provides 113 new security fixes across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

This Critical Patch Update provides 20 additional security fixes for Java SE. The highest CVSS Base Score for the Java vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects a single Java SE client vulnerability (CVE-2014-4227). 7 other Java SE client vulnerabilities receive a CVSS Base Score of 9.3 (denoting that a complete compromise of the targeted client is possible, but that the Access Complexity to exploit these vulnerabilities is “medium”). All in all, this Critical Patch Update provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server. Oracle recommends that home users visit http://java.com/en/download/installed.jsp to ensure that they run the most recent version of Java. Oracle also recommends that Windows XP users upgrade to a currently-supported operating system. Running an unsupported operating system, particularly one as prevalent as Windows XP, creates a very significant risk to users of these systems, as vulnerabilities are widely known, exploit kits are routinely available, and security patches are no longer provided by the OS vendor.

This Critical Patch Update also includes 5 fixes for the Oracle Database. The highest CVSS Base Score for these database vulnerabilities is 9.0 (this score affects vulnerability CVE-2013-3751).

Oracle Fusion Middleware receives 29 new security fixes with this Critical Patch Update. The most severe CVSS Base Score for these vulnerabilities is 7.5.

Oracle E-Business Suite receives 5 new security fixes with this Critical Patch Update. The most severe CVSS Base Score reported for these vulnerabilities is 6.8.

Oracle Sun Systems Products Suite receives 3 new security fixes with this Critical Patch Update, and one additional Oracle Enterprise Manager Grid Control fix is applicable to these deployments. Fixes that exist because of the dependency between individual Oracle product components are listed in italics in the Critical Patch Update Advisory. These bugs are listed in the risk matrices of the products they initially exist in, as well as in the risk matrices of the products they are used with. The most severe CVSS Base Score for these Oracle Sun Systems Products Suite vulnerabilities is 6.9.

As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products.

For More Information:

The July 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance.

Java home users can detect if they are running obsolete versions of Java SE and install the most recent version of Java by visiting http://java.com/en/download/installed.jsp

Security Alert CVE-2014-0160 (‘Heartbleed’) Released

Fri, 2014-04-18 14:38

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2014-0160 to address the publicly disclosed ‘Heartbleed’ vulnerability which affects a number of versions of the OpenSSL library.  Due to the severity of this vulnerability, and the fact that active exploitation of this vulnerability is reported “in the wild,” Oracle recommends that customers of affected Oracle products apply the necessary patches as soon as they are released by Oracle.

The CVSS Base Score for this vulnerability is 5.0. This relatively low score reflects the difficulty of devising a system that can rate the severity of all types of vulnerabilities, including those that constitute a blended threat.

It is easy to exploit vulnerability CVE-2014-0160 with relative impunity, as it is remotely exploitable without authentication over the Internet. However, a successful exploit can only result in compromising the confidentiality of some of the data contained in the targeted systems. Active exploitation of the bug allows the malicious perpetrator to read the memory of the targeted system on which the vulnerable version of the OpenSSL library resides. The vulnerability, on its own, does not allow a compromise of the availability (e.g., a denial of service attack) or integrity of the targeted system (e.g., deletion of sensitive log files).

Unfortunately, this vulnerability is very serious in that it is contained in a widely used security package, which enables the use of SSL/TLS, and the compromise of that memory can have serious follow-on consequences. According to http://heartbleed.com the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious perpetrator to decrypt private information that was sent months or years ago, or to log into systems with a stolen identity. As a result, this vulnerability creates very significant risks, including unauthorized access to systems with full user rights.

For more information:

The Advisory for Security Alert CVE-2014-0160 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html

The ‘OpenSSL Security Bug - Heartbleed / CVE-2014-0160’ page on OTN is located at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

The ‘Heartbleed’ web site is located at http://www.heartbleed.com.  Note that this site is not affiliated with Oracle.

Oracle Java Cloud Service - April 2014 Critical Patch Update

Thu, 2014-04-17 08:59

Hi, this is Eric Maurice.

In addition to the release of the April 2014 Critical Patch Update, Oracle has also addressed the recently publicly disclosed issues in the Oracle Java Cloud Service.  Note that the combination of this announcement with the release of the April 2014 Critical Patch Update is not coincidental or the result of the unfortunate public disclosure of exploit code, but rather the result of the need to coordinate the release of related fixes for our on-premise customers. 

Shortly after issues were reported in the Oracle Java Cloud Service, Oracle determined that some of these issues were the result of certain security issues in Oracle products (though not Java SE), which are also licensed for traditional on-premise use.  As a result, Oracle addressed these issues in the Oracle Java Cloud Service, and scheduled the inclusion of related fixes in the following Critical Patch Updates upon completion of successful testing so as to avoid introducing regression issues in these products.

For more information:

The April 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

More information about Oracle Software Security Assurance, including details about Oracle’s secure development and ongoing security assurance practices is located at http://www.oracle.com/us/support/assurance/overview/index.html

April 2014 Critical Patch Update Released

Tue, 2014-04-15 15:04

Hello, this is Eric Maurice again.

Oracle today released the April 2014 Critical Patch Update. This Critical Patch Update provides fixes for 104 vulnerabilities across a number of product lines including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL. A number of the vulnerabilities fixed in this Critical Patch Update have a high CVSS Base Score and are highlighted in this blog entry. Oracle recommends that this Critical Patch Update be applied as soon as possible.

Out of the 104 vulnerabilities fixed in the April 2014 Critical Patch Update, 2 were for the Oracle Database. The most severe of these database vulnerabilities received a CVSS Base Score of 8.5 for the Windows platform to denote a full compromise of the targeted system, although successful exploitation of this bug requires authentication by the malicious attacker. On other platforms (e.g., Linux, Solaris), the CVSS Base Score is 6.0, because a successful compromise would be limited to the Database and not extend to the underlying Operating System. Note that Oracle reports this kind of vulnerability with the ‘Partial+’ value for Confidentiality, Integrity, and Availability impact (Partial+ is used when the exploit affects a wide range of resources, e.g. all database tables). Oracle makes a strict application of the CVSS 2.0 standard, and as a result, Partial+ does not result in an inflated CVSS Base Score (CVSS only provides for ‘None,’ ‘Partial,’ or ‘Complete’ to report the impact of a bug). This custom value is intended to call customers’ attention to the potential impact of the specific vulnerability and enable them, if they choose, to manually increase this severity rating. For more information about Oracle’s use of CVSS, see http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html.

This Critical Patch Update also provides fixes for 20 Fusion Middleware vulnerabilities. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5. This score applies to one vulnerability in Oracle WebLogic Server (CVE-2014-2470) that is remotely exploitable without authentication. If successfully exploited, this vulnerability can result in a wide compromise of the targeted WebLogic Server (Partial+ rating for Confidentiality, Integrity, and Availability; see the previous discussion about the meaning of the ‘Partial+’ value reported by Oracle).

Also included in this Critical Patch Update were fixes for 37 Java SE vulnerabilities. 4 of these Java SE vulnerabilities received a CVSS Base Score of 10.0. 29 of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE. Rounding out this count were one vulnerability affecting the Javadoc tool and one affecting unpack200. As a reminder, desktop users, including home users, can leverage Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously released security fixes. Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities.

This Critical Patch Update also included fixes for 5 vulnerabilities affecting Oracle Linux and Virtualization products suite.  The most severe of these vulnerabilities received a CVSS Base Score of 9.3, and this vulnerability (CVE-2013-6462) affects certain versions of Oracle Global Secure Desktop. 

Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible.  In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update.  However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates.  As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are no longer available under Oracle Premier Support, update their systems to a currently-supported release so as to fully benefit from Oracle’s ongoing security assurance effort.

For more information:

The April 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

More information about Oracle’s application of the CVSS scoring system is located at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

An Ovum white paper “Avoiding security risks with regular patching and support services” is located at http://www.oracle.com/us/corporate/analystreports/ovum-avoiding-security-risks-1949314.pdf

More information about Oracle Software Security Assurance, including details about Oracle’s secure development and ongoing security assurance practices is located at http://www.oracle.com/us/support/assurance/overview/index.html

The details of the Common Vulnerability Scoring System (CVSS) are located at http://www.first.org/cvss/cvss-guide.html. 

Java desktop users can verify that they are running the most recent version of Java and remove older versions of Java by visiting http://java.com/en/download/installed.jsp.

‘Heartbleed’ (CVE-2014-0160) Vulnerability in OpenSSL

Thu, 2014-04-10 13:44

Hi, this is Eric Maurice.

A vulnerability affecting certain versions of the OpenSSL libraries was recently publicly disclosed.  This vulnerability has received the nickname ‘Heartbleed’ and the CVE identifier CVE-2014-0160. 

Oracle is investigating the use of the affected OpenSSL libraries in Oracle products and solutions, and will provide mitigation instructions when available for these affected Oracle products. 

Oracle recommends that customers refer to the 'OpenSSL Security Bug - Heartbleed CVE-2014-0160' page on the Oracle Technology Network (OTN) for information about affected products, availability of fixes and other mitigation instructions.  This page will be periodically updated as Oracle continues its assessment of the situation.   Oracle customers can also open a support ticket with My Oracle Support if they have additional questions or concerns.

For More Information:

The CVE-2014-0160 page on OTN is located at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

The Heartbleed web site is located at http://heartbleed.com/.  This site is not affiliated with Oracle and provides a list of affected OpenSSL versions.

The My Oracle Support portal can be accessed by visiting https://support.oracle.com

January 2014 Critical Patch Update Released

Tue, 2014-01-14 14:50

Hello, this is Eric Maurice.

Oracle released the January 2014 Critical Patch Update today. This Critical Patch Update provided fixes for 144 new security vulnerabilities across a wide range of product families, including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

The January 2014 Critical Patch Update provided 5 fixes for the Oracle Database. The maximum CVSS Base Score for these database vulnerabilities was 5.0. This score was for one vulnerability (CVE-2013-5853), which also happened to be the only remotely exploitable without authentication database vulnerability in this Critical Patch Update.

This Critical Patch Update provided 22 security fixes for Oracle Fusion Middleware, 19 of which were for vulnerabilities that were remotely exploitable without authentication. The most severe CVSS Base Score for these vulnerabilities is 10.0. This score is for vulnerability CVE-2013-4316 which affects Oracle WebCenter Sites (versions 11.1.1.6.1 and 11.1.1.8.0).

Oracle Hyperion received 2 new security fixes. One of these vulnerabilities (CVE-2013-3830) received a CVSS Base Score of 7.1, which denotes a complete compromise if successfully exploited, but also requires a single authentication from the attacker.

This Critical Patch Update also included a number of fixes for Oracle applications. 4 security fixes are for Oracle E-Business Suite (one of the vulnerabilities may be remotely exploitable without authentication), 16 security fixes are for Oracle Supply Chain Products Suites (6 of the vulnerabilities may be remotely exploitable without authentication), 17 security fixes are for Oracle PeopleSoft Enterprise (10 of the vulnerabilities may be remotely exploitable without authentication). 2 security fixes are for Oracle Siebel CRM (one of the vulnerabilities may be remotely exploitable without authentication), etc.

This Critical Patch Update also provided 36 security fixes for Java SE. 34 of these Java SE vulnerabilities may be remotely exploitable without authentication. Only 3 of these vulnerabilities are relevant to Java SE or JSSE server deployments, but are not server side specific (that is they also affect client deployments). The maximum CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects 5 vulnerabilities (one of them being applicable to server deployments, that is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets).

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. While successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments because the affected component is not installed or cannot be easily accessed by a malicious attacker, prompt application of the Critical Patch Update will help ensure that “security in depth” is maintained in the environment. IT environments are dynamic in nature, and system configurations and security controls (e.g., network access control policies) often change over time. Applying the Critical Patch Update and other vendors’ relevant security patches helps ensure that the related security controls continue to work should one of the systems fail or its control be circumvented during an attack.

In 2014, the Critical Patch Update program remains Oracle’s primary mechanism for the release of security fixes across all Oracle product families. The recent inclusion of Java SE in the standard Critical Patch Update release schedule has resulted in an increase in the relative size of each Critical Patch Update release since Java SE’s inclusion in October 2013. From a Java SE perspective, this inclusion also means that security fixes are released for Java SE in 4 scheduled releases per year (as opposed to 3 annual releases prior to the Oracle acquisition of Sun Microsystems). The schedule of the Critical Patch Update (on the Tuesday closest to the 17th of the months of January, April, July, and October), as well as the frequency of this security patching schedule, is based largely on feedback from customers, who desire a balance between a high level of predictability for managing their systems and a reasonable frequency in the release of security patches so as to maintain a proper security posture. As such, from an Oracle perspective, “time to fix” (the length of time between discovery of the bug or initial reporting and delivery of the fix) is not as relevant a figure as “time to patch” (the length of time between discovery of the bug or initial reporting and application of the fix by all affected customers).

For More Information:

The January 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html.
