Oracle’s system to rate flaw severity
Oracle has introduced severity rating for its security bulletins, making it clearer to its customers the order of importance for fixing flaws.
The software giant’s most recent quarterly bulletin, released earlier this month, was the first to use the Common Vulnerability Scoring System, an industry-wide attempt to clarify the ratings given to vulnerabilities.
The bulletin contained fixes for 101 security vulnerabilities across a range of Oracle products: 14 vulnerabilities in Application Server, 13 in E-Business suite, eight in PeopleSoft products and one each in Oracle Pharmaceuticals and JDEdwards software.
According to the bulletin, the majority of the vulnerabilities are significant ones: 30 of the Oracle Database-related flaws could expose systems to unauthenticated remote attacks, while 13 application flaws carry that risk; one each in E-Business Suite and PeopleSoft products could be so exploited.
Oracle’s patch update states: “Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible.”
“Depending on your environment it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack.”
The update advised that for attacks that require certain privileges or access to certain packages, removing the privileges or ability to access the packages from untrusted users may help reduce the risk of a successful attack.
However, it warned users to test these changes on non-production systems and said neither approach was a long-term solution.
Pete Finnigan, an independent security specialist, said on his blog that the new-style advisories should prove much better structured for users: “The advisories have been getting better and this is a good stride forward,” he wrote.
While Oracle has enjoyed a strong reputation for security in the past, it has faced mounting criticism in the past year or so and now wants to be seen as more proactive on the issue.
Oracle chief Larry Ellison strongly defended the company’s security record during an exclusive briefing with IT Weekly earlier this year.
“I think you’ll see a massive focus on security within Oracle over the next two years,” he told IT Weekly then.
He was slated to speak more on the topic of security at this month’s Oracle OpenWorld event in San Francisco, US.