Is Oracle misleading its database customers during its quarterly Critical Patch Updates (CPUs)? If you look at how they classify vulnerabilities, we at TeamSHATTER believe the answer is... yes.
Industry surveys and reports continue to show that most companies are well behind in rolling out patches for previous CPUs, many citing that the process is too cumbersome.
To make matters worse, many rely on the Common Vulnerability Scoring System (CVSS) associated with the disclosed vulnerabilities from each CPU to determine the sense of urgency when it comes to any patching they may conduct at all.
Simply put, if it is not reported as critical, or does not have a CVSS score of 7.0 or higher, it is less likely to be deemed urgent or perhaps even worthy of a fix in given environments.
Unfortunately for its customers, Oracle has figured out a way to downplay the severity of its vulnerabilities and water down the scoring by interpreting the “Complete” impact rating in a favorable-for-Oracle way and introducing a proprietary impact rating that they call “Partial+”.
According to Oracle, a vulnerability’s impact is only considered “Complete” if “all software running on the machine” is affected, not just the Oracle Database Server. This runs completely contrary to the official CVSS definition, not to mention common sense.
A database server is a major software asset that, in almost any real-world installation, is the sole software running on the given hardware, besides that of the OS, of course.
Now, any vulnerability that would usually be considered “Complete”, but doesn’t fit Oracle’s narrow definition, is rated by Oracle as ‘Partial+’. And Oracle claims, “The addition of the Partial+ rating does not change the CVSS base metric scoring system.”
However, in the following example, one might conclude that there is either a tremendous lack of consistency on Oracle’s part when it comes to scoring or that the Partial+ scoring system does in fact manipulate and downplay the CVSS base scores.
In the April 2011 CPU, one of the disclosed vulnerabilities, CVE-2011-0806, was given a score of 5.0. However, in the July 2010 CPU, a nearly identical vulnerability (CVE-2010-0903) was reported and given a score of 7.8. According to TeamSHATTER researcher Esteban Martinez Fayo, who discovered and reported both vulnerabilities, “The two vulnerabilities are virtually identical. The exploit is different for just one byte and the effect when exploited is exactly the same. It is unclear to me as to why in one CPU they gave a rating of ‘Complete’ and in the other a rating of ‘Partial+’.”
And if the CVSS base scores are not affected by the Partial+ scoring, one might wonder why Oracle goes on to state, “However, customers have all the required information to recalculate the CVSS score with Partial+ ratings changed to Complete, if that is more appropriate for their environment.”
Partial+ has become a running joke among database security professionals, DBAs and others charged with the security and risk management of databases. Through the Partial+ rating, Oracle is basically stacking the deck in their favor so it appears that vulnerabilities to their products are less severe than they really are, and then they have the audacity to tell customers that they have all of the information required to perform recalculations to actually get to what the scores really should be.
As Partial+ is an Oracle-only impact rating not in accordance with CVSS scoring, beware when Oracle puts out its CPU with ‘CVSS scores’: many of these use the Partial+ rating, are NOT CVSS 2.0, and yield lower scores that give many customers a false sense of security by downplaying the true severity of the given vulnerability.
According to a recent blog post by industry analyst Adrian Lane of Securosis, “Lowering of CVSS scores by saying the compromise is ‘Partial+’, instead of ‘Complete’ deliberately misunderstands the way attackers work. Once they get a foot in the door they will automatically start looking for what to attack next. To reduce the risk score you would need to understand what else would be exposed by exploiting this vulnerability.”
If I am a DBA, I say don’t change the scoring. Allow me to determine, based on industry accepted standards, the severity of the vulnerabilities. And don’t tell me that we are provided with all of the required information to recalculate the scores back to what they are supposed to be. Provide me with BOTH scores side-by-side and then let me determine what is the most appropriate for my environment.
Cross-posted from TeamSHATTER.com