Monday, May 2, 2011

How to read the “Oracle Critical Patch Update Advisory - April 2011”

Original CPU Apr-2011 URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html


Oracle does not want to disclose any information that an attacker might use to develop a successful exploit against an Oracle product. For this reason, the advisory gives no clue as to what the security vulnerabilities exactly are.


Important Section (1):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Products and Versions                                         | Patch Availability
---------------------------------------------------------------------- | ------------------
Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2             | Database
Oracle Database 11g Release 1, version 11.1.0.7                        | Database
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5   | Database

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The section above lists the affected product releases and versions that are in Premier Support or Extended Support. If your database version is not listed, there are two possible reasons: 1) it is not affected; 2) it is affected, but that version is no longer under Premier or Extended Support, for example 11.1.0.6 and 10.2.0.1.

Important Section (2):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

Oracle Database Server Risk Matrix

(Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability together form the CVSS VERSION 2.0 RISK group; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | --------- | -------- | --------------------------------- | ----------------------------- | ---------- | ------------- | ----------------- | -------------- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2011-0792 | Oracle Warehouse Builder | Oracle Net | Dimensional Data Modeling | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.5 (OWB), 11.1.0.7 |
CVE-2011-0799 | Oracle Warehouse Builder | Oracle Net | Oracle Warehouse Builder User Account | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.5 (OWB), 11.1.0.7, 11.2.0.1 |
CVE-2009-3555 (Oracle Fusion Middleware) | Oracle Security Service | SSL/HTTPS | C Oracle SSL API | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 |
CVE-2011-0787 (Oracle Enterprise Manager Grid Control) | Application Service Level Management | HTTP | Service Level Agreements | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.0.7 |
CVE-2011-0806 | Network Foundation | Oracle Net | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | See Note 1
CVE-2011-0785 (Oracle Fusion Middleware) | Oracle Help | HTTP | - | Yes | 4.3 | Network | Medium | None | None | Partial | None | See note | See Note 2
CVE-2011-0805 | UIX | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 |
CVE-2011-0793 | Database Vault | Oracle Net | SYSDBA | No | 3.6 | Network | High | Single | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1 |
CVE-2011-0804 | Database Vault | Oracle Net | Valid Account | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 |

Notes:

1. Applicable to Windows servers only.

2. Fixed in all supported Releases and Patchsets.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To interpret the table above:

CVE#: This is the industry standard identifier of the vulnerability and is provided by the Common Vulnerabilities and Exposures group at http://cve.mitre.org/

Component: This is the high level component affected by the vulnerability.

Protocol: This is the protocol over which the vulnerability can be exploited. Reported protocols typically include TCP/IP such as HTTP or Oracle Net. If the attack is launched via the Operating System then the reported protocol is designated "Local" or "Local Login". In some instances, it is possible to mitigate the vulnerability on the affected systems by blocking or limiting connections using the reported protocol.

Package and/or Privilege Required: This is either a subcomponent under the component or the privilege required to launch an attack. When this column contains a privilege, the nature of the privilege required will often be very important in determining risk. For example, if the privilege required is "Session only", meaning that only a logon is required, the risk is much greater than if the privilege was reported as "create table".

Remote Exploit without Auth.?: Whether the vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Base Score: The CVSS base score defines the severity of the vulnerability and ranges between 0.0 and 10.0, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.

Access Vector: The values reported by Oracle are "Network", which means an attack can occur over the network, and "Local", which means that only local attacks are possible (i.e. the attacker has physical access to the machine). Generally, local-only attacks may be considered lower risk in instances where the IT staff is trusted (and has been properly vetted).

Access Complexity: This column reports on the difficulty of launching an attack that has already been created. Low means easy access and typically requires no or low levels of privilege.

Authentication: This column indicates whether authentication is required in order to exploit the vulnerability. Possible values are: "None", "Single Authentication" or "Multiple Authentications".

Confidentiality: Unauthorized disclosure of data.

Integrity: Unauthorized create/update/delete of data.

Availability: Unauthorized denial of service.

Supported Versions Affected: The affected versions; only versions under Premier or Extended Support are listed.
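As an added worked example (not part of the original post or of Oracle's advisory), the Python below recomputes each row's CVSS v2.0 base score from the Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns and checks it against the published Base Score, then cross-checks the "Remote Exploit without Auth.?" column against the vector. The metric weights are those of the CVSS v2.0 specification; the rows are transcribed from the risk matrix above, and scoring Oracle's "Partial+" as CVSS "Partial" is an assumption stated in the code.

```python
# Added example, not from the Oracle advisory: recompute each row's CVSS v2.0
# base score from the risk-matrix vector columns and cross-check the
# "Remote Exploit without Auth.?" flag against Access Vector/Authentication.
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, as published in the CVSS v2 guide.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Assumption: Oracle's "Partial+" is scored as CVSS "Partial"; the "+" only
# marks that the entire affected component (not the whole system) is hit.
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def cvss2_base_score(av, ac, au, conf, integ, avail):
    """CVSS v2.0 base score, rounded half-up to one decimal like the advisory."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Rows transcribed from the April 2011 Database Server risk matrix above:
# (CVE, remote without auth?, published score, AV, AC, Au, C, I, A)
RISK_MATRIX = [
    ("CVE-2011-0792", "No", 6.5, "Network", "Low", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2011-0799", "No", 6.5, "Network", "Low", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2009-3555", "Yes", 5.8, "Network", "Medium", "None", "None", "Partial", "Partial"),
    ("CVE-2011-0787", "No", 5.5, "Network", "Low", "Single", "Partial+", "Partial+", "None"),
    ("CVE-2011-0806", "Yes", 5.0, "Network", "Low", "None", "None", "None", "Partial+"),
    ("CVE-2011-0785", "Yes", 4.3, "Network", "Medium", "None", "None", "Partial", "None"),
    ("CVE-2011-0805", "Yes", 4.3, "Network", "Medium", "None", "None", "Partial", "None"),
    ("CVE-2011-0793", "No", 3.6, "Network", "High", "Single", "None", "Partial", "Partial"),
    ("CVE-2011-0804", "No", 3.6, "Network", "High", "Single", "Partial", "Partial", "None"),
]


def check_matrix(rows=RISK_MATRIX):
    """Return (score mismatches, flag mismatches, CVEs exploitable remotely without auth)."""
    score_bad, flag_bad, urgent = [], [], []
    for cve, remote, published, av, ac, au, c, i, a in rows:
        computed = cvss2_base_score(av, ac, au, c, i, a)
        if computed != published:
            score_bad.append((cve, published, computed))
        # "Yes" in the remote column should coincide with AV=Network and Au=None.
        if (remote == "Yes") != (av == "Network" and au == "None"):
            flag_bad.append(cve)
        if remote == "Yes":
            urgent.append(cve)  # the rows to patch first: no credentials needed
    return score_bad, flag_bad, urgent
```

Every published score in the matrix is reproduced by the formula, so a row whose recomputed score disagrees with the published one usually means a transcription error in your own tracking sheet rather than in the advisory.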