Oracle should take a closer look at security and severity scoring, says Imperva

Oracle should review the severity scoring of its security updates, as the current system is misleading, according to security firm Imperva.

Oracle should review the severity scoring of its security updates, as the current system is misleading, according to security firm Imperva.

The call comes after the release of Oracle's latest quarterly critical patch update, which contains 78 new security fixes across all product families, including 16 in the database server product.

For this release, and historically, the security scoring does not always reflect the true operational risk, said Amichai Shulman, chief technology officer at Imperva.

CVE-2011-2253, for example, is rated as 7.1 on the severity scale (CVSS score), but it requires privileged SYSDBA to abuse this vulnerability, which would place this problem much lower on most security professionals' priority list, and consequently, it should be scored lower, he said.

"By contrast, CVE-2011-0835 and CVE-2011-0880 allow you to take over the entire database with just a valid set of credentials, yet scores much lower at 6.5," said Shulman.

Mislabelled vulnerabilities affect risk management

Unfortunately, given the pervasiveness of the Oracle database, mislabelling the security impact of vulnerabilities can adversely affect the risk management process, he said.

The CPU also highlights serious security problems with proprietary Java Virtual Machine JRockit and Oracle Secure Backup, said Shulman.

"We see serious security problems with these products, which are notorious for producing severe vulnerabilities," he said.

Vulnerabilities CVE-2011-0873 (JRockit) and CVE-2011-2261 (Oracle Secure Backup) in the latest CPU each received a CVSS score of 10, the most severe vulnerability rating.

"Oracle should take a closer look at the security of these products as their poor track record may indicate a deeper, systemic security problem," said Shulman.

Address critical vulnerabilities first

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible, but with such a large number of patches on offer, organisations will have to concentrate on the most critical and work from there, said Marcus Carey, security researcher at security firm Rapid7.

According to Carey, there are seven "deadly" vulnerabilities that require immediate attention. These are CVE-2011-0873, CVE-2011-2239, CVE-2011-2253, CVE-2011-2261, CVE-2011-2285, CVE-2011-2288, CVE-2011-2305, any one of which could result in complete compromise of a system.

Of these, the worst three are CVE-2011-0873, CVE-2011-2261 (highlighted by Shulman), and CVE-2011-2288 (SPARC T3 Series), said Carey, as they are remotely exploitable with a low complexity to launch a successful attack.

"This big three do not require credentials to exploit. These are the type of attacks that are probably already being exploited in the wild," he said.

CVE-2011-0873 can be exploited via HTTP, CVE-2011-2261 can be exploit via multiple protocols, and CVE-2011-2288 can be exploited by SSH.

Organisations can expect to see publicly available exploits on the big three soon, Carey warned.

Photo: Peter Kaminski

Read more on IT risk management