The main problem with the Oracle CVSS base scores is more with CVSS than Oracle. Under the CVSSv2 definition of Confidentiality/Integrity/Availability impact, if the entire database is compromised but not the "entire system" then the metric value will be Partial rather than Complete. Since the large majority of Oracle database vulnerabilities require a valid database session unless exploited via a blended threat (i.e., such as SQL injection, which is completely ignored by Oracle in any analysis), the maximum realistic score for an Oracle database vulnerability is 6.5 since CIA impact will only ever be Partial except in rare occasions. Oracle does include a "Partial+" in the advisories to indicate where the entire database is compromised. The CVSS definitions around system vs. service vs. application should be strengthened in a future version. Additional information on the Oracle CVSS scores is at http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss

Regarding the quality of information released by Oracle in the CPU advisories, I can easily understand why there are discrepancies between a researcher's advisory and Oracle's. Having worked with Oracle on over 50 vulnerabilities, my experience is that the Oracle security team generally does not spend much effort to fully research, validate, and explore each vulnerability. Rather, the focus is on confirming the vulnerability and coordinating with development to fix the vulnerability as qualified and documented by the security researcher. If the researcher does not provide full details or does not document a specific attack vector, then Oracle probably won't include this in the fix or advisory. This has resulted in a few well-publicized cases where the same vulnerability had to be fixed multiple times since Oracle only fixed the bug based on the exact exploit details/code provided by the security researcher.
-----Original Message-----
From: Joxean Koret [mailto:joxeankoret@xxxxxxxx]
Sent: Saturday, January 10, 2009 12:27 PM
To: security curmudgeon
Cc: Team SHATTER; bugtraq@xxxxxxxxxxxxxxxxx; secalert_us@xxxxxxxxxx
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi,

This is very typical and, in my opinion, you should only consider Team Shatter's advisory trustworthy, not Oracle's. Take for example the bug APPS01 [1] in the Oracle Critical Patch Update of April 2007 [2]: it was a pre-authenticated remote bug (by remote I mean "from the internet", not from an "adjacent network"). The CVSS2 score would be 9/10 (calculate it yourself [3]); however, the Oracle advisory says that a "Valid session" was needed and that the CVSS2 score was 4.2. It's funny.

> As a responsible security professional, I have to assume their research
> is accurate and their advisory should be taken more seriously than
> Oracle's.

Yes, don't trust Oracle's advisories, they aren't real.

[1] http://www.zerodayinitiative.com/advisories/ZDI-08-088
[2] http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
[3] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thanks,
Joxean Koret

On Sat, 2009-01-10 at 11:11 +0000, security curmudgeon wrote:
>
> Summary: Team SHATTER says this is a remote overflow that allows for the
> execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited
> DoS condition (CVSS2 4.0). That is a big discrepancy.
>