Changes in security policies for the Sun product lines

About Oracle Software Security Assurance
Oracle security vulnerability remediation policies
Information contained in the Critical Patch Update and Security Alert advisories
Extension of Oracle Software Security Assurance to the Sun product lines
Security Alerts
Conclusion
For More Information

Introduction

Oracle is in the process of aligning the policies and practices previously in place at Sun Microsystems with Oracle Software Security Assurance policies and procedures. One area where this integration is particularly visible is in the policies and procedures for disclosure of fixes for security vulnerabilities in the Sun product lines.

The Sun product lines present a number of unique attributes for Oracle, including the implications of Open Source and the existence of Operating System specific issues, but in many cases it has been possible to carry over Sun's existing policies to Oracle Software Security Assurance with relatively minor differences.

The following document provides an overview of these differences.

About Oracle Software Security Assurance

Objectives

Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance is Oracle's methodology to build security into the design, build, testing and maintenance of its products, with the goal of ensuring that Oracle's products, and customers' systems leveraging those products, remain as secure as possible.

A set of industry-leading standards, technologies and practices, Oracle Software Security Assurance is aimed at:

  • Fostering security innovation
  • Reducing the incidence of security weaknesses in Oracle products
  • Reducing the impact on customers of security weaknesses in released products

For more information about Oracle Software Security Assurance, see http://www.oracle.com/security/software-security-assurance.html

Oracle security vulnerability remediation policies

The Critical Patch Update (CPU) is the primary mechanism for the release of security bug fixes for Oracle products. Critical Patch Updates are released quarterly on the Tuesdays closest to the 15th of the months of January, April, July, and October. Starting in January 2011, Critical Patch Updates will be released on the Tuesdays closest to the 17th of the months of January, April, July, and October.
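The quarterly schedule above can be turned into a patch-planning helper. The following Python is an added example, not Oracle's own code; it assumes that when the anchor day falls on a Saturday (so the Tuesdays before and after are equally close) the later Tuesday is used, which the page does not state.

```python
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)   # January, April, July, October
TUESDAY = 1                  # date.weekday(): Monday == 0, Tuesday == 1


def anchor_day(year: int) -> int:
    """Day of the month the CPU Tuesday is anchored to: the 15th through 2010,
    the 17th from January 2011 onward (as stated in the policy text)."""
    return 17 if year >= 2011 else 15


def cpu_date(year: int, month: int) -> date:
    """Release date of the CPU for the given year and CPU month: the Tuesday
    closest to the anchor day. Assumption (not on the page): if the anchor is a
    Saturday, the Tuesdays before and after are both 3 days away and the later
    one is chosen."""
    if month not in CPU_MONTHS:
        raise ValueError(f"{month} is not a CPU month; expected one of {CPU_MONTHS}")
    anchor = date(year, month, anchor_day(year))
    forward_days = (TUESDAY - anchor.weekday()) % 7      # 0..6 days to next Tuesday
    forward = anchor + timedelta(days=forward_days)
    backward = forward - timedelta(days=7)
    # forward_days <= 3 means the next Tuesday is at least as close as the previous one
    return forward if forward_days <= 3 else backward


def cpu_schedule(year: int) -> list:
    """All four CPU release dates for a year, in order."""
    return [cpu_date(year, m) for m in CPU_MONTHS]


def next_cpu(today: date) -> date:
    """First CPU release date on or after `today`, for scheduling a patch window."""
    year = today.year
    while True:
        for m in CPU_MONTHS:
            d = cpu_date(year, m)
            if d >= today:
                return d
        year += 1


if __name__ == "__main__":
    for d in cpu_schedule(2011):
        print(d.isoformat(), d.strftime("%A"))
```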

In addition, Oracle retains the ability to issue out-of-cycle patches or workaround instructions in case of particularly critical vulnerabilities and/or when active exploits are reported "in the wild". This program is known as the Security Alert program.

Information about all previously-released Security Alerts and Critical Patch Updates, along with the links to download security patches, is posted on the Security Alerts and Critical Patch Updates page located at
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Information contained in the Critical Patch Update and Security Alert advisories

The format of the CPU and Security Alert advisories is different from the one used previously by Sun. While Sun customers may find themselves initially unfamiliar with the new format of the security advisories, the information contained in the CPU and Security Alert advisories is generally very similar to that disclosed by Sun.

Common Vulnerabilities and Exposures ("CVE")

A Common Vulnerabilities and Exposures (CVE) number provides a universal and unique identifier for an individual security vulnerability. Oracle is a CVE Numbering Authority, and as such, all new vulnerabilities listed in a security advisory will receive a CVE number. Sun used CVEs only in certain circumstances, but they will now be used for all new vulnerabilities.

For more information on CVE, see Mitre's web site at http://cve.mitre.org/

Common Vulnerability Scoring System ("CVSS")

CPU and Security Alert advisories include a risk matrix, which lists the CVSS Base Score for each vulnerability. This CVSS Base Score provides a standard measure of the relative severity of a vulnerability. Oracle's use of CVSS is further explained at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

While Sun did not use CVSS, much of the same information was provided in the text of its advisories. Along with a CVSS Base Score, this information will now be provided in the risk matrices of the advisories, which describe how an attack could happen, how difficult it is to exploit, and the impact of a successful attack.

The information provided in the risk matrices is intended to help customers assess the impact of a vulnerability and determine whether they need to apply the required fixes, without empowering malicious attackers who routinely use security bulletins as a source of information to develop and conduct attacks or develop malicious code.

Extension of Oracle Software Security Assurance to the Sun product lines

With the exception of the security fixes for 3rd party code or products which are not owned or controlled by Oracle, the security fixes for the Sun product lines will be released and announced in the same fashion as other Oracle products. For more information on Oracle security vulnerability fixing policy and process, see http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

Java

Sun released security updates for Java Platform, Standard Edition (Java SE) three times a year (roughly once every 4 months). These security updates are now released as Java SE Critical Patch Updates and use the Oracle Critical Patch Update advisory format. There is no change except for the format of the advisory. The frequency with which Java SE security updates are released is not expected to change in the short term.


3rd Party Products

A large number of products and components initially developed or controlled by third parties (e.g. Kerberos) are distributed with the Sun product lines. These 3rd party products and components range from software programs, which are included with Solaris as part of the Sun Freeware collection, to components such as Sendmail, Kerberos, or Adobe Acrobat, which are tightly woven into Solaris.

Oracle (and Sun previously) typically does not have control over the timing and content of the security fixes created by the third parties. In order to maintain the security posture of the customers using these third-party products and components, Oracle will continue Sun's practice of announcing the availability of these third-party fixes when they become available. The availability of third-party fixes will continue to be published on the Oracle Third Party Vulnerability Resolution Blog located at http://blogs.oracle.com/sunsecurity/

Critical Patch Updates for Sun product lines

The Critical Patch Update will become the primary mechanism for communicating the release of security fixes for the Sun product lines.

Previously, security fixes for Solaris were included in both the Recommended Clusters and Sun Alert Clusters provided by Sun. Under the Critical Patch Update model, a snapshot of the Recommended Cluster that contains all of the fixes referenced in the CPU will be made available as a CPU cluster on the day the CPU is released.

For Sun products that were not part of the Solaris cluster, the CPU advisory will instruct users on the location of the relevant security fixes.

Security Alerts

Oracle may issue an out-of-cycle Security Alert in case of a unique or dangerous threat for Sun products. In this event, customers will be notified of the Security Alert by email notification through My Oracle Support and Oracle Technology Network. The fix included in the Security Alert will also be included in the next Critical Patch Update. The Security Alert program preserves Sun's ability to quickly produce critical security fixes when necessary.

Conclusion

By harmonizing the security fix release schedule and standardizing the format of the security advisories across all Oracle and Sun product lines, Oracle allows customers to develop repeatable procedures for security patching. This predictable security patching schedule also makes it easier for customers to allocate resources at the appropriate time, which should result in a higher percentage of customers installing the relevant security patches and remaining on current security patch levels. The bundling of multiple fixes also allows for concentrated testing of the patch bundle, which should result in fewer complications and conflicts between individual fixes. Furthermore, consistency in the delivery of the security information contained in the advisories will greatly simplify the task of the personnel responsible for interpreting these advisories and making patching decisions.

This page will be periodically updated to provide additional information on specific Sun product lines.

For More Information

The Security Alerts and Critical Patch Updates page includes links to all previously-released security advisories from Oracle. It is also where all future Security Alert and Critical Patch Update advisories will be located. This page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

For more information on Oracle security vulnerability fixing policy and process, see http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

Oracle's use of CVSS to rate the relative severity of security vulnerabilities is explained at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html