Oracle and the Common Criteria

Oracle is an active advocate of the Common Criteria. The first vendor to develop and evaluate database protection profiles, Oracle was the first database vendor to be awarded a Common Criteria certificate for its Oracle7, Release 7.2 database server product. 

Overview of the Common Criteria
The International Common Criteria for Information Technology Security Evaluation is a joint effort between North America and the European Union to develop a single set of internationally recognized security criteria. Recently finalized as an ISO standard (number 15408), the Common Criteria supersedes the existing US TCSEC and the European ITSEC. It has been since embraced by most countries around the world as the de facto security evaluation criteria. All documents on the Common Criteria can be downloaded from the CC's official web site.

The Common Criteria awards successfully evaluated products evaluation assurance level (EAL) ratings from EAL1 (lowest) to EAL7 (highest).

To date all of Oracle's evaluations have been performed under Common Criteria version 2. The latest Common Criteria version is 3.1 and was released in September 2006.

Evaluation Status
Within the Common Criteria there are two evaluation states:
In Evaluation  and Evaluated.

Common Criteria Evaluated Oracle Products
Queries regarding the versions of guidance documents obtained from Oracle can be raised by sending an email to seceval_us@oracle.com and if required, a copy of the evaluated version can be provided by email.

Oracle Database

Oracle Servers

Oracle Middleware

Oracle Applications

Protection Profiles

Other Products

Oracle Database

Oracle Enterprise Linux

Oracle Solaris

Oracle Application Server

Oracle AquaLogic

Oracle Business Intelligence

Oracle Enterprise Manager

Oracle Identity and Access Management
 

Oracle Identity Manager

 

Oracle Internet Directory

Oracle WebLogic

Oracle Primavera

Database Management Systems

Java Card

Other Oracle Products

 

Database Management System Protection Profiles
Oracle is the only database vendor who has produced and evaluated database management system protection profiles for CC evaluations. Three profiles have been produced and evaluated for Oracle's database server evaluations. The Database Management System Protection Profile is the most recent Oracle produced Protection Profile and has been evaluated to EAL3.

In June 2006 the U. S. Government Protection Profile Database Management Systems For Basic Robustness Environments version 1.1 was Common Criteria certified.

Protection Profiles Produced and Evaluated for Oracle's Database Server Evaluations

 

Java Card Protection Profiles
Oracle has created protection profiles for Java Card implementations, to help creators of products based on Java Card technology meet the demand by banks, governments, and other card issuers for security evaluations that comply with a rigorous, widely accepted standard. The latest Java Card Protection Profile is version 3.0, which has been certified at the EAL4+ assurance level by ANSSI, allows Java Card vendors to certify products based on the Java Card Specification, in its 2.2.1, 2.2.2, and 3.0.1 (Classic Edition) versions.

Protection Profiles Produced and Evaluated for Java Card Implementation Evaluations

Maintenance Report

Maintenance Report


Superseded Java Card Protection Profiles