Security Vulnerability Fixing Policy and Process

(Revised Oct. 20, 2009)

The following document describes Oracle's policy and process for fixing security vulnerabilities under Oracle Software Security Assurance.

Critical Patch Updates

Fixes for security vulnerabilities are released in quarterly Critical Patch Updates. These are released on dates announced a year in advance and published on the Oracle Technology Network Critical Patch Updates page. The patches address significant security vulnerabilities and include fixes that are prerequisites for the security fixes.

The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards EnterpriseOne, JD Edwards OneWorld XE, Siebel CRM, Oracle Communications Suite and Oracle WebLogic Suite. Updates for all products are issued on the same day. Updates for Oracle products are available on My Oracle Support, Oracle's support Web site.

Cumulative versus One-Off Patches

The Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business Suite R12 and Oracle Communications Suite patches are cumulative; each Critical Patch Update contains the security fixes from all previous Critical Patch Updates. In practical terms, the latest Critical Patch Update is the only one that needs to be applied if you are solely using these products, as it contains all required fixes. Fixes for other products are released as one-off patches, so it is necessary to refer to previous Critical Patch Update advisories to find all patches that may need to be applied.

Announcement of Security Fixes

It is Oracle's policy not to announce security fixes until they are available for all affected and supported product version and platform combinations. For some products, there can be more than eighty of these version-platform combinations. As a result, Critical Patch Update patches for particular version-platform product combinations may consist of announced and unannounced vulnerability fixes. An unannounced vulnerability fix can be included in a given Critical Patch Update patch when some, but not all, parts of the vulnerability are fixed, or because the fix is available on some, but not all, version-platform combinations of a given product. Oracle announces vulnerability fixes in Critical Patch Update Advisories (see the Critical Patch Update Documentation section below) only after they are available for all version-platform combinations. Oracle recommends that you install all Critical Patch Updates.

Security Fixes and Patch Sets

Security fixes are also included in patch sets (or equivalent) and in new product releases. Oracle aims to include all security fixes in a Critical Patch Update in subsequent patch sets and product releases. If this is not possible, due to the timing of a release, we create a patch containing the latest Critical Patch Update fixes that can be applied on top of the newly released patch set or product release.

Order of Fixing Security Vulnerabilities

Oracle fixes significant security vulnerabilities in severity order. We believe that this practice ensures that the most critical issues are always fixed first, to maximize protection of our customers.

Security vulnerabilities are fixed in the following order:

  1. Main code line, that is, the code being developed for the next major release of the product.
  2. Next patch set for all non-terminal releases (e.g., 10.2.0.4 but not 9.2.0.8).
  3. Critical Patch Updates for all supported patch sets that have not previously received the appropriate fix.

The fixes are scheduled for inclusion in a future Critical Patch Update. However, fixes may be backported for inclusion in future patch sets or product releases that are released before their inclusion in a future Critical Patch Update.

The inclusion of security fixes in future patch sets and product releases gives customers more patching strategy choices. We also believe that including security fixes in patch sets and releases maximizes the protection for customers and minimizes their subsequent patching costs.

We recommend that every Critical Patch Update be applied to all affected products. Systems updated with patch sets or upgraded with a new product release will pick up the security fixes previously included in the patch set or release. This can be used as a means to apply security fixes, but Critical Patch Updates should remain the primary means of applying security fixes as they are released more frequently than patch sets and new product releases.

The diagram below shows a hypothetical example where a new product release and a patch set are released between the security vulnerability being fixed and the fix being released in a Critical Patch Update.

Example: Security Vulnerability Fix Timeline


Critical Patch Update Documentation

Each Critical Patch Update has an advisory as its top-level document. This lists the products affected and contains a risk matrix for each product suite.

In order to prevent undue risks to our customers, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update (or Security Alert) advisory and pre-release note, the pre-installation notes, the readme files, and FAQs. Furthermore, Oracle provides all customers with the same information in order to protect all customers equally. Oracle does not provide advance notification to individual customers. Finally, Oracle does not develop or distribute active exploit code (or proof of concept code) for vulnerabilities in our products.

Risk Matrices

The risk matrices provide information to help customers assess the risk posed by the security vulnerabilities in their specific environment. They can be used to identify the systems most at risk so they can be patched first. Each new security vulnerability fixed in a Critical Patch Update is listed in a row of the risk matrix for the product it affects.

Common Vulnerability Scoring System (CVSS)

In October 2006, Oracle switched from a proprietary method for indicating the relative severity of security vulnerabilities in the risk matrices to the Common Vulnerability Scoring System (CVSS). FIRST's web site describes CVSS as a rating system "designed to provide open and universally standard severity ratings of software vulnerabilities." CVSS is a standardized method for assessing security vulnerabilities.

For each vulnerability newly fixed in the Critical Patch Update, Oracle provides values for CVSS metrics indicating:

  • The preconditions required to exploit the vulnerability and the ease of exploit; and
  • The impact of a successful attack in terms of confidentiality, integrity and availability to the targeted system.

CVSS uses a formula to turn this information into a base score between 0.0 and 10.0, where 10.0 represents the most severe vulnerability. The risk matrices are ordered using this value, with the most severe vulnerability at the top. Oracle adopted version 2.0 of the CVSS standard in October 2007 and is currently using it.
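As an added example (not part of Oracle's document), the following Python script computes CVSS v2 base scores from the six base-metric vector strings using the base equation and weights published in FIRST's CVSS v2 specification, then orders a risk matrix most-severe-first as described above. The component names and vectors are constructed samples, not real Oracle findings.

```python
import math

# Base-metric weights from the FIRST CVSS v2 specification (not stated on this page).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector: Local / Adjacent / Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity: High / Medium / Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication: Multiple / Single / None
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality impact: None / Partial / Complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability impact
}

def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into metric weights; rejects malformed vectors."""
    metrics = dict(part.partition(":")[::2] for part in vector.split("/"))
    if tuple(metrics) != tuple(WEIGHTS) or any(v not in WEIGHTS[k] for k, v in metrics.items()):
        raise ValueError("not a well-formed CVSS v2 base vector: %r" % vector)
    return {k: WEIGHTS[k][v] for k, v in metrics.items()}

def round1(x):
    """Round half up to one decimal, as CVSS v2 specifies (Python's round() is half-even)."""
    return math.floor(x * 10 + 0.5) / 10

def base_score(vector):
    """CVSS v2 base equation: a score from 0.0 to 10.0, where 10.0 is the most severe."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176   # no impact on C, I or A yields a 0.0 score
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def order_risk_matrix(rows):
    """Return risk-matrix rows most severe first, the order Oracle uses in its risk matrices."""
    return sorted(rows, key=lambda row: base_score(row["vector"]), reverse=True)

# Constructed sample rows: hypothetical components and vectors, not real Oracle findings.
SAMPLE_ROWS = [
    {"component": "Hypothetical Component A", "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"},
    {"component": "Hypothetical Component B", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"component": "Hypothetical Component C", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]

if __name__ == "__main__":
    for row in order_risk_matrix(SAMPLE_ROWS):
        print("%4.1f  %-28s  %s" % (base_score(row["vector"]), row["vector"], row["component"]))
```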

My Oracle Support Note 394487.1 (subscription required) provides a detailed explanation of how the CVSS ratings are applied in the Critical Patch Update (CPU) documentation.

Executive Summary

In order to help organizations quickly assess the importance of the potential security issues fixed in the Critical Patch Update, Oracle provides an executive summary with a high level synopsis of the security defects in each product addressed by the Critical Patch Update. This executive summary provides a "plain English" explanation of the vulnerabilities addressed in the Critical Patch Update.

Critical Patch Update Pre-Release Announcement

Oracle publishes a summary of the Critical Patch Update Documentation on the Thursday prior to each Critical Patch Update release date. This summary, called a Critical Patch Update Pre-Release Announcement, provides advance information about the upcoming Critical Patch Update, including:

  • Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the Critical Patch Update
  • Number of security fixes for each product suite
  • Highest CVSS base score for each product suite
  • And, potentially, any other information that may be relevant to help organizations plan for the application of the Critical Patch Update in their environment

While Oracle ensures that each Pre-Release Announcement is as accurate as possible at the time of its publication, the actual content of each Critical Patch Update may change after the publication of its Pre-Release Announcement. The Critical Patch Update Advisory should therefore be considered as the only accurate description of the actual content of the Critical Patch Update.

Credit for Reporting Vulnerabilities

Oracle appreciates and values the members of the independent security research community who find vulnerabilities, bring them to our attention, and work with Oracle so that security fixes can be issued to all customers.

Oracle's policy is to credit all researchers who follow responsible disclosure practices, that is, researchers who:

  • Do not publish the vulnerability prior to Oracle releasing a fix for it
  • Do not divulge exact details of the issue, for example, through exploits or proof-of-concept code

Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.

Security Alerts

Security Alerts are a release mechanism for one bug or a small number of bugs.

Security Alerts were used up until August 2004 as the main release vehicle for security fixes. At the beginning of 2005 Oracle began releasing fixes in Critical Patch Updates, but Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the Security Alert by email notification through My Oracle Support and Oracle Technology Network. The fix included in the Security Alert will also be included in the next Critical Patch Update.

References

Oracle Critical Patch Updates & Security Alerts
Oracle Support Services, My Oracle Support (requires account log in)
Oracle Security Technology Center
Oracle Software Security Assurance