Security Vulnerability Fixing Policy and Process
The following document describes Oracle's policy and process for fixing security vulnerabilities under
Oracle Software Security Assurance.
Critical Patch Updates
Fixes for security vulnerabilities are released in quarterly Critical Patch Updates. These are released on dates announced a year in advance and published on the
Oracle Technology Network Critical Patch Updates page. The patches address significant security
vulnerabilities and include fixes that are prerequisites for the security fixes.
The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite,
PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards EnterpriseOne, and JD Edwards OneWorld XE. Updates for all products are issued on the same day. Updates for
Oracle products are available on MetaLink, Oracle's support Web site, and on Customer Connection for PeopleSoft and JD Edwards products.
Cumulative versus One-Off Patches
The Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager and Oracle E-Business Suite R12 patches are cumulative; each Critical Patch Update
contains the security fixes from all previous Critical Patch Updates. In practical terms, the latest Critical Patch Update is the only one that needs to be applied if
you are solely using these products, as it contains all required fixes. Fixes for other products are released as one-off patches, so it is necessary to refer to
previous Critical Patch Update advisories to find all patches that may need to be applied.
Announcement of Security Fixes
It is Oracle's policy not to announce security fixes until they are available for all affected and supported product version
and platform combinations. For some products, there can be more than eighty of these version-platform combinations. As a result,
Critical Patch Update patches for particular version-platform product combinations may consist of announced and unannounced
vulnerability fixes. An unannounced vulnerability fix can be included in a given Critical Patch Update patch when some, but not
all parts of the vulnerability are fixed, or because the fix is available on some, but not all version-platform combinations of a
given product. Oracle will only announce (see Critical Patch Update Documentation section below) vulnerability fixes in Critical
Patch Update Advisories after they are available in all version-platform combinations. Oracle recommends that you install all
Critical Patch Updates.
Security Fixes and Patch Sets
Security fixes are also included in patch sets (or equivalent) and in new product releases. Oracle aims to include all security fixes in a Critical Patch Update
in subsequent patch sets and product releases. If this is not possible, due to the timing of a release, we create a patch containing the latest Critical Patch Update
fixes that can be applied on top of the newly released patch set or product release.
Order of Fixing Security Vulnerabilities
Oracle fixes significant security vulnerabilities in severity order. We believe that this practice ensures that the most critical issues are always fixed first,
to maximize protection of our customers.
Security vulnerabilities are fixed in the following order:
- Main code line, that is the code being developed for the next major release of the product.
- Next patch set for all non-terminal releases (e.g. 10.2.0.4 but not 9.2.0.8)
- Critical Patch Updates for all supported patchsets that have not previously received the appropriate fix.
The fixes are scheduled for inclusion in a future Critical Patch Update. However, fixes may be backported for inclusion in future patch sets or product releases
that are released before their inclusion in a future Critical Patch Update.
The inclusion of security fixes in future patch sets and product releases allows customers more patching strategy choices. We also believe that including security
fixes in patch sets and releases maximizes the protection for customers and minimizes their subsequent patching costs.
We recommend that every Critical Patch Update be applied to all affected products. Systems updated with patch sets or upgraded with a new product release will pick
up the security fixes previously included in the patch set or release. This can be used as a means to apply security fixes, but Critical Patch Updates should remain
the primary means of applying security fixes as they are released more frequently than patch sets and new product releases.
The diagram below shows a hypothetical example where a new product release and a patch set are released between the security vulnerability being fixed and the fix
being released in a Critical Patch Update.

Critical Patch Update Documentation
Each Critical Patch Update has an advisory as its top-level document. This lists the products affected and contains a risk matrix for each product suite.
In order to prevent undue risks to our customers, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in
the Critical Patch Update (or Security Alert) advisory and pre-release note, the pre-installation notes, the readme files, and FAQs. Furthermore, Oracle provides
all customers with the same information in order to protect all customers equally. Oracle does not provide advance notification to individual customers. Finally,
Oracle does not develop or distribute active exploit code (or proof of concept code) for vulnerabilities in our products.
Risk Matrices
The risk matrices provide information to help customers assess the risk posed by the security vulnerabilities in their specific environment. They can be used to
identify the systems most at risk so they can be patched first. Each new security vulnerability fixed in a Critical Patch Update is listed in a row of the risk
matrix for the product it affects.
Common Vulnerability Scoring System (CVSS)
In October 2006, Oracle switched from a proprietary method for indicating the relative severity of security vulnerabilities in the risk matrices to the Common
Vulnerability Scoring System (CVSS). FIRST's web site describes CVSS as a rating
system “designed to provide open and universally standard severity ratings of software vulnerabilities.” CVSS is a standardized method
for assessing security vulnerabilities.
For each vulnerability newly fixed in the Critical Patch Update, Oracle provides values for CVSS metrics indicating:
- The preconditions required to exploit the vulnerability and the ease of exploit; and
- The impact of a successful attack in terms of confidentiality, integrity and availability to the targeted system.
CVSS uses a formula to turn this information into a base score between 0.0 and 10.0, where 10.0 represents the most severe vulnerability. The risk matrices are
ordered using this value, with the most severe vulnerability at the top. Oracle adopted version 2.0 of the CVSS standard in October 2007 and currently uses it.
MetaLink Note 394487.1 (subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.
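The passage above says that CVSS turns the exploitability preconditions and the confidentiality, integrity and availability impacts into a base score, and that the risk matrix rows are ordered by that score. The following Python is an added example, not code from this page or from Oracle: it implements the public CVSS v2.0 base-score equation (the metric weights and the 1.176 impact factor come from the CVSS v2 specification), parses the usual `AV:N/AC:L/Au:N/C:P/I:P/A:P` vector notation, and orders a constructed set of risk-matrix rows most severe first. The row identifiers and components are placeholders made up for the illustration, not real Oracle vulnerabilities.

```python
"""CVSS v2.0 base-score calculator and risk-matrix ordering (added example).

The weights and equation are those of the public CVSS v2.0 specification.
The vulnerability rows at the bottom are constructed for illustration only.
"""
import math

# CVSS v2.0 metric weights (from the specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}       # None / Partial / Complete

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: value}, validating it."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    if tuple(sorted(metrics)) != tuple(sorted(REQUIRED_METRICS)):
        raise ValueError(f"vector must contain exactly {REQUIRED_METRICS}: {vector!r}")
    tables = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
              "C": IMPACT_WEIGHT, "I": IMPACT_WEIGHT, "A": IMPACT_WEIGHT}
    for name, value in metrics.items():
        if value not in tables[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
    return metrics


def _round1(x: float) -> float:
    """Round half up to one decimal place, as the CVSS v2 equation specifies."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """CVSS v2.0 base score (0.0 .. 10.0) for a base vector string."""
    m = parse_vector(vector)
    # Impact sub-score: how much C, I and A suffer on a successful attack.
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                        * (1 - IMPACT_WEIGHT[m["I"]])
                        * (1 - IMPACT_WEIGHT[m["A"]]))
    # Exploitability sub-score: preconditions and ease of exploit.
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # f(Impact) is 0 when there is no impact at all, so such vectors score 0.0.
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def order_risk_matrix(rows):
    """Return the rows sorted most severe first, as the risk matrices are ordered."""
    return sorted(rows, key=lambda r: base_score(r["vector"]), reverse=True)


# Constructed sample rows (placeholder ids and components, not real findings).
SAMPLE_ROWS = [
    {"id": "EXAMPLE-1", "component": "Component A", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"},
    {"id": "EXAMPLE-2", "component": "Component B", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "EXAMPLE-3", "component": "Component C", "vector": "AV:L/AC:M/Au:S/C:P/I:P/A:P"},
    {"id": "EXAMPLE-4", "component": "Component D", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]

if __name__ == "__main__":
    for row in order_risk_matrix(SAMPLE_ROWS):
        print(f'{row["id"]:10} {row["component"]:12} {row["vector"]:28} {base_score(row["vector"]):4.1f}')
```

Two things the ordering makes visible that the prose does not: an unauthenticated, network-reachable vulnerability with complete impact on all three properties scores the maximum 10.0, and two vulnerabilities can land within a tenth of a point of each other (4.1 versus 4.0 here) while differing substantially in preconditions, which is why the risk matrix also lists the underlying metrics rather than the score alone.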
Executive Summary
In order to help organizations quickly assess the importance of the potential security issues fixed in the Critical Patch Update, Oracle provides an executive
summary with a high level synopsis of the security defects in each product addressed by the Critical Patch Update. This executive summary provides a "plain
English" explanation of the vulnerabilities addressed in the Critical Patch Update.
Critical Patch Update Pre-Release Announcement
Oracle publishes a summary of the Critical Patch Update Documentation on the Thursday prior to each Critical Patch Update release date.
This summary, called a Critical Patch Update Pre-Release Announcement, provides advance information about the upcoming Critical Patch Update, including:
- Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the Critical Patch Update
- Number of security fixes for each product suite
- Highest CVSS base score for each product suite
- And, potentially, any other information that may be relevant to help organisations plan for the application of the Critical Patch Update in their environment
While Oracle ensures that each Pre-Release Announcement is as accurate as possible at the time of its publication, the actual content of each Critical Patch Update
may change after the publication of its Pre-Release Announcement. The Critical Patch Update Advisory should therefore be considered as the only accurate description of
the actual content of the Critical Patch Update.
Credit for Reporting Vulnerabilities
Oracle appreciates and values the members of the independent security research community who find vulnerabilities, bring them to our attention, and work with Oracle
so that security fixes can be issued to all customers.
Oracle's policy is to credit all researchers who follow responsible disclosure practices, including:
- Do not publish the vulnerability prior to Oracle releasing a fix for it
- Do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.
Security Alerts
Security Alerts are a release mechanism for one bug or a small number of bugs.
Security Alerts were used up until August 2004 as the main release vehicle for security fixes. At the beginning of 2005 Oracle began releasing fixes in Critical
Patch Updates, but Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the
Security Alert by email notification through MetaLink and
Oracle Technology Network. The fix included in the Security Alert will also be included in
the next Critical Patch Update.
References
Oracle Critical Patch Updates & Security Alerts
Oracle Support Services MetaLink (requires account log in)
Oracle Security Technology Center
Oracle Software Security Assurance