Third-Party Software Components


Third-party software components, including open source components, are routinely used by commercial software vendors and cloud service providers. Oracle Software Security Assurance sets a number of formal requirements to help mitigate some potential security risks associated with the use of third-party software components included in Oracle’s products and cloud services.

Selection Criteria

Oracle requires security reviews for any third-party components embedded in Oracle products and cloud services.

The development teams must use current and actively maintained versions of third-party software. Teams must verify that third-party components are free of publicly reported vulnerabilities at the time of their inclusion in an Oracle product distribution or use by a cloud service. They must also verify that there is active maintenance for any third party component selected, and must confirm that component maintenance (either by the component source, by a fourth party, or by Oracle) extends throughout the support life of the embedding product.

Development teams are required to compile binaries for third party open source components from source code. This ensures that the binaries used in Oracle products derive from known source code, which improves Oracle’s ability to support that code if needed, and reduces the risk of malicious functionality being embedded in third party binaries.

Ongoing Maintenance

Under Oracle Software Security Assurance, development teams are required to monitor third-party components in use for reports of new security vulnerabilities. Software Composition Analysis (SCA) tools are integrated into DevOps processes to scan Oracle software. These tools can help identify newly-reported vulnerabilities in third party components. Oracle requires third-party components to be updated and patched in a timely fashion.

Distribution of third-party patches

The primary mechanism for the backport of fixes for security vulnerabilities in Oracle on-premises products is the quarterly Critical Patch Update (CPU) program. Patches for non-Oracle Common Vulnerabilities and Exposures (CVEs) represent a significant proportion of the content of each CPU release.

Solaris Third Party Bulletins are used to announce security patches for third-party software distributed with Oracle Solaris.