Security software vendor AppSec says that Oracle rates its vulnerabilities inadequately. According to researchers at Application Security Inc. (AppSec), Oracle Corporation may be misleading customers about the seriousness of some of the vulnerabilities discovered in its software.
“Oracle likes to downplay the risk of vulnerabilities,” said Alex Rothacker, Director of Research at AppSec. “As a result, organizations that use Oracle's vulnerability ratings to prioritize updates may unduly delay applying some critical patches,” he said.
Every three months, Oracle assembles and releases patches that fix newly discovered vulnerabilities in its software products. The company ranks the severity of these vulnerabilities using an industry standard, the Common Vulnerability Scoring System (CVSS).
AppSec's attention focuses on a rating that is unique to Oracle: Partial+. A CVSS score is a single number between 1 and 10 that indicates the severity of a vulnerability. The number itself is the average of several numbers that each measure a different aspect of the danger the vulnerability poses.
One set of CVSS numbers assesses how serious the damage caused by malicious software written for a specific vulnerability could be. If such an exploit could only harm the attacked software, it is given a Partial rating. But if the exploit could cause serious damage to the underlying system, it is given a Complete rating, which raises the score.
“Using such a system, Oracle almost never assigns Complete. In most cases the company chooses the Partial+ rating, which is Oracle's own variant of Partial,” Rothacker noted. In some cases Oracle applies Partial+ to database vulnerabilities that Rothacker described as system-level vulnerabilities.
Oracle nevertheless acknowledges that some users may want to recalculate CVSS scores when a flaw in its software is rated Partial+.
Eric Maurice, Oracle's director of software security assurance, acknowledged in his blog that some companies sometimes prefer to “increase the score when Oracle tells them about a Partial+”.
Official Oracle representatives declined to comment on the matter.
Many organizations rely on CVSS scores to prioritize the installation of patches, which sometimes requires serious, lengthy testing to make sure that the updated software works properly. “It is very difficult for an organization to patch all of its systems. So the organization prioritizes vulnerabilities by their danger in order to deal with the most severe ones first,” Rothacker said.
As an example of the inconsistency of Partial+, Rothacker cited a pair of nearly identical vulnerabilities that an AppSec researcher discovered in the network stack of the Oracle database. “Oracle assigned one vulnerability a CVSS score of 5 points and the other, more serious one a score of 7.8 points, although the vulnerabilities differed from each other by only 1 byte,” security researcher Esteban Martinez Fayo wrote in his blog. The main difference between the two scores was that the one rated less dangerous was given Partial+ status and the other Complete.
Of course, AppSec has its own interest in having the security officers responsible for protecting data review Oracle's vulnerability reports. The company sells monitoring software for assessing database security, as well as its own revised severity scale for Oracle database vulnerabilities. But the company does have real knowledge of Oracle's weaknesses: its researchers found 4 of the 6 database vulnerabilities that Oracle fixed in its latest update.
AppSec is not alone in doubting Oracle's unique Partial+ rating.
By creating the Partial+ rating, Oracle is effectively developing its own measurement system, said Adrian Lane, CTO and analyst at the security firm Securosis. Lane, who also addressed the topic recently in a blog post, said that although CVSS provides only a rough index of a vulnerability's risk, the scoring system is still useful for administrators. “By changing the basic CVSS parameters, Oracle is introducing disorder into the system,” he said.
Lane agreed with Rothacker's assessment: a vulnerability that affects all the tables in a database is a system vulnerability. If a vulnerability affects only a few tables it should be considered Partial, but if an exploit gains control over the entire database it can disrupt the operation of the whole platform and therefore warrants a Complete score, he said.