July 19, 2011

Imperva's CTO Perspective on the July 2011 Oracle CPU

Imperva’s CTO Amichai Shulman’s observations:

The July 2011 Oracle vulnerability announcement contains fixes for 78 vulnerabilities in total, 16 of which are in the database server product.  

I have three observations.  

First, this is a good-sized set of patches for both general Oracle products and in particular the database. Here, you can see the Oracle vulnerability volume per CPU (click for a larger view)


Second, for this release, and historically, the security scoring clearly doesn’t always reflect the true operational risk.  For example, CVE-2011-2253 is rated as a 7.1 on the severity scale (CVSS score).  However, it requires privileged SYSDBA to abuse this vulnerability which would place this problem much lower on most security professional’s priority list.  Consequently, this should be scored lower.  By contrast, CVE-2011-0835 and CVE-2011-0880, allow you to take over the entire database with just a valid set of credentials yet scores much lower at 6.5.  Unfortunately, given the pervasiveness of the Oracle database, mislabeling the security impact of vulnerabilities can adversely affect the risk management process.

Third, with JRockit and Oracle Secure Backup, we see serious security problems with these products—again.  These products are notorious for producing severe vulnerabilities.  In this case, CVE-2011-0873 and CVE-2011-2261, each received a CVSS score of 10.  The lesson?  Oracle should take a closer look at the security of these products as their poor track record may indicate a deeper, systemic security problem.

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.