
Entries For: July 2008

July 27, 2008

Urgent Oracle [BEA] WebLogic Security Patch (CVE-2008-3257)

Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server).  The CVE ID is CVE-2008-3257.  The CVSS 2.0 score for this vulnerability is 10 out of 10.  To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.

The major risk associated with this vulnerability is that there are multiple published exploits, which allow an attacker to compromise the integrity of the web server.

July 15, 2008

Oracle Security Advisories and CVE Identifiers

In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (e.g., DB01, AS01, APP01, etc.).  Common Vulnerabilities and Exposures (CVE) is a standardized dictionary of identifiers for publicly known security vulnerabilities.  The purpose of CVE is to provide a single identifier for each security vulnerability so that vendors, tools, and organizations can all refer to the same vulnerability by the same name.  The format of the CVE identifier is (1) the fixed prefix "CVE" to indicate it is a CVE identifier, (2) the year (e.g., 2008), and (3) a sequence number assigned when the entry was added to CVE (e.g., 2607).  As an example, the first database vulnerability in this CPU is CVE-2008-2607.

The previous Oracle proprietary numbering scheme had several issues in relationship to CVE numbering -

  1. Oracle provided a mapping to previously released CVE identifiers only for vulnerabilities in core components like Apache and OpenSSL.  No mapping was provided for other previously publicly disclosed vulnerabilities, so there are cases where the same vulnerability has two CVE identifiers.
  2. A single CVE identifier was usually assigned to multiple vulnerabilities in an almost arbitrary fashion.  This meant that a CVE identifier might include vulnerabilities from multiple components and in the case of the Oracle E-Business Suite across multiple patches.  For Integrigy, this caused problems with our vulnerability scanning tool, AppSentry, since our reports have to handle many-to-many mappings when dealing with CVEs, patches, and vulnerabilities.
  3. The CVE numbers were usually assigned 1-2 days after the Oracle release.

The CVE identifiers in the Oracle advisory do use a single CVE identifier per vulnerability and map directly to previously disclosed vulnerabilities (see CVE-2007-1359), although it would have been nice if Oracle had included hyperlinks in the advisory to either CVE or NVD for easier access.  It will be interesting to see whether CVE-2007-1359 is actually fixed in this CPU under a new identifier (CVE-2008-2589, CVE-2008-2594, or CVE-2008-2609).  If the CVE identifiers for previously disclosed vulnerabilities are not reused, the CVE identifiers in the advisory become less useful and the same vulnerability is again duplicated in CVE.

Using the CVE Identifiers

Additional information on vulnerabilities can be found either in CVE or in the National Vulnerability Database (NVD) sponsored by the Department of Homeland Security.  NVD contains the most detailed information, including a break-down of the CVSS 2.0 score and links to external references that may have more information on the vulnerability.  The typical process is that a generic NVD entry is created with only a reference to the original Oracle advisory.  When there is a public disclosure with additional details on the vulnerability, the NVD entry is updated with links to that disclosure.  This process should now be much more timely and accurate, as most public disclosures will include the CVE identifier.  Usually, about 30% of the vulnerabilities per quarter will have additional information, and the database vulnerabilities typically have more information than those in the other products.

An example of a fully populated entry is the ModSecurity vulnerability that was previously fixed in ModSecurity 2.1.1 -

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359

An example of an entry with additional details is the buffer overflow in the Oracle AQ package SYS.DBMS_AQELM -

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2607
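As an added example (not code from Integrigy, Oracle, or NVD), the following Python helper does the bookkeeping the two posts above describe: it pulls CVE identifiers out of advisory text, validates and normalizes them, builds the NVD lookup URL in the form cited above, and reports the many-to-many CVE/patch problem from point 2 of the previous post. The advisory text and the patch identifiers PATCH-A and PATCH-B are constructed for the example; the CVE identifiers are the ones cited on this page. The pattern also accepts sequence numbers longer than four digits, which the current CVE syntax permits (the post describes the original four-digit form).

```python
import re
from collections import defaultdict

# Added example: CVE identifier parsing and CVE-to-patch mapping checks.
# CVE syntax: "CVE-" + four-digit year + a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# NVD lookup URL form as cited in the post above.
NVD_URL = "http://nvd.nist.gov/nvd.cfm?cvename={cve}"


def parse_cve(ident):
    """Return (year, sequence) for a well-formed CVE identifier, else raise ValueError."""
    m = CVE_RE.fullmatch(ident.strip())
    if not m:
        raise ValueError("not a CVE identifier: %r" % ident)
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # CVE identifiers were first assigned in 1999
        raise ValueError("CVE years start at 1999: %r" % ident)
    return year, seq


def normalize(ident):
    """Canonical upper-case form, sequence padded to at least four digits."""
    year, seq = parse_cve(ident)
    return "CVE-%d-%04d" % (year, seq)


def extract_cves(text):
    """All distinct CVE identifiers in text, sorted by (year, sequence)."""
    found = {normalize(m.group(0)) for m in CVE_RE.finditer(text)}
    return sorted(found, key=parse_cve)


def nvd_url(ident):
    """NVD entry URL for a CVE identifier (same form as the links in the post)."""
    return NVD_URL.format(cve=normalize(ident))


def cve_patch_matrix(rows):
    """rows: iterable of (patch_id, cve). Returns (cve -> patches, patch -> cves)."""
    by_cve, by_patch = defaultdict(set), defaultdict(set)
    for patch, cve in rows:
        c = normalize(cve)
        by_cve[c].add(patch)
        by_patch[patch].add(c)
    return dict(by_cve), dict(by_patch)


def cves_spanning_patches(rows):
    """CVE identifiers that appear in more than one patch (the many-to-many case)."""
    by_cve, _ = cve_patch_matrix(rows)
    return sorted((c for c, patches in by_cve.items() if len(patches) > 1), key=parse_cve)


# Constructed advisory excerpt (the CVE identifiers are the ones cited on this page).
SAMPLE_ADVISORY = """
Oracle Database: CVE-2008-2607 (Advanced Queuing, SYS.DBMS_AQELM), CVE-2008-2609
Oracle HTTP Server: CVE-2007-1359 (ModSecurity, previously fixed in ModSecurity 2.1.1)
Duplicate mention in a footnote: cve-2008-2607
"""

# Constructed (hypothetical) patch table: one CVE listed under two patches.
SAMPLE_ROWS = [
    ("PATCH-A", "CVE-2008-2607"),
    ("PATCH-B", "CVE-2008-2607"),
    ("PATCH-B", "CVE-2007-1359"),
]

if __name__ == "__main__":
    for cve in extract_cves(SAMPLE_ADVISORY):
        print(cve, nvd_url(cve))
    print("CVEs spanning more than one patch:", cves_spanning_patches(SAMPLE_ROWS))
```

Feeding a real advisory through `extract_cves` gives the de-duplicated, sorted list to look up in NVD; `cves_spanning_patches` flags exactly the identifiers that will need many-to-many handling in a report.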

July 10, 2008

Oracle Critical Patch Update July 2008 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming July 2008 Oracle Critical Patch Update (CPU) -
  • Overall, 45 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • This is the first CPU that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU-supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine whether version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.10.x, and 12.0.x
  • The major CPU version support changes for July 2008 are -
      • Database version 10.2.0.4 is included in the list of affected versions
      • Oracle E-Business Suite 11i version 11.5.9 is no longer supported for CPUs

Oracle Database
  • There are 11 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs.  Usually, the vast majority of database vulnerabilities require authentication.  However, it is highly likely that a portion of these vulnerabilities can be exploited using only PUBLIC privileges, which are accessible to all database accounts.
  • The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting.
  • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
  • The 2 Oracle 11g vulnerabilities discovered by Integrigy are low risk and are not directly exploitable, but may allow authentication security mis-configurations to go undetected.

Oracle Application Server
  • There are 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication.  In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication.  The vulnerabilities are in Hyperion BI Plus, Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
  • The Oracle HTTP Server vulnerabilities may be related to recent Apache HTTP Server and OpenSSL fixes.
  • The Oracle Portal vulnerability may be related to CVE-2008-2138, which is an access restriction bypass issue in the WebDav component of Oracle Portal.

Oracle E-Business Suite 11i and R12
  • There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication.  However, since iStore allows for customer self-registration, most likely the iStore vulnerability (or vulnerabilities) can be readily exploited by an unprivileged user.
  • For the Oracle E-Business Suite 11i, only 11.5.10.x is now supported for CPUs, and it requires that ATG_PF.H RUP 5 or RUP 6 be installed.
  • The 2 Oracle E-Business Suite 11i/R12 vulnerabilities discovered by Integrigy are low risk and are in the Oracle Application Object Library (AOL/FND).

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Correction: This post has been edited to update the supported Oracle E-Business Suite 11i versions.  The original Oracle pre-release and Rev1 of the advisory incorrectly stated only 11.5.10.2 was supported - 11.5.10 and 11.5.10.1 are still supported.