It looks like market pressures are finally forcing Oracle to address flaws in their vulnerability and patch disclosure process. Oracle recently announced that it will be making some changes to its Critical Patch Update (CPU) process, effective with the next CPU on October 17th.
David Litchfield has been one of Oracle’s most vocal critics, at one point even calling for the Oracle CSO’s resignation, and he should be applauded for his efforts. Mogull and I have also been telling Oracle that it needs to address these issues or face significant problems, and the market and Oracle’s customers have become increasingly vocal over the past year.
Oracle has been facing the same pressures that Microsoft faced in the early part of the decade, pressure that resulted in Microsoft integrating strong security best practices into its SDLC and implementing a vulnerability and patch disclosure process that is world class. They still have issues, but they are making admirable progress, and even the cool kids think so. Enough about Redmond though, this is about Redwood Shores…
With the October 17th Critical Patch Update, Oracle will introduce three major enhancements in its CPU documentation:
- Oracle is adopting the Common Vulnerability Scoring System (CVSS)
- Oracle will specifically identify those critical vulnerabilities that may be remotely exploitable without requiring authentication to the targeted system.
- Oracle will provide an executive summary of the security vulnerabilities addressed in the CPU.
“Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication.”
Oracle has been less than transparent (and that is about as nice as anyone can be on the topic) when it comes to vulnerability disclosure and its CPU process, leaving organizations to struggle with prioritizing patches. Patching Oracle products, especially mission-critical databases, is a far more resource-intensive and business-impacting task than patching Microsoft desktops, so providing this level of detail should benefit the enterprise. Of course, we still need to wait until October 17th to see how much visibility they actually provide, and there are still many challenges with patch distribution and updating.
Bottom line: This is a step in the right direction; providing this level of information in the CPU documentation is mandatory and should have been done years ago.