Oracle starts using CVSS risk ratings

Posted by jkouns Fri, 24 Nov 2006 04:54:27 GMT

Oracle’s last quarterly Critical Patch Update included some changes and started using CVSS to rate the severity of its vulnerabilities. Anyone who has ever tried to truly understand Oracle vulnerabilities most likely saw this as a much-needed improvement. The easy, difficult, wide, low, high ratings Oracle used previously made it almost impossible to figure out just how critical the issues were, and then to prioritize patch implementation.

Shortly after the October CPU was released, researchers started to question the CVSS ratings, leading many to believe that Oracle is downplaying the true risk of the vulnerabilities.

Oracle also patched 13 remotely exploitable holes in its Application Server software, the highest of which the vendor rated as 4.7 out of 10. However, a closer examination of the flaws suggests that many of the ratings should be in the 8.0 range, said Caleb Sima, CTO of SPI Dynamics, an Atlanta-based security vendor that also reported bugs to Oracle. “The problem is, Oracle didn’t give enough details [for third parties] to be able to say exactly what the score should be,” Sima said.
http://www.crn.com.au/story.aspx?CIID=67019&src=site-marq

Oracle claims that it is listening to its customers and trying to help organizations really understand the true risk. However, it appears that for many of the vulnerabilities the new format contained even less detail than the old one. Was the only real improvement to the advisories that questionable CVSS ratings were included?
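The CRN quote above makes the core complaint concrete: a bare score such as 4.7 is published without the metric values behind it, so nobody outside Oracle can check it. The following calculator is an added example (mine, not code from this post, from OSVDB or from Oracle). It implements the CVSS version 1 base-score formula and weights published by FIRST in 2005, on the assumption that v1 is the version in use at the time of writing, and then enumerates which metric combinations are consistent with a given published score. The `AV:R/AC:L/...` shorthand is the example's own notation, modelled on the later CVSS vector strings; the v1 guide itself defines no vector syntax.

```python
"""CVSS version 1 base-score calculator plus a "what could the vector be" search.

Formula and weights are those of the CVSS v1 guide (FIRST, 2005):
  BaseScore = round1(10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias))
The 'AV:R/AC:L/Au:N/C:P/I:P/A:N/B:N' string form is this example's own
shorthand (assumption: not part of the v1 guide).
"""
from itertools import product

ACCESS_VECTOR = {"L": 0.7, "R": 1.0}        # Local, Remote
ACCESS_COMPLEXITY = {"H": 0.8, "L": 1.0}    # High, Low
AUTHENTICATION = {"R": 0.6, "N": 1.0}       # Required, Not required
IMPACT = {"N": 0.0, "P": 0.7, "C": 1.0}     # None, Partial, Complete
IMPACT_BIAS = {                             # weights for (conf, integ, avail)
    "N": (0.333, 0.333, 0.333),             # Normal: all three equal
    "C": (0.5, 0.25, 0.25),                 # Confidentiality weighted
    "I": (0.25, 0.5, 0.25),                 # Integrity weighted
    "A": (0.25, 0.25, 0.5),                 # Availability weighted
}
# Metric name -> table of allowed value codes, in vector-string order.
METRICS = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT, "B": IMPACT_BIAS,
}


def base_score(m):
    """Return the v1 base score for a dict mapping metric name -> value code."""
    wc, wi, wa = IMPACT_BIAS[m["B"]]
    impact = IMPACT[m["C"]] * wc + IMPACT[m["I"]] * wi + IMPACT[m["A"]] * wa
    raw = (10 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
           * AUTHENTICATION[m["Au"]] * impact)
    return round(raw, 1)


def parse_vector(vector):
    """Parse the shorthand string into a metric dict; bias defaults to Normal."""
    m = {}
    for part in vector.split("/"):
        name, value = part.split(":")
        if name not in METRICS or value not in METRICS[name]:
            raise ValueError(f"unknown metric or value: {part}")
        m[name] = value
    m.setdefault("B", "N")
    missing = set(METRICS) - set(m)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return m


def score_vector(vector):
    return base_score(parse_vector(vector))


def _completions(known):
    """Yield every full metric dict that agrees with the metrics in `known`."""
    free = [name for name in METRICS if name not in known]
    for combo in product(*(METRICS[name] for name in free)):
        yield dict(known, **dict(zip(free, combo)))


def possible_scores(known):
    """Sorted list of base scores reachable when only `known` metrics are fixed."""
    return sorted({base_score(m) for m in _completions(known)})


def vectors_with_score(score, known):
    """Every full vector consistent with `known` whose base score equals `score`."""
    return ["/".join(f"{k}:{m[k]}" for k in METRICS)
            for m in _completions(known) if base_score(m) == score]


if __name__ == "__main__":
    # Two constructed vectors: one that reproduces the 4.7 quoted in the post,
    # and one that lands in the 8.0 range. They differ only in assumptions
    # about complexity and impact, which is exactly what the advisory omits.
    print(score_vector("AV:R/AC:L/Au:N/C:P/I:P/A:N"))   # 4.7
    print(score_vector("AV:R/AC:H/Au:N/C:C/I:C/A:C"))   # 8.0
    # Knowing only "remote" and "4.7", how many v1 vectors are still possible?
    for v in vectors_with_score(4.7, {"AV": "R"}):
        print(v)
    print("score range given only AV:R:", possible_scores({"AV": "R"})[0],
          "to", possible_scores({"AV": "R"})[-1])
```

Run it and the point of the CRN complaint falls out of the numbers: with nothing but "remotely exploitable" and "4.7" disclosed, several distinct impact combinations all round to 4.7, and the same disclosure is compatible with base scores anywhere from 0.0 to 10.0. A third party cannot confirm or dispute the rating without the metric values, which is why reproducibility of the vector matters more than the headline score.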


Comments

  1. jqfamqmttv said 3 days later:

    SANS top X, CVSS, and informal (mostly proprietary) systems for scoring/rating vulnerabilities do not work yet because they are based on opinion and not on good measurements.

    I do like CVSS (and I do hate SANS), but I have seen plenty of CVSS-based vulnerabilities with totally wrong ratings and/or fail to mention important facts about the vulnerability.

    For example, nowhere does this mention anything about this being a 15 year old vuln in sendmail, having existed since before the 4.4BSD release: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0161

    That’s a pretty important fact.

    Here’s an example of a really poorly done severity rating: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-0567

    Clearly the impact of the Cisco IPv4 Vulnerability was higher than a 3.3 severity since the bug existed in pretty much every shipped and running product at the time.

    So, CVSS is a step in the right direction, but it’s still inherently biased or wrong. Part of the problem is the same issue CERT has had for years - the release of a vulnerability “report” and the release of an exploit “tool” are different occurrences. Hence the problem with the word “zero-day” in the first place. A zero-day what? Bug? Vuln report? Exploit? Warez file?

    We have a hard enough time tracking vulns, let alone individual exploits. Patching usually partially (if not fully) addresses a vuln, while IPS barely addresses “exploits” (which are constantly changing). Full vulnerability management is a process issue… one we are still trying to explore how to handle. I’m pretty sure 3rd party patching can be argued back and forth for another few years.

    I think the CVSS support is more of a marketing checkbox… Tenable just added CVSS support a week ago in what looked more like a press release than a release note (because it was one). This is going to be a trend for a while.
