This post is the farthest thing from picking on or insulting CVE. They were running a VDB some four years before OSVDB entered the picture. More impressive, they operated with a level of transparency that no other VDB offered at the time. Early OSVDB entries suffered just as greatly as the early CVE entries, and we even had the benefit of four years to learn from their efforts. Reading the original CVE entries is a fun look at how it all began. This post is a brief light-hearted look at the past.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0345 – CVE contributors can be stumped
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0465 – Client side vulnerabilities aren’t an issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0285 – No reference, no problem!
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0549 – ISS tried desperately to help.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0684 – A CVE entry can be a duplicate of itself.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0151 – We miss colorful CVE commentary.
2004-08-04: 34 flaws found in Oracle database software
2004-09-03: US gov and sec firms warn of critical Oracle flaws
2004-10-15: Oracle Warns of Critical Exploits
2005-01-20: Oracle Patch Fixes 23 ‘Critical’ Vulnerabilities
2005-10-19: Oracle fixes bugs with mega patch
2006-01-18: Oracle fixes pile of bugs
In the interest of helping journalists cover Oracle, perhaps they should just move to a templated form to save time?
[YOUR TITLE], [YOUR PUBLICATION]
Oracle released on [DAY_OF_WEEK] fixes for a [LONG/HUGE/MONSTROUS] list of security vulnerabilities in [ONE/MANY/ALL] of its products. The quarterly patch contained patches for [NUMBER] vulnerabilities.
Titled “Critical Patch Update”, the patch provides [FIXES/REMEDIES/MITIGATION] for [NUMBER] flaws in the Database products, [NUMBER] flaws in the Application Server, [NUMBER] flaws in the Collaboration Suite, [NUMBER] flaws in the E-Business Suite, [NUMBER] flaws in the PeopleSoft Enterprise Portal, and [NUMBER] flaws in the [NEW_TECHNOLOGY_OR_ACQUISITION].
Many of the flaws have been deemed critical by Oracle, meaning they are trivial to exploit, were likely discovered around 880 days ago, and are trivially abused by low to moderately skilled [HACKERS/ATTACKERS/CRACKERS]. Some of these flaws may be used in the next worm-of-the-week.
“[DULL_QUOTE_FROM_COMPANY_WHO_DISCOVERED_0_OF_THE_FLAWS]” security company [COMPANY] said yesterday as they upped their internet risk warning system number (IRWSN) to [ARBITRARY_NUMBER]. “This is another example of why our products will help protect customers who chose to deploy Oracle software” [ARBITRARY_CSO_NAME] stated.
“[BULLSHIT_QUOTE_ABOUT_PROACTIVE_SECURITY_FROM_ORACLE]” countered Mary Ann Davidson, CSO at Oracle. “These hackers providing us with free security testing and showing their impatience after a mere 880 days are what causes problems. If these jackass criminals would stop being hackers, our products would not be broken into and our customers would stay safe!”
Oracle has been criticized for being slow to fix security flaws by everyone ranging from L0rD D1cKw4v3R to US-CERT to the Pope.