Oracle’s last quarterly critical patch update included some changes and started using CVSS to rate the severity of their vulnerabilities. Anyone that has ever tried to truly understand Oracle vulnerabilities most likely thought this would be a much needed improvement. The whole easy, difficult, wide, low, high ratings Oracle used previously made it almost impossible to figure out just how critical are the issues and then to prioritize the patch implementation.
Shortly after the October CPU was released, researchers started to question the CVSS ratings leading many to believe that Oracle is downplaying the true risk of the vulnerabilities.
Oracle also patched 13 remotely exploitable holes in its Application Server software, the highest of which the vendor rated as 4.7 out of 10. However, a closer examination of the flaws suggest that many of the ratings should be in the 8.0 range, said Caleb Sima, CTO of SPI Dynamics, an Atlanta-based security vendor that also reported bugs to Oracle. “The problem is, Oracle didn’t give enough details [for third parties] to be able to say exactly what the score should be,” Sima said. – Source
Oracle claims that they are listening to their customers and trying to help organizations really understand the true risk. However, it appears that for many of the vulnerabilities there contained even less detail with the new format than previously. Was the only real improvement to the advisories that questionable CVSS ratings were included?