Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Sentrigo release Hedgehog vPatch"] [Next entry: "Lateral SQL Injection needs no database privileges"]

July 2008 Critical Patch Update (CPU) is the first to use CVE-ID numbers

One thing I forgot to mention the other day in my post July 2008 Critical Patch Update is out - a remote un-authenticated exploit revealed is that one of the major changes you will notice with this CPU is that Oracle have started to identify each vulnerability with a CVE-ID number. The reason Oracle can do this is because they have become a candidate naming authority and are now allowed to issue unique numbers for each vulnerability. Whilst as Eric Maurice points out in his post July 2008 Critical Patch Update Released Oracle's own advisory is the primary source for details of Oracle vulnerabilities this change will certainly allow all other sources to report further details about vulnerabilities with consistency that can be tracked back to Oracles own advisory.

This is a good step in my opinion and should allow some emphasis of consistency. Duncan has told me that this change was made due to customer feedback and took quite some efforts to set up. I think we should acknowledge that Oracle do listen to customer feedback on CPU's and do want to make the whole process better for customers if they can. I am talking to customers of mine about this to get opinions, I already had a chat on Wednesday with one person who welcomed the changes.

I would like to hear others opinions here about this change, comments are open!