RE: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (Oracle CPU April 2008 DB11)

["Integrigy Alerts" <alerts () integrigy com>]

The main problem with the Oracle CVSS base scores is more with CVSS than
Oracle.  Under the CVSSv2 definition of
Confidentiality/Integrity/Availability impact, if the entire database is
compromised but not the "entire system" then the metric value will be
Partial rather than Complete.  Since the large majority of Oracle database
vulnerabilities require a valid database session unless exploited via a
blended threat (i.e., such as SQL injection which is completely ignored by
Oracle in any analysis), the maximum realistic score for an Oracle database
vulnerability is 6.5 since CIA impact will only ever be Partial except in
rare occasions.  Oracle does include a "Partial+" in the advisories to
indicate where the entire database is compromised.  The CVSS definitions
around system vs. service vs. application should be strengthened in a future
version.

Additional information on the Oracle CVSS scores is at
http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss

Regarding the quality of information released by Oracle in the CPU
advisories,  I can easily understand why there are discrepancies between a
researcher's advisory and Oracle's.  Having worked with Oracle on over 50
vulnerabilities, my experience is that the Oracle security team generally
does not spend much effort to fully research, validate, and explore each
vulnerability.  Rather the focus is on confirming the vulnerability and
coordinating with development to fix the vulnerability as qualified and
documented by the security researcher.  If the researcher does not provide
full details or does not document a specific attack vector, then Oracle
probably won't include this in the fix or advisory.  This has resulted in a
few well publicized cases where the same vulnerability had to be fixed
multiple times since Oracle only fixed the bug based on the exact exploit
details/code provided by the security researcher.

-----Original Message-----
From: Joxean Koret [mailto:joxeankoret () yahoo es] 
Sent: Saturday, January 10, 2009 12:27 PM
To: security curmudgeon
Cc: Team SHATTER; bugtraq () securityfocus com; secalert_us () oracle com
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow
in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi,

This is very typical and, in my opinion, you should only consider
trustworthy the Team Shatter's advisory, not the Oracle's one.

Take for example the bug APPS01[1] in Oracle Critical Patch Update of
April 2007 [2], it was a preauthenticated remote bug (with remote I mean
"from internet", not from "adjacent network"). CVSS2 Score would be 9/10
(calcule it yourself [3]), however, the Oracle advisory says that a
"Valid session" was needed and that the CVSS2 score was 4.2. It's funny.

> As a responsible security professional, I have to assume their research
> is accurate and their advisory should be taken more seriously than
> Oracle's.

Yes, don't trust the Oracle's advisories, the aren't real.

[1]http://www.zerodayinitiative.com/advisories/ZDI-08-088
[2]
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpua
pr2007.html
[3] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thanks,
Joxean Koret

On Sat, 2009-01-10 at 11:11 +0000, security curmudgeon wrote:
> Summary: Team SHATTER says this is a remote overflow that allows for
> the 
> execution of arbitrary code (CVSS2 9.0). Oracle says this is a
> limited 
> DoS condition (CVSS2 4.0). That is a big discrepancy.