Oracle to Enhance Patch Documentation with CVSS

Oracle's next batch of critical patch updates, which are issued quarterly, are due out on October 17. Beginning with that release, the company will introduce enhanced documentation to better help system administrators and management to understand the impact of a vulnerability that a given patch is designed to correct.

Writing in the company's blog, Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said that Oracle will now provide an executive summary in its documentation that gives a high-level overview of the vulnerabilities covered by a quarterly update. The company will also specifically point out when a vulnerability is remotely exploitable without requiring authentication. Perhaps the most significant change is Oracle's adoption of the Common Vulnerability Scoring System (CVSS), an emerging standard that helps vendors rank the severity of vulnerabilities as well as their potential impact.

"Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication," Maurice said.

CVSS was developed as an open standard by the Forum of Incident Response and Security Teams (FIRST) as a solution to the incompatibilities of various ranking systems used by different vendors. FIRST said that CVSS "provides the foundation for a standard process for stakeholders to prioritize their actions and respond to the threat vulnerabilities present."

CVSS consists of three scores: A base score, a temporal score, and an environmental score. According to FIRST documentation, "Base Scoring is computed by the vendor or originator with the intention of being published and once set, is not expected to change. It is computed from 'the big three' confidentiality, integrity and availability. This is the 'foundation' which is modified by the Temporal and Environmental metrics. The base score has the largest bearing on the final score and represents vulnerability severity."

"Temporal Scoring is also computed by vendors and coordinators for publication, and modifies the Base score. It allows for the introduction of mitigating factors to reduce the score of a vulnerability and is designed to be re-evaluated at specific intervals as a vulnerability ages. The temporal score represents vulnerability urgency at specific points in time."

"Environmental Scoring is optionally computed by end-user organizations and adjusts combined Base-Temporal score. This should be considered the final score and represents a snapshot in time, tailored to a specific environment. User organizations should use this to prioritize responses within their own environments."

The base score involves seven metrics, the temporal score includes three metrics, and the environmental score includes two metrics.

Companies and organizations that use CVSS include Symantec, Qualys, PatchAdvisor, and Cisco, as well as Computer Emergency Response Team (CERT). PatchAdvisor provides an online CVSS calculator that shows what a score might look like for a given vulnerability.