[VIM] April Oracle advisory - drowning in the wrong data
Steven M. Christey
coley at mitre.org
Fri May 6 01:12:17 EDT 2005
Just thought I'd share.
I'e been slugging it out with the April 2005 Oracle advisory, trying
to apply CVE's usual content decisions to it, which makes for small
clusters of vulns if they all affect the same versions.
I was all ready to create about 25 new candidates. The only remaining
task was to map them to existing published advisories.
BIG BRICK WALL.
There's not enough published data to figure out which public
researchers' advisories go with which Oracle bug ID's. Also, I can't
tell which issues already have CANs, and which ones don't.
For example, AppSecInc reported SQL injection in
SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET, but I have no idea which
vuln to map it to in the alert - AppSecInc doesn't list the Oracle
Vuln#, and the Oracle alert doesn't say which Vuln# was found by
NGSSoftware have published a generic advisory at
http://www.ngssoftware.com/advisories/oracle-03.txt but they only
mention "multiple" vulnerabilities and you can't infer from the
affected versions which vulns they're talking about, either.
Red Database Security posted some rather detailed comments here:
And it includes several bits of information that aren't in the version
of the Oracle update that I have, e.g. that DB01 is related to SQL
injection in the DBMS_CDC_IPUBLISH package. Where did they GET that
In addition, Oracle has a CVE-to-advisory mapping which is quite nice
for knowing that they've fixed the issues (I was unaware of this -
thanks Red Database!):
Unfortunately, I can't figure out from the April advisory, whether
CAN-2004-0079 - an OpenSSL issue - is associated with Oracle Vuln#
DB06/AS16, DB22/AS14, DB24/AS17, or other vulnerability ID's that are
listed in the SSL-related components (presumably that's where it is
right now). Same with all the other issues.
The obvious conclusion here is to contact the Oracle people and the
researchers, and try to sort everything out, which I will. But I wish
it didn't take me the better part of a day before realizing that I was
mostly back to Square One.
More information about the VIM