[VIM] April Oracle advisory - drowning in the wrong data
jericho at attrition.org
Sat May 14 08:22:33 EDT 2005
: I'e been slugging it out with the April 2005 Oracle advisory, trying to
: apply CVE's usual content decisions to it, which makes for small
: clusters of vulns if they all affect the same versions.
: I was all ready to create about 25 new candidates. The only remaining
: task was to map them to existing published advisories.
the last two months of dealing with Oracle advisories have taught me this
is a futile effort. even by a week after the advisory is released, only a
small percent of people speak up and post details about the flaws. this
last time was worse I think. ended up making a ton of entries and only
seeing half a dozen correspond to researcher's posts.
: There's not enough published data to figure out which public
: researchers' advisories go with which Oracle bug ID's. Also, I can't
: tell which issues already have CANs, and which ones don't.
i even mailed a few of the people credited with finding flaws. one
replied "no clue if issue X in the advisory matches issue Y that I
disclosed". Oracle's wording and description was vague enough so that the
researcher could not confirm it, even after I picked 1 entry out of a
hundred that I thought was a match.
: NGSSoftware have published a generic advisory at
: http://www.ngssoftware.com/advisories/oracle-03.txt but they only
: mention "multiple" vulnerabilities and you can't infer from the affected
: versions which vulns they're talking about, either.
.. and they wait 90 days =) bleh
: Red Database Security posted some rather detailed comments here:
He will respond to your mails fast, but i'm fairly sure this is who I
refer to above as not being able to match up the issues himself.
: The obvious conclusion here is to contact the Oracle people and the
: researchers, and try to sort everything out, which I will. But I wish
: it didn't take me the better part of a day before realizing that I was
: mostly back to Square One.
I hate to be the dark spot on a sunny day.. but even if you contacted 100%
of the researchers mentioned, and they could confirm 100% that their vuln
matched a specific oracle entry.. you'd still only be hitting about 5% =)
I ended up spending about two full days breaking this out according to
OSVDb standards. I mailed the researches I could that might answer
questions (not NGSS), and got nowhere. Oracle abstracts the issues a bit
farther by including their idea of the vulnerable module/function/routine
that doesn't necessarily match the researcher. I imagine this is due to
what an end user sees vs a developer.
OSVDB 15554 - 15616, 15736. So I ended up making 63 entries for Apr 12,
2005 advisory. Of those, I was not able to get a single researcher
confirmation of any of the issues.
More information about the VIM