[VIM] Oracle and CIA

security curmudgeon jericho at attrition.org
Mon Mar 12 20:44:54 UTC 2007


: > Regarding the Jan CPU from Oracle:
: > http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 
: > 
: > Did anyone notice that several of the vulnerabilities listed apparently do
: > not impact Confidentiality, Integrity -or- Availability? Mistake/oversight,
: > or something else?
: > 
: > DB10, DB11, DB12, DB13, etc
: 
: There's a note below the table that clarifies those scores as 
: representing "problems that are not exploitable in a default database 
: environment".

As always, firing off mails before reading the entire thing =)

: There's been some discussion of Oracle's scoring methodology on the 
: CVSS-SIG mailing list. Hopefully now that they've joined the SIG, these 
: sorts of issues will fade away.

Good. Just because it doesn't exist in a default setup doesn't mean the 
vulnerability magically no longer affects C, I or A.


More information about the VIM mailing list