Oracle Critical Patch Update - Jan 2007
Published January 17th, 2007 in Oracle.

The Oracle Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities across all Oracle product lines. Starting this year, for the first time ever, the details of the CPU are announced prior to the actual release of the patches. The CPU is scheduled for release quarterly, in January, April, July and October each year.
Oracle makes two efforts to ease the patching process: the Pre-Release Announcement and the CVSS Risk Matrix. The Common Vulnerability Scoring System (CVSS) is a vendor-agnostic, open industry standard designed to convey vulnerability severity and help determine the urgency and priority of response.
The ability to score information system vulnerabilities is extremely important to the professional computing world. CVSS provides the foundation for a standard process by which stakeholders can prioritize their actions and respond to the threats that vulnerabilities present. Vulnerabilities with a CVSS base score of 0.0 represent problems that are not exploitable in a default database environment. The higher the base score, the greater the severity of the vulnerability.
Oracle deviates from standard practice by providing only the base score for each patch. Customers have to calculate the temporal and environmental values to generate an overall CVSS score. The temporal score, usually provided by the vendor, represents vulnerability urgency at specific points in time. The environmental score is computed by customers as needed to prioritize responses within their own environments.
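
How a base score from the risk matrix becomes a site-specific priority, as an added example that is not from the original post or from Oracle. It assumes the CVSS version 1 equations and multipliers (the post does not name a CVSS version) and half-up rounding to one decimal place; the component names and metric choices are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS version 1 multipliers (assumption: the post does not name a CVSS version).
EXPLOITABILITY = {"unproven": "0.85", "proof_of_concept": "0.90", "functional": "0.95", "high": "1.00"}
REMEDIATION = {"official_fix": "0.87", "temporary_fix": "0.90", "workaround": "0.95", "unavailable": "1.00"}
CONFIDENCE = {"unconfirmed": "0.90", "uncorroborated": "0.95", "confirmed": "1.00"}
COLLATERAL = {"none": "0", "low": "0.1", "medium": "0.3", "high": "0.5"}
DISTRIBUTION = {"none": "0", "low": "0.25", "medium": "0.75", "high": "1.00"}

def _round1(value):
    # Scores are reported to one decimal place; half-up rounding is an assumption.
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)

def temporal_score(base, exploitability, remediation, confidence):
    """Scale the vendor's base score by the time-dependent metrics."""
    base = Decimal(str(base))
    if not Decimal("0") <= base <= Decimal("10"):
        raise ValueError("base score must be between 0.0 and 10.0")
    return _round1(base * Decimal(EXPLOITABILITY[exploitability])
                   * Decimal(REMEDIATION[remediation]) * Decimal(CONFIDENCE[confidence]))

def environmental_score(temporal, collateral, distribution):
    """Adjust the temporal score for damage potential and share of affected systems."""
    temporal = Decimal(str(temporal))
    adjusted = temporal + (Decimal("10") - temporal) * Decimal(COLLATERAL[collateral])
    return _round1(adjusted * Decimal(DISTRIBUTION[distribution]))

def prioritize(rows):
    """Return (component, temporal, environmental) sorted by environmental score."""
    scored = []
    for component, base, e, rl, rc, cdp, td in rows:
        t = temporal_score(base, e, rl, rc)
        scored.append((component, float(t), float(environmental_score(t, cdp, td))))
    return sorted(scored, key=lambda r: r[2], reverse=True)

# Constructed risk-matrix rows, not taken from the January 2007 CPU.
SAMPLE_ROWS = [
    ("component-a", 7.0, "proof_of_concept", "official_fix", "confirmed", "medium", "medium"),
    ("component-b", 4.2, "unproven", "official_fix", "confirmed", "medium", "high"),
    ("component-c", 9.0, "functional", "official_fix", "confirmed", "low", "none"),
]

if __name__ == "__main__":
    for component, t, env in prioritize(SAMPLE_ROWS):
        print(f"{component}: temporal={t} environmental={env}")
```

In this constructed data the row with the highest base score ranks last because the component is not deployed at the site, which is the kind of reordering the environmental score exists to capture.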


