[VIM] April Oracle advisory - drowning in the wrong data
security curmudgeon
jericho at attrition.org
Sat May 14 08:22:33 EDT 2005
: I've been slugging it out with the April 2005 Oracle advisory, trying to
: apply CVE's usual content decisions to it, which makes for small
: clusters of vulns if they all affect the same versions.
good..
: I was all ready to create about 25 new candidates. The only remaining
: task was to map them to existing published advisories.
bad!
the last two months of dealing with Oracle advisories have taught me this
is a futile effort. even by a week after the advisory is released, only a
small percentage of people speak up and post details about the flaws. this
last time was worse I think. ended up making a ton of entries and only
seeing half a dozen correspond to researchers' posts.
: There's not enough published data to figure out which public
: researchers' advisories go with which Oracle bug ID's. Also, I can't
: tell which issues already have CANs, and which ones don't.
I even mailed a few of the people credited with finding flaws. one
replied "no clue if issue X in the advisory matches issue Y that I
disclosed". Oracle's wording and description was vague enough so that the
researcher could not confirm it, even after I picked 1 entry out of a
hundred that I thought was a match.
: NGSSoftware have published a generic advisory at
: http://www.ngssoftware.com/advisories/oracle-03.txt but they only
: mention "multiple" vulnerabilities and you can't infer from the affected
: versions which vulns they're talking about, either.
.. and they wait 90 days =) bleh
: Red Database Security posted some rather detailed comments here:
:
: http://www.red-database-security.com/wp/comments_oracle_cpu_april_2005_us.pdf
He will respond to your mails fast, but I'm fairly sure this is who I
refer to above as not being able to match up the issues himself.
: The obvious conclusion here is to contact the Oracle people and the
: researchers, and try to sort everything out, which I will. But I wish
: it didn't take me the better part of a day before realizing that I was
: mostly back to Square One.
I hate to be the dark spot on a sunny day.. but even if you contacted 100%
of the researchers mentioned, and they could confirm 100% that their vuln
matched a specific oracle entry.. you'd still only be hitting about 5% =)
I ended up spending about two full days breaking this out according to
OSVDB standards. I mailed the researchers I could that might answer
questions (not NGSS), and got nowhere. Oracle abstracts the issues a bit
further by including their idea of the vulnerable module/function/routine,
which doesn't necessarily match the researcher's. I imagine this is due to
what an end user sees vs what a developer sees.
OSVDB 15554 - 15616, 15736. So I ended up making 63 entries for the Apr 12,
2005 advisory. Of those, I was not able to get a single researcher
confirmation of any of the issues.
.b