If you have read my overviews of Oracle database patches long enough, you probably are aware of my bias against the CVSS scoring system. It’s a yardstick to measure the relative risk of the vulnerability, but it’s a generic measure, and a confusing one at that. You have to start somewhere, but it’s just a single indicator, and you do need to take the time to understand how the threats apply (or don’t) to your environment. In cases where I have had complete understanding of the nature of a database threat, and felt that the urgency was great enough to disrupt patching cycles to rush the fix into production, CVSS has only jibed with my opinion around 60% of the time. This is because access conditions typically push the score down, and most developers have pre-conceived notions about how a vulnerability would be exploited. They fail to understand how attackers turn all of your assumptions upside down, and are far more creative in finding avenues to exploit than developers anticipate. CVSS scores reflect this overconfidence.

Oracle announced the July 2009 “Critical Patch Update Advisory” today. There are three fairly serious database security fixes, and two more for serious issues for secure backup. The problem with this advisory (for me, anyway) is that none of my contacts know the specifics behind CVE-2009-1020, CVE-2009-1019 or CVE-2009-1963. Further, NIST, CERT, and Mitre have not published any details at this time. The best information I have seen in Eric Maurice’s blog post, but it’s little more than the security advisory itself. Most of us are in the dark on these, so meaningful analysis is really not possible at this time. Still, remotely exploitable vulnerabilities that bypass authentication are very high on my list of things to patch immediately. And compromise of the TNS service in the foundation layer, which two of the three database vulnerabilities appear to be, provides an attacker both a method of probing for available databases and also exploitation of peer database trust relationships.

I hate to make the recommendation without a more complete understanding of the attack vectors, but I have to recommend that you patch now.