Oracle has released another monster quarterly security update containing 136 fixes for flaws in a wide range of products including Oracle Database Server, E-Business Suite, Fusion Middleware, Oracle Sun Products, Java and MySQL.
The biggest change is Oracle’s adoption of the Common Vulnerability Scoring System (CVSS) version 3.0, which more accurately reflects the impact of flaws than CVSS 2.0. This Oracle Critical Patch Update (CPU) has both CVSS 3.0 and CVSS 2.0 scores for vulnerabilities, providing a chance to compare how the new rating system might affect Oracle patch prioritization inside organizations.
One immediately noticeable change is that there are five vulnerabilities rated with the maximum score of 10.0 based on the CVSS 2.0 scale, but none when using the CVSS 3.0 rating. At first glance, this would suggest that based on CVSS 3.0, flaws are rated as less critical, but that’s not true.
While there are no flaws with a 10.0 score, the number of flaws in this CPU that are considered critical based on their CVSS 3.0 score is 17, compared to 9 based on CVSS 2.0. Similarly, 25 flaws are rated as high severity using CVSS 3.0, compared to only 12 using CVSS 2.0.
The number of low severity flaws also decreased from 28, based on CVSS 2.0, to only 10 based on CVSS 3.0. This shows that overall, CVSS 3.0 increases the severity rating of vulnerabilities compared to CVSS 2.0.