Announcements of Third-Party Component Updates

Critical Patch Update patches address vulnerabilities in Oracle code as well as vulnerabilities in third-party components included with Oracle products. Oracle separately lists, below each risk matrix, the updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in the Oracle product family they are listed under. When applicable, the CVE identifiers associated with such third-party updates are listed under the “Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family” section under their respective risk matrix.

“Non-exploitable CVEs” refers to the Common Vulnerabilities and Exposures identifiers of vulnerabilities in third-party components (e.g., glibc, GNU Bash) that Oracle has determined cannot be exploited in the context of the listed Oracle product distribution. For example, a non-exploitable CVE would be reported when an Oracle product includes a third-party component that has a vulnerability in functionality that the Oracle product never uses.

Note that:

  • A given CVE may be reported as a “non-exploitable CVE” for a given Oracle product and may be exploitable in other Oracle products. Always refer to the appropriate section of the CPU Advisory.

  • Additionally, the technical conditions that have prompted Oracle to determine that a given CVE is non-exploitable for a given product distribution are specific to supported configurations of the Oracle product. The CVE may be exploitable if the affected third-party component has been installed separately or if the Oracle product distribution has been deployed in an unsupported configuration.

Starting with the October 2020 Critical Patch Update, Oracle lists, in a separate section beneath each risk matrix, the vulnerabilities in third-party components which are not exploitable in the context of the Oracle products in which they are included. Before this change, Critical Patch Update advisories listed all updates for third-party components in the risk matrices themselves. Vulnerabilities that are not exploitable in the context of Oracle products are identified by their respective CVE identifiers and are assigned a CVSS Base Score of 0.0.

FREQUENTLY-ASKED QUESTIONS

How does Oracle determine that a vulnerability is not exploitable in a given Oracle product distribution?

Every vulnerability in a third-party component is assessed to determine whether it could negatively impact the security of Oracle products using the component. The vulnerability is considered not exploitable in Oracle products when the Oracle products use the third-party component in a way that does not expose the vulnerability. This occurs when the vulnerable functionality is never used, or is used in a way that prevents it from being used as part of an attack. Oracle independently determines whether a vulnerability in a third-party component is exploitable for each Oracle product, as each Oracle product may use the same third-party component in a different way.

Can a vulnerability reported as non-exploitable for an Oracle product I use be exploitable in my environment?

Yes. The technical conditions that have prompted Oracle to determine that a given CVE is non-exploitable for a given product distribution are specific to supported configurations of the Oracle product. The CVE may be exploitable if the affected third-party component has been installed separately or if the Oracle product distribution has been deployed in an unsupported configuration.

How does Oracle handle non-exploitable (CVSS Base Score 0.0) vulnerabilities in Oracle code?

Typically, non-exploitable vulnerabilities in Oracle code are considered Security-In-Depth issues and may be addressed in normal upgrade releases.

Can I selectively choose which CPU update(s) to apply for a given Oracle product?

Generally, CPU patches are cumulative and do not allow for the application of a subset of updates.

Why did Oracle make a change to the format of the CPU Advisory to identify non-exploitable vulnerabilities in third-party components?

Oracle made the update to the CPU Advisory to allow Oracle customers to better prioritize patching efforts. For example, a customer may choose to defer the application of a CPU for a given product if the updates associated with the product solely include updates associated with non-exploitable CVEs.

What should I do if I have a question about CPU updates?

Customers should contact Oracle technical support or open a Service Request (SR) on My Oracle Support.

How are non-exploitable vulnerabilities in third-party components reported by Oracle in the Critical Patch Update Advisory?

Non-exploitable vulnerabilities in third-party components associated with a given Oracle product family are listed separately, following the Oracle product family’s risk matrix in the Advisory. These vulnerabilities are identified with Common Vulnerabilities and Exposures (CVE) identifiers and are assigned a CVSS Base Score of 0.0, as they have not been found to be exploitable in supported product deployments.

For more information:

“Risk Matrix Glossary – Terms and Definitions for Critical Patch Update Risk Matrices” located at https://www.oracle.com/security-alerts/advisorymatrixglossary.html

“October 2020 Critical Patch Update: Executive Summary and Analysis” (Doc ID 2712240.1) located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2712240.1