
Doc ID: Note:293956.1
Subject: Oracle Critical Patch Update Risk Matrix Glossary
Type: REFERENCE
Status: PUBLISHED
Content Type: TEXT/X-HTML
Creation Date: 15-DEC-2004
Last Revision Date: 18-JAN-2005

Risk Matrix Glossary
Critical Patch Update – January 2005

Access Required

This is the type of access that an attacker must have in order to exploit the given vulnerability.

  • Local
    An attacker must be able to run executables on the server running the database.

  • SQL
    An attacker must have access to the database in order to execute SQL statements. This may be through SQL*Plus, iSQL*Plus, a mod_plsql DAD, or another mechanism.

  • Network
    An attacker must have network access to the server on which the database is running.

Authorization Needed (Package or Privilege Required)

This is the account type and privilege (or package access) that an attacker must have in order to exploit a given vulnerability. If a privilege or package is not specified, PUBLIC privileges are assumed.

  • Database
    An attacker must be successfully authenticated into the database.

  • OS
    An attacker must have an operating system account on the server on which the database is running.

  • Valid Session
    An attacker must be successfully authenticated into the application.

  • None
    An account is not needed to exploit the given vulnerability.

Component

This is the product component that contains the vulnerability.

Earliest Supported Release Affected

This is the earliest supported release and patch set vulnerable to a given issue. Note that earlier, unsupported versions of the given release have not been tested, but it is likely that they are also affected by the given vulnerability.

Last Affected Release (Patch set)

For a given vulnerability, this is the last patch set for each release that is affected by the issue.

Risk Category

This is the risk type. Confidentiality, Integrity and Availability may be specified for either the Database or the OS (Operating System). The following definitions are taken from FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, December 2003.

  • Confidentiality
    A loss of confidentiality is the unauthorized disclosure of information.

  • Integrity
    A loss of integrity is the unauthorized modification or destruction of information.

  • Availability
    A loss of availability is the disruption of access to or use of information or an information system.

Ease

This is the difficulty of crafting and successfully exploiting a given vulnerability.

  • Easy
    No specialized knowledge is required in order to craft and successfully exploit a given vulnerability.

  • Difficult
    Specialized knowledge is required in order to craft and successfully exploit a given vulnerability.

  • ---
    Ease is not applicable to this vulnerability.

Impact

This is the breadth of the effect of the exploit, if successful.

  • Wide
    The exploit affects a wide range of resources. Examples include all tables in a database, or all files on a system.

  • Limited
    The exploit affects a limited range of resources. Examples include all of a given role's tables, or a small set of files on a system.

  • ---
    Impact is not applicable to this vulnerability.

Vuln #

The unique identifier of the vulnerability.

Workaround

This is a procedure that mitigates the effects of a given vulnerability without applying a patch.

  • Yes
    The vulnerability has a workaround, detailed in the Workaround section of the Appendix.

  • ---
    No complete workaround exists for the vulnerability.
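The glossary above defines the vocabulary of the risk matrix but not how to consume it. The following is an added example (not Oracle's code) showing how a DBA could validate rows of a matrix against these glossary values and rank them for patch scheduling. The pipe-delimited row format, the sample rows with their placeholder vulnerability identifiers, and the priority weights in priority() are assumptions made here for illustration; only the allowed field values come from the glossary.

```python
"""Validate and triage Oracle CPU risk matrix rows against the glossary vocabulary.

Added example, not Oracle's code. The row format, sample rows and the
priority weighting are assumptions; the allowed values come from the glossary.
"""
from __future__ import annotations

from dataclasses import dataclass

# Allowed values for each matrix column, as defined in the glossary.
ACCESS_REQUIRED = {"Local", "SQL", "Network"}
AUTHORIZATION_NEEDED = {"Database", "OS", "Valid Session", "None"}
RISK_TARGET = {"Database", "OS"}
RISK_TYPE = {"Confidentiality", "Integrity", "Availability"}
EASE = {"Easy", "Difficult", "---"}
IMPACT = {"Wide", "Limited", "---"}
WORKAROUND = {"Yes", "---"}

# Column order of the assumed pipe-delimited input format.
COLUMNS = ("vuln", "component", "access_required", "authorization_needed",
           "risk_category", "ease", "impact", "workaround")


@dataclass(frozen=True)
class RiskRow:
    vuln: str
    component: str
    access_required: str
    authorization_needed: str
    risk_category: str   # "<Database|OS> <Confidentiality|Integrity|Availability>"
    ease: str
    impact: str
    workaround: str


def parse_matrix(text: str) -> list[RiskRow]:
    """Parse pipe-delimited rows (assumed format) into RiskRow objects."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line}")
        rows.append(RiskRow(**dict(zip(COLUMNS, fields))))
    return rows


def validate(row: RiskRow) -> list[str]:
    """Return glossary violations for one row; an empty list means the row is clean."""
    problems = []
    if row.access_required not in ACCESS_REQUIRED:
        problems.append(f"{row.vuln}: bad Access Required {row.access_required!r}")
    if row.authorization_needed not in AUTHORIZATION_NEEDED:
        problems.append(f"{row.vuln}: bad Authorization Needed {row.authorization_needed!r}")
    target, _, kind = row.risk_category.partition(" ")
    if target not in RISK_TARGET or kind not in RISK_TYPE:
        problems.append(f"{row.vuln}: bad Risk Category {row.risk_category!r}")
    if row.ease not in EASE:
        problems.append(f"{row.vuln}: bad Ease {row.ease!r}")
    if row.impact not in IMPACT:
        problems.append(f"{row.vuln}: bad Impact {row.impact!r}")
    if row.workaround not in WORKAROUND:
        problems.append(f"{row.vuln}: bad Workaround {row.workaround!r}")
    return problems


def priority(row: RiskRow) -> int:
    """Score 0 (lowest) to 6 (highest). The weighting is an assumption, not Oracle's."""
    score = 0
    if row.access_required == "Network":
        score += 2   # reachable without a local or SQL foothold
    if row.authorization_needed == "None":
        score += 1   # no account of any kind is required
    if row.ease == "Easy":
        score += 1   # no specialized knowledge needed
    if row.impact == "Wide":
        score += 1   # e.g. all tables or all files affected
    if row.workaround == "---":
        score += 1   # no complete workaround: only the patch closes it
    return score


def triage(text: str) -> list[tuple[str, int]]:
    """Parse, validate and rank rows; highest priority first, ties by identifier."""
    rows = parse_matrix(text)
    bad = [p for r in rows for p in validate(r)]
    if bad:
        raise ValueError("\n".join(bad))
    return sorted(((r.vuln, priority(r)) for r in rows), key=lambda t: (-t[1], t[0]))


# Constructed sample rows; identifiers and components are placeholders, not real issues.
SAMPLE_MATRIX = """
# vuln | component | access | auth | risk category | ease | impact | workaround
VULN-A | Component A | Network | None     | Database Availability | Easy      | Wide    | ---
VULN-B | Component B | SQL     | Database | Database Integrity    | Difficult | Limited | Yes
VULN-C | Component C | Local   | OS       | OS Confidentiality    | Easy      | Limited | ---
"""

if __name__ == "__main__":
    for vuln, score in triage(SAMPLE_MATRIX):
        print(f"{vuln}: priority {score}")
```

Running the script ranks VULN-A first (network-reachable, no account needed, easy, wide, no workaround), then VULN-C, then VULN-B. Rows using values outside the glossary are rejected before ranking, which catches copy errors when the matrix is transcribed into a tracking system.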


Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.