Sunday, January 21, 2024

Oracle Security Patches: CVE, Theory and Example, for Oracle GoldenGate

======================
What is CVE
======================

CVE - Common Vulnerabilities and Exposures
It is a list of publicly disclosed information security vulnerabilities and exposures.
CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. 

CVE provides a free dictionary for organizations to improve their cyber security. 
MITRE is a nonprofit that operates federally funded research and development centers in the United States.

Vulnerabilities vs. Exposures
A vulnerability is a weakness that can be exploited in a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. 
Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
An Exposure is a mistake that gives an attacker access to a system or network. 
Exposures can lead to data breaches, data leaks, and personally identifiable information (PII) being sold on the dark web.

What is the Goal of CVE?
The goal of CVE is to make it easier to share information about known vulnerabilities so that cybersecurity strategies can be updated with the latest security flaws and security issues.
CVE does this by creating a standardized identifier for a given vulnerability or exposure. 
CVE identifiers (also called CVE names or CVE numbers) allow security professionals to access information about specific cyber threats 
across multiple information sources using the same common name.
For example, UpGuard is a CVE compatible product, and its reports reference CVE IDs. 
This allows you to find fix information on any CVE compatible vulnerability database.

CVSS - Common Vulnerability Scoring System
CVSS is a set of open standards for assigning a number to a vulnerability to assess its severity. 
CVSS scores are used by the NVD, CERT, UpGuard and others to assess the impact of a vulnerability.
A CVSS score ranges from 0.0 to 10.0. The higher the number, the higher the severity.

Who Sponsors CVE?
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.

CNA - CVE Numbering Authorities
CNAs are organizations that identify and distribute CVE ID numbers to researchers and vendors for inclusion in public announcements of new vulnerabilities. 
CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.
CNAs form a federated system that identifies vulnerabilities and assigns them IDs without directly involving MITRE, which is the primary CNA.
There are currently 104 CNAs in 18 countries including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMWare, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce. 

======================
Oracle CPU
======================
CPU - Critical Patch Update

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. 
These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. 

These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. 

Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. 

Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.


======================
How to Start?
======================
Oracle releases its Critical Patch Update periodically.

For Example:
Critical Patch Update for April 2023 Documentation Map (Doc ID 2921643.1)

It has a list of critical patches per product.
For GoldenGate:
CVE-2022-42003   Oracle Database (Oracle GoldenGate) [5757] Oracle Critical Patch Update April 2023

Following the Oracle Critical Patch Update April 2023 link for the correct GoldenGate version:
Oracle GoldenGate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0 -> Oracle GoldenGate Risk Matrix
Oracle Critical Patch Update Advisory - April 2023

This Critical Patch Update contains 433 new security patches across the product families listed below. Here the focus is on GoldenGate only.

Oracle GoldenGate Risk Matrix
This Critical Patch Update contains 2 new security patches, plus additional third party patches noted below, for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found
CVE-2022-42003
Oracle GoldenGate
Prior to 19.1.0.0.230418, Prior to 21.10.0.0.0

Searching for the GoldenGate Critical Patch Update (CPU) Apr 2023:
Critical Patch Update (CPU) Program Apr 2023 Patch Availability Document (DB-only) (Doc ID 2923348.1)

Section 3.1.9 Oracle GoldenGate, for GoldenGate 19.1 on Oracle version 12.2:

Oracle GoldenGate 19.1.0.0.230418 for Oracle 12c: Patch 35275313 or later
Search for Patch 35275313:

Patch 35275313: Oracle GoldenGate 19.1.0.0.230418 for Oracle 12c: This patch is obsolete and was replaced by patch 35326271.

So the next step is to download and apply patch 35326271.


The minimum OPatch version for the Oracle GoldenGate 19.1.0.0.230418 patches is 12.2.0.1.36.
The Oracle OPatch downloads can be found at Patch 6880880.

======================
How to get Oracle and Golden Gate version
======================
/software/ogg/191>% ./ggsci
Oracle GoldenGate Command Interpreter for Oracle
Version 19.1.0.0.1 OGGCORE_19.1.0.0.0_PLATFORMS_190524.2201_FBO
Linux, x64, 64bit (optimized), Oracle 12c on May 25 2019 12:43:32
Operating system character set identified as UTF-8.

SQL> SELECT * FROM V$VERSION;
BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
PL/SQL Release 12.2.0.1.0 - Production
CORE    12.2.0.1.0      Production
TNS for Linux: Version 12.2.0.1.0 - Production
NLSRTL Version 12.2.0.1.0 - Production



/software/oracle/122/OPatch>% /software/oracle/122/OPatch/opatch version
OPatch Version: 12.2.0.1.17
OPatch succeeded.
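Before downloading and applying patch 35326271, two things from the earlier section are worth checking on the host: that OPatch is at least 12.2.0.1.36 (the output above shows 12.2.0.1.17, which is below that minimum) and whether the patch is already in the inventory. The script below is an added example, not code from the original post; the minimum version and patch ids come from the post, while the exact shape of the "opatch version" and "opatch lsinventory" output is assumed and the sample outputs are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check the two prerequisites the
# post describes before applying the GoldenGate CPU patch. The minimum OPatch
# version and patch ids come from the post; the "opatch version" and
# "opatch lsinventory" output shapes are assumed, and the samples below are
# constructed so the script runs offline.
MIN_OPATCH="12.2.0.1.36"   # minimum stated for GoldenGate 19.1.0.0.230418
CPU_PATCH="35326271"       # replacement for the obsolete patch 35275313

# Pull "a.b.c.d.e" out of a line like "OPatch Version: 12.2.0.1.17".
opatch_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^OPatch Version: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing field by field numerically
# (a string compare would wrongly rank 12.2.0.1.9 above 12.2.0.1.36).
version_ge() {
    i=1
    while [ "$i" -le 5 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 when patch id $2 is listed as applied in lsinventory output $1
# (assumed line shape: "Patch  NNNNNNNN     : applied on ...").
patch_applied() {
    printf '%s\n' "$1" | grep -Eq "^Patch +$2 *:"
}

# Constructed samples: version output as in the post; the inventory holds one
# placeholder id, so the CPU patch shows as not yet applied.
SAMPLE_VERSION="OPatch Version: 12.2.0.1.17
OPatch succeeded."
SAMPLE_INVENTORY="Interim patches (1) :
Patch  11111111     : applied on Thu Jan 01 00:00:00 UTC 2024"

main() {
    v=$(opatch_version_from_output "$SAMPLE_VERSION")
    if version_ge "$v" "$MIN_OPATCH"; then echo "OPatch $v meets the minimum $MIN_OPATCH"
    else echo "OPatch $v is below $MIN_OPATCH: update OPatch (Patch 6880880) first"; fi
    if patch_applied "$SAMPLE_INVENTORY" "$CPU_PATCH"; then echo "Patch $CPU_PATCH already applied"
    else echo "Patch $CPU_PATCH not applied yet"; fi
}
main
```

On a real host, replace the two sample strings with "$(/software/oracle/122/OPatch/opatch version)" and "$(/software/oracle/122/OPatch/opatch lsinventory)" run from the GoldenGate home.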


uname -a
Linux 3.10.0-1160.71.1.el7.x86_64 #1 SMP Wed Jun 15 08:55:08 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 7.9 (Maipo)
