Saturday, 9 May 2009

Create CVE links on Oracle CPU Page

As you probably know, Oracle now releases CPUs (Critical Patch Updates) every 3 months. If you have ever read any of these CPU Advisories, you know it does not make much sense to read them. But they exist. Since CPUJul2008, Oracle has replaced its internal numbering (like DBnn) with CVE (Common Vulnerabilities and Exposures) numbering. Does it make any sense? In my opinion it would, but not in this way. These CVEs do NOT contain any really useful information. The CVE database is an open database that anybody can access. If they are using CVE numbers, why is Oracle not creating links from the Advisory page to the CVE pages? Would it not be more comfortable just to click on a link if you are interested in the details, instead of searching for CVE numbers manually? I think the missing link is a confession of how useless this numbering is in Oracle's case. If you read a CPU Advisory released after Jul 2008, you will find CVE numbers before every identified security bug, but if you want to check a CVE you have to find it by hand, and you will find no more info even on that page. So it does not make much sense, because the CVE has NO useful info in it, but here is a VERY SIMPLE GreaseMonkey script which inserts two links after the CVE that you can click on to immediately check the "details" of the CVE.
But I repeat: the CVE links are not in the CPU Advisory because the CVE does NOT contain any relevant info about the security problem.
I hope this will change in the near future and the CVE or the CPU will give us some useful detail.

// ==UserScript==
// @name Oracle CPU Risk Matrix CVE- Link Creator
// @namespace http://tamastarjanyi.blogspot.com/
// @description Replaces simple CVE text on Oracle CPU pages (Like http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ) to links
// @include http://*.oracle.com/*
// ==/UserScript==


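// typeof avoids a ReferenceError when the Greasemonkey API is not defined.
if (typeof GM_xmlhttpRequest === "undefined") {
    alert('Please upgrade to the latest version of Greasemonkey.');
}
// Index loop: for...in would also visit "length" and "item" on the collection.
var tds = document.getElementsByTagName("td");
for (var i = 0; i < tds.length; i++) {
    // Use only the matched identifier in the URLs, not the cell's whole HTML.
    var m = tds[i].textContent.match(/CVE-[0-9]{4}-[0-9]+/);
    if (m) {
        var cvetext = m[0];
        tds[i].innerHTML += ' (<a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + cvetext + '">mitre</a> | <a target="_blank" href="http://nvd.nist.gov/nvd.cfm?cvename=' + cvetext + '">nvd</a> )';
    }
}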
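
An added example, not part of the original post: a variant of the linking step that handles several CVE ids in one cell and builds the anchors as DOM nodes, so nothing but a matched id is ever placed in a URL and the cell's markup is never re-parsed. It goes beyond the one-id-per-cell case the script above covers; the names splitOnCves and linkifyCell and the id pattern (four or more trailing digits) are assumptions of this example, and the two URL prefixes are the ones the script uses.

```javascript
// Added example: URL prefixes are the two used by the script above.
const SOURCES = [
  ["mitre", "http://cve.mitre.org/cgi-bin/cvename.cgi?name="],
  ["nvd", "http://nvd.nist.gov/nvd.cfm?cvename="],
];
const CVE_RE = /\bCVE-\d{4}-\d{4,}\b/g;
// Split text into plain-string and {id, links} pieces; only text that
// matched the strict CVE pattern is ever placed in a URL.
function splitOnCves(text) {
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(CVE_RE)) {
    if (m.index > last) parts.push(text.slice(last, m.index));
    const links = SOURCES.map(([label, base]) => ({ label, href: base + encodeURIComponent(m[0]) }));
    parts.push({ id: m[0], links });
    last = m.index + m[0].length;
  }
  if (last < text.length) parts.push(text.slice(last));
  return parts;
}

// Browser side: rewrite the text nodes inside each <td>, building elements
// instead of concatenating into innerHTML.
function linkifyCell(td) {
  const walker = document.createTreeWalker(td, NodeFilter.SHOW_TEXT);
  const nodes = [];
  while (walker.nextNode()) nodes.push(walker.currentNode);
  for (const node of nodes) {
    const parts = splitOnCves(node.nodeValue);
    if (!parts.some((p) => typeof p !== "string")) continue; // no CVE id in this text node
    const frag = document.createDocumentFragment();
    for (const p of parts) {
      if (typeof p === "string") { frag.append(p); continue; }
      frag.append(p.id + " (");
      p.links.forEach(({ label, href }, n) => {
        const a = Object.assign(document.createElement("a"), { href, target: "_blank", rel: "noopener", textContent: label });
        frag.append(n ? " | " : "", a);
      });
      frag.append(")");
    }
    node.replaceWith(frag);
  }
}
if (typeof document !== "undefined") {
  for (const td of document.querySelectorAll("td")) linkifyCell(td);
} else {
  // Outside a browser: show the split of a constructed sample cell.
  console.log(splitOnCves("CVE-2009-1111, CVE-2009-2222"));
}
```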