As an example of the discrepancy Partial+ can bring about, Rothacker points to a pair of nearly identical vulnerabilities found in the network stack of the Oracle database, both discovered by an AppSec researcher. Oracle assigned one vulnerability a CVSS rating of 5 and the other a more severe rating CVSS rating of 7.8, even though the two vulnerabilities differed from one another by only one byte, explained security researcher Esteban Martinez Fayo, in a blog post. The chief difference between the two ratings stemmed from the fact that one ranked with lower severity was given a Partial+ rating while the other one was assigned a Complete.
Of course, AppSec has a vested interest in having security officers revaluate Oracle's own vulnerability reports. The company offers auditing and compliance software for judging database security, and even offers its own revised severity ratings for Oracle database vulnerabilities. But the company does have intimate knowledge of Oracle vulnerabilities: its researchers found four of the six database vulnerabilities Oracle addressed in its last patch update.
AppSec is not alone in questioning Oracle's unique Partial+ rating.
By creating the Partial+ rating, Oracle is in effect creating its own measurement system, said Adrian Lane, chief technology officer and analyst for security research firm Securosis. Lane, who also addressed the issue in a recent blog post, noted that while CVSS provides only an approximation of how severe a vulnerability can be, it is still a useful metric to administrators.
"By altering basic CVSS metrics, Oracle is throwing out the standard yardstick," he said.
Lane agrees with Rothacker's assessment that a vulnerability affecting all the tables of a database is a system-level vulnerability. If the vulnerability only affects a few tables, then it should be considered a Partial vulnerability, but by having control over an entire database, an exploit could disrupt the entire platform, and be given a Complete, he said.