Risk Matrix Glossary (2024)

Risk Matrix Glossary – Terms and Definitions for Critical Patch Update Risk Matrices

Revised October 2020.

Purpose

This page explains the information presented in Critical Patch Update Advisory risk matrices published since October 2016. Several changes to the format of these matrices have been made over the years, the most significant of these changes being the adoption of new versions of the Common Vulnerability Scoring System (CVSS) as follows:

  • CVSS version 3.1 - from July 2020
  • CVSS version 3.0 - from April 2016 to April 2020
  • CVSS version 2.0 - from October 2007 to April 2016
  • CVSS version 1.0 - from October 2006 to July 2007

Scope and Application

The column headings are listed below in the order they appear in the risk matrices. A summary of their purpose is also provided.

Starting with the October 2020 Critical Patch Update, Oracle lists, in a separate section beneath each risk matrix, the vulnerabilities in third-party components that are not exploitable in the context of the Oracle products in which they are included. See Announcements of Third-Party Component Updates for details.

CVE#

The unique identifier for a vulnerability.

Since the July 2008 Critical Patch Update, Oracle has used industry-standard Common Vulnerabilities and Exposures (CVE) identifiers. These simplify the identification of Oracle vulnerabilities when they are referenced in external security reports, such as those produced by security researchers and vulnerability management systems.

Prior to the use of CVE identifiers, Oracle used a proprietary identification scheme in which the vulnerability identifier was composed of a two- to four-character prefix identifying the product suite containing the affected product, and a two-character suffix that made the identifier unique within the product suite. As a result, the vulnerability identifiers were unique only within a single Critical Patch Update Advisory.

Product

The Oracle product containing the vulnerability.

Component

The product component containing the vulnerability. It typically identifies the subsystem or functionality with the issue, such as an administrative interface, web listener or cryptography service.

If the vulnerability is in a third-party component, or in another Oracle product, that is included in this Oracle product, its name is given in parentheses. For example, a component of “LDAP Gateway (Spring Framework)” indicates that the Oracle product’s LDAP Gateway component contains vulnerable code from the Spring Framework third-party component.

Protocol

The protocol used to communicate with the component that contains the vulnerability. It may be possible to reduce the risk of attack by limiting access to this protocol. For example, the risk posed by a vulnerability in a database component that communicates using the Oracle Net protocol could be reduced by preventing network connections using this protocol, or by limiting access to only trusted machines. Such restrictions are typically achieved using firewalls or managed switches.

Package and/or Privilege Required

Packages, privileges, roles, responsibilities or other preconditions required by an attack for it to potentially be successful. It may be possible to reduce the risk of attack by changing a required precondition. For example, if a vulnerability may be exploited only by users with access to a certain database package, revoking untrusted users' access to that package will reduce the number of people who can exploit the vulnerability. Oracle strongly recommends that such changes are first made on a test system as some changes may cause loss of functionality or other unwanted side effects in custom code or other Oracle software.

Remote Exploit Without Authentication?

Indicates whether the vulnerability may be exploited by a remote attacker who does not have authentication credentials for the targeted system. Vulnerabilities which may be exploitable from a remote network and without authentication are higher risk and are marked with a Yes. Vulnerabilities that cannot be exploited remotely, or which require authentication, are marked with a No.

The value in this column is derived from CVSS information presented in the risk matrix. This column is Yes only if:

  • For CVSS versions 3.0 and 3.1, Attack Vector is Network and Privileges Required is None and Base Score is > 0.0;
  • For CVSS version 2.0, Access Vector is Network and Authentication is None and Base Score is > 0.0;
  • For CVSS version 1.0, Attack Vector is Remote and Authentication is Not Required and Base Score is > 0.0.
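To make the rule above concrete, here is an added Python example (not Oracle's code) that derives the column value from a CVSS vector string and Base Score for each version listed, and orders rows most severe first as the matrices are. The v3.x and v2.0 vector syntax is the FIRST standard; the v1.0 encoding (AV:R for Remote, Au:NR for Not Required) is an assumption based on NVD-style v1 vectors.

```python
# version -> (vector metric, value meaning Network/Remote,
#             auth metric, value meaning None/Not Required)
RULES = {
    "3.1": ("AV", "N", "PR", "N"),
    "3.0": ("AV", "N", "PR", "N"),
    "2.0": ("AV", "N", "Au", "N"),
    "1.0": ("AV", "R", "Au", "NR"),  # assumed v1.0 encoding, see lead-in
}

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/...' or '(AV:N/AC:L/Au:N/...)' into {metric: value}.
    A leading 'CVSS:3.x' element is kept under key 'CVSS' for version checking."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics

def remote_exploit_without_auth(version: str, vector: str, base_score: float) -> str:
    """Return 'Yes' or 'No' exactly as the risk-matrix column would show it."""
    if version not in RULES:
        raise ValueError(f"unsupported CVSS version {version!r}")
    m = parse_vector(vector)
    declared = m.get("CVSS")  # only v3.x vectors carry this prefix
    if declared is not None and declared != version:
        raise ValueError(f"vector declares CVSS {declared} but {version} was given")
    av_key, av_net, auth_key, auth_none = RULES[version]
    if av_key not in m or auth_key not in m:
        raise ValueError(f"vector lacks {av_key} or {auth_key}: {vector!r}")
    remote = m[av_key] == av_net and m[auth_key] == auth_none and base_score > 0.0
    return "Yes" if remote else "No"

def order_matrix(rows: list) -> list:
    """Order rows most severe first, as each risk matrix is sorted."""
    return sorted(rows, key=lambda r: r["base_score"], reverse=True)

if __name__ == "__main__":
    # Constructed sample rows; the CVE ids are placeholders, not real advisories.
    rows = [
        {"cve": "CVE-0000-0001", "version": "3.1", "base_score": 6.5,
         "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
        {"cve": "CVE-0000-0002", "version": "2.0", "base_score": 7.5,
         "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    ]
    for r in order_matrix(rows):
        col = remote_exploit_without_auth(r["version"], r["vector"], r["base_score"])
        print(r["cve"], r["base_score"], col)
```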

CVSS Version 3.1 Risk

The CVSS Base Score, an assessment of risk defined by the Common Vulnerability Scoring System (CVSS). The CVSS Base Metrics are defined in the CVSS v3.1 specification. The "Oracle's Use of CVSS Scoring" page explains Oracle's implementation of the CVSS standard. Full details of all versions of the CVSS standard, as maintained by the Forum of Incident Response and Security Teams (FIRST), can be found on FIRST's web site at https://www.first.org/cvss.

The CVSS Base Score is a numeric value between 0.0 and 10.0 which indicates the relative severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.

Supported Versions Affected

This column lists the versions of the product that are affected by the vulnerability. Product versions that are no longer supported are not tested for the presence of the vulnerability and are excluded.

In the case of products that follow a patch set model, the column lists the last patch set in the release that is affected. Patch sets preceding the one listed should be assumed vulnerable.

In January 2011, the column name was changed from Last Affected Patch set (per Supported Release) to Supported Versions Affected. No other changes were made to the definition of this column or its values.

Notes

This column refers to comments in a Notes section immediately below the risk matrix when additional information is provided.

FAQs

What are the terms used in a risk matrix?

The probability or likelihood of risk is usually presented using rows in the risk matrix. These rows are divided into degrees of likelihood of risk occurrence. Although low, medium and high are the most commonly used, other terms used for the probability rows are very likely, likely, and unlikely.

What is a risk matrix in simple terms?

A risk matrix is a tool that is normally used to assess the level of risk and assist the decision-making process. It takes into consideration the category of probability, or likelihood, against the category of consequence severity.

How do you read a risk matrix?

The risk assessment matrix works by presenting various risks as a chart, color-coded by severity: high risks in red, moderate risks in yellow, and low risks in green. Every risk matrix also has two axes: one measuring the likelihood of occurrence and one measuring impact.

What are the 5 risk rating levels in the risk assessment matrix?

The levels of risk severity in a 5×5 risk matrix are insignificant, minor, significant, major, and severe.

What are the components of the risk matrix?

Risk matrices can come in many shapes and sizes, but every matrix has two axes: one that measures the likelihood of a risk, and another that measures its severity. In other words, the impact the risk would have on operations.

Is there a standard for risk matrix?

Although standard risk matrices exist in certain contexts (e.g. US DoD, NASA, ISO), individual projects and organizations may need to create their own or tailor an existing risk matrix.

How to prepare a risk control matrix?

Create a Risk Control Matrix: Step-by-Step
  1. Identify the Risks
  2. Determine the Risk Controls
  3. Assess the Risk
  4. Assign Ownership
  5. Review and Update

What is a risk breakdown structure matrix?

The Risk Breakdown Structure (RBS) matrix helps project managers understand the extent and nature of the risks at hand. In PMP terms, the RBS is the most important element in project management because it makes it much easier to pinpoint and assess the risks associated with your project.

What is the formula for calculating risk?

Risk is the combination of the probability of an event and its consequence. In general, this can be explained as: Risk = Likelihood × Impact.

What is the interpretation of risk matrix?

The risk matrix can be interpreted as follows: Green risks – The risk here is low, so risks can usually be accepted. Risk avoidance or mitigation actions are likely not necessary. Yellow risks – The risk here is medium, so you should consider risk mitigation actions to reduce or resolve the consequences.

How do you interpret risk scores?

Scores are used to make decisions, but the thresholds depend on context. For example, a risk of 9 out of 10 will usually be considered "high risk", whereas a risk of 7 out of 10 can be considered either "high risk" or "medium risk" depending on context.

How to determine risk severity?

A common method of assessing the level of risk is to assign a value to each of two component parts, Likelihood and Severity, and combine them: Severity × Likelihood = Risk.

What is the risk matrix model?

A risk matrix is a risk analysis tool to assess risk likelihood and severity during the project planning process. Once you assess the likelihood and severity of each risk, you can chart them along the matrix to calculate risk impact ratings.

What are the 5 pillars of risk assessment?

The pillars of risk are effective reporting, communication, business process improvement, proactive design, and contingency planning. These pillars can make it easier for companies to successfully mitigate risks associated with their projects.

What are the 4 risk categories?

The main four types of risk are:
  • strategic risk - eg a competitor coming on to the market.
  • compliance and regulatory risk - eg introduction of new rules or legislation.
  • financial risk - eg interest rate rise on your business loan or a non-paying customer.
  • operational risk - eg the breakdown or theft of key equipment.

What is a three-factor risk matrix?

A 3x3 risk matrix is a tool used to assess risks based on their likelihood and impact. It consists of three levels each for likelihood and impact, resulting in nine combinations that categorize risks into different levels of severity. Here's an example: Likelihood: Low, Medium, High.

What are the three dimensions of the risk matrix?

Three-Dimensional Risk Assessment - Introduction

The three-dimensional risk assessment framework is a model that considers the three dimensions of risk: The probability that a given event will occur. The severity of the consequences. The impact on the different players along the value chain.

What is step 1 of the 5 steps to risk assessment?

Identify the hazards you can reasonably expect and assess the risks from them.

What does a risk matrix classify risk according to?

A risk matrix identifies the activities of a company, classifies the type of risk according to its intensity and the different factors that can cause it. Similarly, the matrix makes it possible to measure the effectiveness of appropriate risk management.
