Tenable Research Release Highlights

Forum Discussion

rmoody
Product Team
4 months ago

Oracle HTTP Server: Patch Mapping Improvements

Summary

Improvements have been made to how Nessus plugins determine the active version of Oracle HTTP Server.

How Patch Mapping Works for Oracle Enterprise Manager Scans

Prior to these improvements, the HTTP Server version was determined by mapping installed patch IDs to a version number based on a lookup/mapping table that we maintain and ship to scanners as part of the feed.

Installed patches for most Oracle products, including HTTP Server, are enumerated in one of two possible ways:

  1. Linux Local Detections: oracle_enum_products_nix.nbin (plugin ID 71642, requires SSH credentials)
  2. Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials)

Both of the above plugins store patch information in a temporary SQLite database known as the “scratchpad” for later reference. Plugin ID 76617 (oracle_http_server_installed.nbin) collects this information and then reports the install and its determined version (patch level).

Problem

This process alone is sometimes problematic, as Oracle releases its patches in stages or sometimes outside of the regular CPU cadence. Because our mapping table is manually maintained, some patches are not mapped in time for vulnerability plugin releases, which are a semi-automated process. We have had several instances where our mapping table was not updated in a timely manner, either because Oracle released a new patch ID in an out-of-band cycle or because it released a patch ID that we do not have visibility on. If none of the patch IDs found by the scan exist in our mapping table, only the base version is reported (e.g. 12.2.1.4.0), possibly resulting in false-positive findings.

Improvements

We have identified additional methods of determining the version number, including the patch level, without depending solely on a mapping table. Plugin ID 76617 will now first attempt to determine the version directly using the new method and will fall back to the findings of the mapping table if needed. The existing mapping table is still checked, and a version comparison is performed to determine the highest patch level present.

In its output, plugin ID 76617 will now also report all of the installed patches for the ORACLE_HOME in which the detected HTTP Server resides.
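The resolution logic described above, as an added illustration that is not Tenable's plugin code: the mapping table, patch IDs and versions are constructed placeholders, and the functions show why an unmapped patch used to collapse to the base version, how the direct detection and the mapping table are combined by a numeric version comparison, and how unmapped patches can be surfaced from the reported patch list.

```python
"""Version resolution modelled on the described improvement (illustration only).

All patch IDs, versions and the mapping table are constructed placeholders,
not Tenable's real feed data.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed mapping of Oracle patch ID -> OHS version (patch level).
PATCH_TO_VERSION = {
    "11111111": "12.2.1.4.1",
    "22222222": "12.2.1.4.2",
}

BASE_VERSION = "12.2.1.4.0"  # constructed base version for the example


def version_key(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def version_from_mapping(patch_ids: Iterable[str]) -> Optional[str]:
    """Legacy path: highest version among installed patches the table knows.

    Returns None when no installed patch is in the table, which is the case
    that previously caused only the base version to be reported."""
    mapped = [PATCH_TO_VERSION[p] for p in patch_ids if p in PATCH_TO_VERSION]
    return max(mapped, key=version_key) if mapped else None


def resolve_version(patch_ids: Iterable[str], direct_version: Optional[str] = None,
                    base_version: str = BASE_VERSION) -> str:
    """Combine direct detection and the mapping table; the highest level wins."""
    candidates = [base_version]
    if direct_version:
        candidates.append(direct_version)
    mapped = version_from_mapping(patch_ids)
    if mapped:
        candidates.append(mapped)
    return max(candidates, key=version_key)


def unmapped_patches(patch_ids: Iterable[str]) -> List[str]:
    """Installed patches absent from the table: candidates for a mapping gap."""
    return sorted(p for p in patch_ids if p not in PATCH_TO_VERSION)
```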

Expected Impact

Improved accuracy in version detections for Oracle HTTP Server, resulting in fewer false positives in downstream vulnerability detection plugins.

Impacted Plugins

  • 76617 - oracle_http_server_installed.nbin
  • Potentially any Oracle HTTP Server local vulnerability check plugins

Targeted Release Date

  • Monday, June 16, 2025