Forum Discussion
Oracle JavaVM (OJVM) Detection Update Summary Authenticated...
Thanks @Ferenc Gazsi.
Unfortunately, the changes outlined in this highlight can only be leveraged to detect if OJVM is actually installed if the scan is provided with both sets of credentials (OS and DB credentials). This is because the most reliable method of determining if OJVM is installed is by querying the database directly, which requires database credentials.
If you or your team are aware of a better method to detect this, we would be delighted to hear it. You can log such suggestions in our Suggestions Portal.
In the meantime, I'll request that your ticket gets picked up ASAP and an official response to this effect is provided.
Regards,
Rob M.
Similarly, the most reliable method to detect missing OS patches is to perform some file system operations, which requires OS credentials. However, if the credential is not available, Nessus won't list all the possible vulnerabilities for that OS. I don't understand why DB is different in this aspect. Especially if the 'Avoid potential false alarms' is enabled in the policy.
There's no need for better detection, you should only omit the guessing. False negatives are reasonable in the case of missing credentials but false positives are not.