Oracle JavaVM (OJVM) Detection Update
Summary
Authenticated scans launched against Oracle database hosts will no longer report Oracle JavaVM (OJVM) patches as missing if the OJVM component is not installed.
Change
A series of plugins is used to detect Oracle Database patch levels. With local checks enabled, plugin 71644 gathers the patch information of the Oracle Databases detected. With remote checks enabled (i.e. authenticating to the Database without authenticating to the OS), plugin 45624 gathers the patch information from the Database.
While plugin 71644 alone cannot detect the presence of OJVM, plugin 45624 can detect the installation status of that component. This limitation of 71644 results in Oracle CPU plugins reporting missing OJVM patches even though OJVM is not installed. Although reporting these missing patches follows Oracle's best-practice guidelines, numerous customers have requested the ability to silence these reports when Oracle Database remote checks are enabled in the same scan.
Following this update, scans will no longer report OJVM patches as missing if plugin 45624 finds that the component is not installed. To achieve this result, scans need to be provided with both OS credentials and Oracle Database credentials, and successful authentication must occur with both sets of credentials.
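The gating described above, modelled as an added Python example (this is not Tenable plugin code). The constraint values are copied from the debug output quoted later in this thread; the ScanContext fields, the 19.19 patch level and the rule that an OJVM level absent from the local inventory counts as a missing patch are constructed assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constraint values copied from the OJVM debug output quoted in this thread.
OJVM_CONSTRAINT = {"component": "ojvm", "min_version": "19.0",
                   "fixed_version": "19.20.0.0.230718", "missing_patch": "35354406"}


def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """Compare Oracle dotted patch levels of unequal length ('19.0' vs '19.20.0.0.230718')."""
    pa, pb = _ver(a), _ver(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


@dataclass
class ScanContext:                       # assumed shape, not a real plugin structure
    os_auth_ok: bool                     # local checks (plugin 71644) ran
    db_auth_ok: bool                     # remote checks (plugin 45624) ran
    ojvm_installed: Optional[bool]       # 45624's view of the OJVM component
    patch_levels: Dict[str, str]         # component -> patch level seen locally


def ojvm_remotely_detected(ctx: ScanContext) -> Optional[bool]:
    """Trust the component status only when BOTH credential sets authenticated; else unknown (NULL)."""
    if not (ctx.os_auth_ok and ctx.db_auth_ok):
        return None
    return ctx.ojvm_installed


def missing_ojvm_patch(ctx: ScanContext, c: dict = OJVM_CONSTRAINT) -> Optional[str]:
    """Return the patch id to report as missing, or None when suppressed or not applicable."""
    if ojvm_remotely_detected(ctx) is False:
        return None                      # component confirmed absent: suppress the finding
    level = ctx.patch_levels.get(c["component"])
    if level is None:
        # OJVM level not visible to local checks: unknown status is still reported
        return c["missing_patch"]
    if version_lt(level, c["min_version"]) or not version_lt(level, c["fixed_version"]):
        return None                      # outside the affected range or already fixed
    return c["missing_patch"]
```

With OS credentials only, the model returns the patch id even when OJVM is absent, which is the pre-update behaviour; adding DB credentials and an "installed: false" result from 45624 suppresses it.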
Impact
In remote scans, Oracle JavaVM vulnerabilities will only be reported if Oracle JavaVM is installed when scanned with both OS and Oracle Database credentials. This change has no impact on Nessus Agent scans, as remote database connections are not possible there.
Impacted Plugins
- 45624 (Oracle RDBMS Host Name and Patch Info)
- All Oracle CPU plugins pertaining to Oracle Databases.
Target Release Date
Tuesday, September 19, 2023
5 Replies
- rmoody (Product Team)
Thanks @Ferenc Gazsi .
Unfortunately, the changes outlined in this highlight can only be leveraged to detect if OJVM is actually installed if the scan is provided with both sets of credentials (OS and DB credentials). This is because the most reliable method of determining if OJVM is installed is by querying the database directly, which requires database credentials.
If you or your team are aware of a better method to detect this, we would be delighted to hear it. You can log such suggestions in our Suggestions Portal.
In the meantime, I'll request that your ticket gets picked up ASAP and an official response to this effect is provided.
Regards,
Rob M.
- gazsi_ferenc (Connect Rookie)
Similarly, the most reliable method to detect missing OS patches is to perform some file system operations, which requires OS credentials. However, if the credential is not available, Nessus won't list all the possible vulnerabilities for that OS. I don't understand why DB is different in this aspect, especially if 'Avoid potential false alarms' is enabled in the policy.
There's no need for better detection, you should only omit the guessing. False negatives are reasonable in the case of missing credentials but false positives are not.
- rmoody (Product Team)
Hi @Ferenc Gazsi ,
Has the target been scanned with both OS and Oracle Database credentials configured in the scan policy?
If no, can you try this?
If yes, and you are still experiencing issues, please log a ticket with our Tech Support team and we will investigate.
Cheers,
Rob M.
- gazsi_ferenc (Connect Rookie)
Hello Rob,
The target was scanned with an OS credential only. Unfortunately, I have no user for the DB.
The support ticket was opened 2 weeks ago (01695515). It would be great if you could look into it.
Thanks,
Ferenc
- gazsi_ferenc (Connect Rookie)
Nessus Professional still detects uninstalled OJVMs:
[2023-10-13 08:24:08] [get_oracledb_host_os_and_port][Host/OS][Linux Kernel 4.18.0-477.27.1.el8_8.x86_64 on Red Hat Enterprise Linux release 8.8 (Ootpa)]
[2023-10-13 08:24:08] [get_oracledb_host_os_and_port][Host/OS][linux][port][0]
[2023-10-13 08:24:08] vcf::oracle_rdbms::_get_installs(): [_get_installs][patches/local][os][linux][port][0][make_nested_array(
'Oracle//oracle/xxx/19.0.0/RDBMS Patch Level', '19.20.0.0.230718'
)]
[2023-10-13 08:24:08] ojvm_remotely_detected(): Oracle remote and/or local detection did not run, returning NULL.
[2023-10-13 08:24:08] vcf::oracle_rdbms::_get_installs(): [_get_installs][patches/local][ohome][/oracle/xxx/19.0.0][port][0][make_nested_array(
'Oracle//oracle/xxx/19.0.0/RDBMS Patch Level', '19.20.0.0.230718'
)]
[2023-10-13 08:24:08] Matching RDBMS constraint: NULL
[2023-10-13 08:24:08] Matching OJVM constraint: make_nested_array(
'component', 'ojvm',
'fixed_version', '19.20.0.0.230718',
'min_version', '19.0',
'missing_patch', '35354406',
'os', 'unix'
)