Oracle WebLogic: Patch Mapping Improvements
Summary
Improvements have been made to how Nessus plugins determine the installed version of Oracle WebLogic.
How Patch Mapping Works for Oracle WebLogic Scans
Prior to these improvements, the WebLogic version was determined by mapping installed patch IDs to a version number based on a lookup/mapping table that we maintain and ship to scanners as part of the feed.
Installed patches for most Oracle products, including WebLogic, are enumerated in one of two possible ways:
- Linux Local Detections: oracle_enum_products_nix.nbin (plugin ID 71642, requires SSH credentials)
- Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials)
Both of the above plugins store patch information in a temporary database known as the “scratchpad” (a temporary SQLite database) for later reference. Plugin ID 73913, oracle_weblogic_server_installed.nbin, reads this information and then reports the install and its determined version (patch level).
Problem
This process alone is sometimes problematic, as Oracle releases patches in stages or sometimes outside of the regular CPU cadence. Because our mapping table is manually maintained, some patches are not mapped in time for the (semi-automated) release of the vulnerability plugins that depend on it. We have had several instances where our mapping table was not updated in a timely manner, either because Oracle released a new patch ID in an out-of-band cycle or because they released a patch ID that we do not have visibility on. If none of the patch IDs found by the scan is present in our mapping table, only the base version is reported (e.g. 14.2.1.0.0.0), possibly resulting in false positive findings.
Improvements
We have identified additional methods of determining the version number, including the patch level, without depending solely on a mapping table. Plugin ID 73913 will now first attempt to use the new method of determining the version directly and will fall back to the findings of the mapping table if needed. The existing mapping table is still checked, and a version comparison is performed to determine the highest patch level present.
In its output, plugin ID 73913 will now also report all of the installed patches for the ORACLE_HOME in which the detected WebLogic application resides.
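To make the two resolution methods concrete, the following is an added Python model of the logic described above (it is not Tenable plugin code and does not read the Nessus scratchpad). The patch IDs, the mapping table and the version strings in it are constructed placeholders, not real Oracle patch numbers. It shows the legacy table-only path, the failure mode where an unmapped patch leaves the install at its base version, and the improved path that takes the highest of the directly determined version and the table result, while also returning the installed patch list for reporting.

```python
"""Model of WebLogic version resolution: legacy mapping-table lookup versus the
improved direct-detection-plus-table approach. Constructed example, not plugin code."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed mapping table: patch ID -> patch-level version it brings the install to.
# These IDs and versions are placeholders for illustration only.
PATCH_MAP: Dict[str, str] = {
    "PLACEHOLDER_PATCH_A": "14.2.1.0.0.1",
    "PLACEHOLDER_PATCH_B": "14.2.1.0.0.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an integer tuple so it compares numerically
    (plain string comparison would rank '14.2.1.0.0.10' below '14.2.1.0.0.9')."""
    return tuple(int(part) for part in version.split("."))


def format_version(parts: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in parts)


def version_from_patch_map(base_version: str,
                           installed_patches: Iterable[str],
                           patch_map: Dict[str, str] = PATCH_MAP) -> str:
    """Legacy method: the highest version among the installed patch IDs that the
    table knows about. A patch the table has not caught up with contributes nothing,
    so an install with only unmapped patches is reported at its base version."""
    best = parse_version(base_version)
    for patch_id in installed_patches:
        mapped = patch_map.get(patch_id)
        if mapped is None:
            continue  # unmapped patch: this is the gap that produced false positives
        best = max(best, parse_version(mapped))
    return format_version(best)


def resolve_version(base_version: str,
                    installed_patches: Iterable[str],
                    direct_version: Optional[str],
                    patch_map: Dict[str, str] = PATCH_MAP) -> str:
    """Improved method: use the directly determined version when available, still
    consult the mapping table, and report whichever patch level is highest."""
    installed = list(installed_patches)
    candidates = [parse_version(version_from_patch_map(base_version, installed, patch_map))]
    if direct_version:
        candidates.append(parse_version(direct_version))
    return format_version(max(candidates))


def build_report(base_version: str,
                 installed_patches: Iterable[str],
                 direct_version: Optional[str]) -> Dict[str, object]:
    """Assemble what the detection would report: the resolved version and every
    installed patch in the ORACLE_HOME, mapped or not, so unmapped IDs are visible."""
    installed: List[str] = sorted(installed_patches)
    return {
        "version": resolve_version(base_version, installed, direct_version),
        "installed_patches": installed,
        "unmapped_patches": [p for p in installed if p not in PATCH_MAP],
    }


if __name__ == "__main__":
    # Constructed scenario: one mapped patch, one the table does not know yet.
    patches = ["PLACEHOLDER_PATCH_A", "PLACEHOLDER_PATCH_UNMAPPED"]
    print("legacy :", version_from_patch_map("14.2.1.0.0.0", patches))
    print("report :", build_report("14.2.1.0.0.0", patches, "14.2.1.0.0.3"))
```

The key difference is in `resolve_version`: the table is no longer the single source of truth, so an out-of-band patch that has not yet been mapped can still be credited if the direct detection sees it, and a table entry that is higher than the direct result is still honoured.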
Expected Impact
Improved accuracy in version detection for Oracle WebLogic, resulting in fewer false positives in downstream vulnerability detection plugins.
Impacted Plugins
- 73913, oracle_weblogic_server_installed.nbin
- Potentially any Oracle WebLogic local vulnerability check plugins
Targeted Release Date
- Monday, June 9, 2025
1 Reply
- DavidJMorenoVConnect Captain III
Thanks!