Various Oracle Products: Patch Mapping Improvements
Summary
Improvements have been made to how Nessus plugins determine the installed version of the following Oracle products:
- Oracle Business Process Management
- Oracle Business Intelligence Publisher
- Oracle Business Intelligence Enterprise Edition
- Oracle Analytics Server
- Oracle GoldenGate
How Patch Mapping Works for these Oracle products
Prior to these improvements, the product version was determined by mapping installed patch IDs to a version number based on a lookup/mapping table that we maintain and ship to scanners as part of the feed.
Installed patches for most Oracle products, including Enterprise Manager Cloud Control and Agent, are enumerated in one of two possible ways:
- Linux Local Detections: oracle_enum_products_nix.nbin (plugin ID 71642, requires SSH credentials)
- Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials)
Problem
This process alone is sometimes problematic, as Oracle releases its patches in stages or sometimes outside of the regular Critical Patch Update (CPU) cadence. As our mapping table is manually maintained, some patches are not mapped in time for vulnerability plugin releases, which is a semi-automated process. We have had several instances where our mapping table was not updated in a timely manner, either because Oracle released a new patch ID in an out-of-band cycle or because they released a patch ID that we do not have visibility into. If our scan fails to identify a patch ID that exists in our mapping table, only the base version is reported (e.g. 13.5.0.0.0), possibly resulting in false positive findings.
Improvements
We have identified additional methods of determining the version number, including the patch level, without depending solely on the mapping tables. These Oracle detection plugins (see the “Impacted Plugins” section below) will now attempt to determine the current patch version both from the Tenable-managed static mapping table and by parsing the description of the patches.
Expected Impact
Improved accuracy in version detections for these Oracle products, resulting in fewer false positives in downstream vulnerability detection plugins.
Impacted Plugins
- 172516 - oracle_analytics_server_installed.nbin
- 123684 - oracle_goldengate_installed.nbin
- 76708 - oracle_bi_publisher_installed.nbin
- 136765 - oracle_bpm_installed.nbin
- 170905 - oracle_business_intelligence_enterprise_edition_installed.nbin
All Oracle vulnerability plugins dependent upon the individual plugins listed above are also impacted.
Targeted Release Date
Tuesday 18 and Wednesday 19 November 2025.
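
A sketch of the two-source version resolution described under "Improvements", as an added example that is not Tenable's plugin code. The table layout, the five-field version pattern in patch descriptions, the highest-version-wins rule, and every patch ID and description below are assumptions constructed for illustration.

```python
import re

# Five-field dotted version, e.g. 13.5.0.0.3 (assumed description format).
VERSION_RE = re.compile(r"(?<![\d.])(\d+(?:\.\d+){4})(?!\.?\d)")

def vkey(version):
    """Turn '13.5.0.0.3' into (13, 5, 0, 0, 3) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))

def resolve_version(base, patches, patch_map, use_descriptions=True):
    """Return (version, source) for the highest patch level that can be shown.

    patches is a list of (patch_id, description) pairs from the local
    patch inventory; patch_map is the static patch ID -> version table.
    """
    best, source = base, "base"
    for patch_id, description in patches:
        candidates = []
        if patch_id in patch_map:
            candidates.append((patch_map[patch_id], "table:" + patch_id))
        if use_descriptions:
            for found in VERSION_RE.findall(description or ""):
                candidates.append((found, "description:" + patch_id))
        for version, origin in candidates:
            # Skip versions from another release line (for example a
            # bundled component) and anything not newer than the best so far.
            if vkey(version)[:2] != vkey(base)[:2]:
                continue
            if vkey(version) > vkey(best):
                best, source = version, origin
    return best, source

# Constructed sample data: IDs, versions and descriptions are made up.
PATCH_MAP = {"90000001": "13.5.0.0.1"}
INVENTORY = [
    ("90000001", "Product Bundle Patch 13.5.0.0.1"),
    ("90000002", "Product Bundle Patch 13.5.0.0.3 (includes library 12.2.1.4.0)"),
]

if __name__ == "__main__":
    # Table only: the unmapped patch 90000002 contributes nothing.
    print(resolve_version("13.5.0.0.0", INVENTORY, PATCH_MAP, use_descriptions=False))
    # Table plus description parsing recovers the installed patch level.
    print(resolve_version("13.5.0.0.0", INVENTORY, PATCH_MAP))
```

With only the unmapped patch installed and description parsing off, the function returns the base version, which is the condition the "Problem" section ties to false positives in downstream vulnerability plugins.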