Oracle RDBMS (Database and OJVM) Patch Mapping Improvements...
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements Summary Improvements have been made to how Nessus plugins determine the active version of the Oracle RDMS’s Database and OJVM components. How Patch Mapping Works for Oracle Database Scans Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways: Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials) Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials) Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials) The patch information is stored by the scanner in a temporary database known as the “scratchpad”, for later reference. Plugin ID 71644, "oracle_rdbms_patch_info.nbin", is then run and sets the patch level (version) by checking the detected patches against the mapping in "oracle_database_mappings.inc". Problem This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As this mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. In the event that the target system has no patches installed that match a mapping from "oracle_database_mappings.inc", only the base version is reported (e.g 21.17.0.0.0), possibly resulting in False Positive findings. Improvements As we already have a complete list of installed patches and their descriptions stored in the aforementioned “scratchpad” we have added an additional layer of patch mapping over this. Plugin ID 71644, will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (version) for the Database and OJVM components in its output. Expected Impact Improved accuracy in version detections for Oracle Database and OJVM resulting in less false positives in downstream vulnerability detection plugins Impacted plugins 71644, oracle_rdbms_patch_info.nbin 45624, oracle_rdbms_query_patch_info.nbin Targeted Release Date Monday, April 7, 2025Oracle JavaVM (OJVM) Detection Update Summary Authenticated...
Oracle JavaVM (OJVM) Detection Update Summary Authenticated scans launched against Oracle database hosts will no longer report Oracle JavaVM (OJVM) patches as missing if the OJVM component is not installed. Change A series of plugins are used to detect Oracle Database patch levels. With local checks enabled plugin 71644 gathers the patch information of the Oracle Databases detected. With remote checks enabled (i.e. authenticating into the Database without authenticating in the OS) it is plugin 45624 that will gather the patch information from the Database. While plugin 71644 alone cannot detect the presence of OJVM, users can leverage plugin 45624 to detect the installation status of that component.This limitation of 71644 results in Oracle CPU plugins reporting missing OJVM patches, despite OJVM not being installed. Although reporting these missing patches follows Oracle’s best-practice guidelines, numerous customers have requested the ability to silence these reports when enabling Oracle Database remote checks in the same scan. Following this update, scans will no longer report OJVM patches as missing if the component is not found as installed by plugin 45624. To achieve this result, scans need to be provided with both OS credentials and Oracle Database credentials, and successful authentication must occur with both sets of credentials. Impact In remote scans, Oracle JavaVM vulnerabilities will only be reported if Oracle JavaVM is installed when scanned with both OS and Oracle Database credentials. This change has no impact on Nessus Agent scans, as remote database connections are no possible. Impacted Plugins 45624 (Oracle RDBMS Host Name and Patch Info) All Oracle CPU plugins pertaining to Oracle Databases. Target Release Date Tuesday, September 19, 2023