Oracle October 2025 Critical Patch Update Addresses 170 CVEs
On October 21, Oracle released its Oracle Critical Patch Update Advisory - October 2025, the fourth and final quarterly update of the year. This CPU contains fixes for 170 unique CVEs in 374 security updates across 29 Oracle product families. Out of the 374 security updates published this quarter, 10.7% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.3%, followed by high severity patches at 39.0%. This quarter, the Oracle TimesTen In-Memory Database product family contained the highest number of patches at 73, accounting for 19.5% of the total patches, followed by Oracle Spatial Studio at 64 patches, which accounted for 17.1% of the total patches. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Oracle E-Business Suite Zero-Day Exploited by Cl0p Ransomware Group (CVE-2025-61882)
On October 4, Oracle published a Security Alert Advisory for a zero-day in its E-Business Suite (EBS) solution: CVE Description CVSSv3 CVE-2025-61882 Oracle Concurrent Processing Remote Code Execution Vulnerability 9.8 This vulnerability was reportedly exploited in the wild by the Cl0p ransomware group. It followed earlier reports of extortion emails being sent to EBS customers by the Cl0p ransomware group. Initially, Oracle indicated that attacks used flaws in Oracle’s July 2025 CPU release. For more information about this zero-day vulnerability and associated vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post: Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates. In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS: CVE Product CVSSv3 CVE-2025-30743 Oracle Lease and Finance Management 8.1 CVE-2025-30744 Oracle Mobile Field Service 8.1 CVE-2025-50105 Oracle Universal Work Queue 8.1 CVE-2025-50071 Oracle Applications Framework 6.4 CVE-2025-30746 Oracle iStore 6.1 CVE-2025-30745 Oracle MES for Process Manufacturing 6.1 CVE-2025-50107 Oracle Universal Work Queue 6.1 CVE-2025-30739 Oracle CRM Technical Foundation 5.5 CVE-2025-50090 Oracle Applications Framework 5.4 Cl0p has historically been linked to the exploitation of zero-day vulnerabilities including in managed file transfer platforms, such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and or publish more details on the Tenable Blog.
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements...
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements Summary Improvements have been made to how Nessus plugins determine the active version of the Oracle RDMS’s Database and OJVM components. How Patch Mapping Works for Oracle Database Scans Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways: Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials) Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials) Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials) The patch information is stored by the scanner in a temporary database known as the “scratchpad”, for later reference. Plugin ID 71644, "oracle_rdbms_patch_info.nbin", is then run and sets the patch level (version) by checking the detected patches against the mapping in "oracle_database_mappings.inc". Problem This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As this mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. In the event that the target system has no patches installed that match a mapping from "oracle_database_mappings.inc", only the base version is reported (e.g 21.17.0.0.0), possibly resulting in False Positive findings. Improvements As we already have a complete list of installed patches and their descriptions stored in the aforementioned “scratchpad” we have added an additional layer of patch mapping over this. Plugin ID 71644, will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (version) for the Database and OJVM components in its output. Expected Impact Improved accuracy in version detections for Oracle Database and OJVM resulting in less false positives in downstream vulnerability detection plugins Impacted plugins 71644, oracle_rdbms_patch_info.nbin 45624, oracle_rdbms_query_patch_info.nbin Targeted Release Date Monday, April 7, 2025
New DISA Oracle Linux 8 STIG audits Summary Customers can...
New DISA Oracle Linux 8 STIG audits Summary Customers can now measure compliance against Oracle Linux 8 using the new DISA Oracle Linux 8 audits. These audits can now be downloaded from Tenable's download portal found at: https://www.tenable.com/downloads/configuration-audit-policies. Tenable Audit Files DISA Oracle Linux 8 STIG v1r1 Target Release Date Immediate Additional Notes: The audits include checks for evaluating Oracle Linux 8 systems. To obtain the latest version of the STIG please visit https://public.cyber.mil/stigs/.Oracle JavaVM (OJVM) Detection Update Summary Authenticated...
Oracle JavaVM (OJVM) Detection Update Summary Authenticated scans launched against Oracle database hosts will no longer report Oracle JavaVM (OJVM) patches as missing if the OJVM component is not installed. Change A series of plugins are used to detect Oracle Database patch levels. With local checks enabled plugin 71644 gathers the patch information of the Oracle Databases detected. With remote checks enabled (i.e. authenticating into the Database without authenticating in the OS) it is plugin 45624 that will gather the patch information from the Database. While plugin 71644 alone cannot detect the presence of OJVM, users can leverage plugin 45624 to detect the installation status of that component.This limitation of 71644 results in Oracle CPU plugins reporting missing OJVM patches, despite OJVM not being installed. Although reporting these missing patches follows Oracle’s best-practice guidelines, numerous customers have requested the ability to silence these reports when enabling Oracle Database remote checks in the same scan. Following this update, scans will no longer report OJVM patches as missing if the component is not found as installed by plugin 45624. To achieve this result, scans need to be provided with both OS credentials and Oracle Database credentials, and successful authentication must occur with both sets of credentials. Impact In remote scans, Oracle JavaVM vulnerabilities will only be reported if Oracle JavaVM is installed when scanned with both OS and Oracle Database credentials. This change has no impact on Nessus Agent scans, as remote database connections are no possible. Impacted Plugins 45624 (Oracle RDBMS Host Name and Patch Info) All Oracle CPU plugins pertaining to Oracle Databases. Target Release Date Tuesday, September 19, 2023New CIS Oracle Linux 9 v1.0.0 Audit Files Summary Customers...
New CIS Oracle Linux 9 v1.0.0 Audit Files Summary Customers can now measure compliance against the latest release of the Oracle Linux 9 Benchmark from CIS with the new CIS Oracle Linux 9 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable. Tenable Audit Files CIS Oracle Linux 9 v1.0.0 - Level 1 Server CIS Oracle Linux 9 v1.0.0 - Level 2 Server CIS Oracle Linux 9 v1.0.0 - Level 1 Workstation CIS Oracle Linux 9 v1.0.0 - Level 2 Workstation The audits can be downloaded from the Tenable Audits Portal Target Release Date ImmediateClient Certificate Authentication for Oracle Databases...
Client Certificate Authentication for Oracle Databases Summary Support for x509 client certificate authentication to Oracle databases will be added soon to Tenable vulnerability management and detection products. Change Customers will be able to select a new "Client Certificate" database credential type for Oracle databases. When this credential is equipped with a client certificate, private key and trusted CA certificate it will be used to authenticate vulnerability and compliance scans to Oracle databases. Here is what the new credential type looks like: In order to use X509 certificates to authenticate to an Oracle database, the database and certificates must be properly configured. Product documentation for this feature is incomplete and difficult to find. The following is a list of requirements, which combined with official documentation, should at least contribute to the correct configuration. The trusted certificate in the Oracle Database server's secure wallet must be used to sign the client certificate. The distinguished name of the client certificate must match the external name configured for that user in the database. For example, if the user certificate has a distinguished name "CN=Scott", then the following has to be executed on the target server at some point: alter user Scott identified externally as 'CN=Scott'; The wallet location has to be correctly specified in both sqlnet.ora and listener.ora on the server. The TCPS protocol must be supported in the server configuration. The sqlnet.ora file on the server must have the following settings: SSL_CLIENT_AUTHENTICATION = TRUE DISABLE_OOB = ON More information can be found at: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070, and https://docs.oracle.com/database/121/DBSEG/authentication.htm#DBSEG003 If Oracle client certificates from a client-side Oracle secure wallet are used, they must be extracted individually into PEM encoded files. The following OpenSSL command can be used to unpack a wallet into PEM form: openssl pkcs12 -in ewallet.p12 -out certs.crt At this point the individual client certificate, private key and CA certificate must be individually copied out of certs.crt into individual files using a text editor. These files can then be used to populate the Tenable database credential. Note Some versions of Nessus do not support encrypted private keys. It may be necessary to decrypt your private key using openssl before uploading it to the new database credential. Rest assured, Tenable will never transmit your private key and will always store private keys in an encrypted format. Impact Customers will be able to use X509 client certificates in Tenable vulnerability scans to authenticate to target databases. Affected Components Nessus Professional, T.sc, T.io and other Nessus based products such as Nessus Manager. Target Release Date 19 Jan 2022 - Nessus and Tenable.ioTenable Audits Being Retired Summary With the release of...
Tenable Audits Being Retired Summary With the release of alternative guidance by CIS, DISA and product vendors or the End of Life (EOL) of products, a number of Tenable audits are being retired. Where applicable, a suggested replacement audit has been noted. Removed Tenable Audits Unix TNS IBM WebSphere Application Server 9 Linux Replacement: DISA IBM WebSphere Traditional v1r1 TNS Oracle WebLogic 10 Security Guide Linux Replacement: DISA Oracle WebLogic Server 12c v2r1 TNS Oracle WebLogic 11 Security Guide Linux Replacement: DISA Oracle WebLogic Server 12c v2r1 Windows DISA STIG Access 2007 v4r9 Replacement: DISA Office 2010 Access or newer DISA STIG Excel 2007 v4r9 Replacement: DISA Office 2010 Excel or newer DISA STIG InfoPath 2007 v4r9 Replacement: DISA Office 2010 InfoPath or newer DISA STIG MS Office Access 2003 v4r3 Replacement: DISA Office 2010 Access or newer DISA STIG MS Office Excel 2003 v4r3 Replacement: DISA Office 2010 Excel or newer DISA STIG MS Office Infopath 2003 v4r3 Replacement: DISA Office 2010 InfoPath or newer DISA STIG MS Office Outlook 2003 v4r3 Replacement: DISA Office 2010 Outlook or newer DISA STIG MS Office PowerPoint 2003 v4r3 Replacement: DISA Office 2010 PowerPoint or newer DISA STIG MS Office Word 2003 v4r3 Replacement: DISA Office 2010 Word or newer DISA STIG OfficeSystem 2007 v4r9 Replacement: DISA Office System 2010 or newer DISA STIG Outlook 2007 v4r9 Replacement: DISA Office 2010 Outlook or newer DISA STIG PowerPoint 2007 v4r9 Replacement: DISA Office 2010 PowerPoint or newer DISA STIG Word 2007 v4r9 Replacement: DISA Office 2010 Word or newer TNS IBM WebSphere Application Server 9 Windows Replacement: DISA IBM WebSphere Traditional v1r1 TNS Oracle WebLogic 10 Security Guide Windows DISA Oracle WebLogic Server 12c v2r1 TNS Oracle WebLogic 11 Security Guide Windows Replacement: DISA Oracle WebLogic Server 12c v2r1 Juniper TNS Juniper ScreenOS Best Practices Audit Please see https://support.juniper.net/support/eol/product/netscreen_hw/ for end of life status of NetScreen/ScreenOS products Target Release Date January 4, 2022 Additional Notes: As with any new audit or significant update, the items tested may vary and the results of a scan could be very different. We urge customers to always review and understand the contents of any new audit files before they are implemented in a scan.New DISA Oracle MySQL 8 STIG v1r1 Summary Customers with...
New DISA Oracle MySQL 8 STIG v1r1 Summary Customers with Oracle MySQL 8 instances can now examine their installations’ compliance with Tenable's audit files based on the Oracle MySQL 8 DISA STIG v1r1. DISA STIG DISA Oracle MySQL 8 STIG version 1 release 1 Target Release Date Immediate Release Additional Notes The DISA STIG ZIP package found in the "see also" section includes the U_MySQL80Audit.sql.pdf file that contains example filters that can be created for use with the MySQL Enterprise Audit product to assist in meeting STIG requirements. The STIG is intended for use with MySQL Database version 8.0 installed on a RHEL or CentOS environment.
