oracle
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements

Summary
Improvements have been made to how Nessus plugins determine the active version of the Oracle RDBMS's Database and OJVM components.

How Patch Mapping Works for Oracle Database Scans
Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways:
- Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials)
- Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials)
- Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials)

The patch information is stored by the scanner in a temporary database known as the "scratchpad" for later reference. Plugin ID 71644, oracle_rdbms_patch_info.nbin, is then run and sets the patch level (version) by checking the detected patches against the mapping in oracle_database_mappings.inc.

Problem
This process alone is sometimes problematic, as Oracle releases patches in stages or sometimes outside of the regular CPU cadence. Because the mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. If the target system has no installed patches that match a mapping in oracle_database_mappings.inc, only the base version is reported (e.g. 21.17.0.0.0), possibly resulting in false positive findings.

Improvements
As we already have a complete list of installed patches and their descriptions stored in the aforementioned "scratchpad", we have added an additional layer of patch mapping on top of it. Plugin ID 71644 will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (versions) for the Database and OJVM components in its output.

Expected Impact
Improved accuracy in version detections for Oracle Database and OJVM, resulting in fewer false positives in downstream vulnerability detection plugins.

Impacted plugins
- 71644, oracle_rdbms_patch_info.nbin
- 45624, oracle_rdbms_query_patch_info.nbin

Targeted Release Date
Monday, April 7, 2025
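The two-layer mapping described above, as an added example written for this page (it is not Tenable's NASL plugin code): the version is parsed from each installed patch's description, the static patch-id-to-version library is still consulted, and the highest version per component wins. The component keywords, the stand-in mapping library and the sample scratchpad entries (placeholder patch ids) are constructed assumptions; check the keyword patterns against your own opatch "Patch description" lines.

```python
"""Two-layer Oracle patch-level mapping: parse the version out of each
installed patch's description, fall back to a manually maintained
patch-id -> version library, and keep the highest version per component.
Added example standing in for the plugin logic; not Tenable's code."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Component keywords as they appear in Oracle Release Update descriptions
# (assumption based on opatch lsinventory output).
COMPONENT_PATTERNS = {
    "OJVM": re.compile(r"\bOJVM\b", re.I),
    "Database": re.compile(r"\bDatabase\s+Release\s+Update\b", re.I),
}
# 4- or 5-part dotted version, e.g. 21.17.0.0.0 or 21.18.0.0.250415
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3,4})\b")

# Stand-in for oracle_database_mappings.inc: patch id -> (component, version).
# Constructed placeholder ids; real ids come from Oracle's patch metadata.
MAPPING_LIBRARY: Dict[str, Tuple[str, str]] = {
    "11111111": ("Database", "21.17.0.0.0"),
    "55555555": ("Database", "21.17.0.0.0"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '21.18.0.0.250415' into a tuple so comparisons are numeric."""
    return tuple(int(p) for p in version.split("."))


def version_from_description(desc: str) -> Optional[Tuple[str, str]]:
    """Map a patch description to (component, version); None when the
    description names no known component or carries no version."""
    m = VERSION_RE.search(desc)
    if not m:
        return None
    for component, pattern in COMPONENT_PATTERNS.items():
        if pattern.search(desc):
            return component, m.group(1)
    return None


def highest_patch_level(base_version: str,
                        installed: Iterable[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Combine both mapping layers and return the highest version per component.
    OJVM stays None when no OJVM patch is seen (the component may not be installed)."""
    levels: Dict[str, Optional[str]] = {"Database": base_version, "OJVM": None}
    for patch_id, desc in installed:
        candidates = []
        parsed = version_from_description(desc)   # layer 1: scratchpad description
        if parsed:
            candidates.append(parsed)
        if patch_id in MAPPING_LIBRARY:           # layer 2: static mapping library
            candidates.append(MAPPING_LIBRARY[patch_id])
        for component, version in candidates:
            current = levels.get(component)
            if current is None or parse_version(version) > parse_version(current):
                levels[component] = version
    return levels


# Constructed scratchpad contents: (patch id, description). Ids are placeholders.
SAMPLE_PATCHES = [
    ("11111111", "Database Release Update : 21.17.0.0.0 (11111111)"),       # in library
    ("22222222", "Database Release Update : 21.18.0.0.250415 (22222222)"),  # newer, not yet in library
    ("33333333", "OJVM RELEASE UPDATE: 21.18.0.0.250415 (33333333)"),
    ("44444444", "Interim patch for bug 44444444"),                          # no version, ignored
]

if __name__ == "__main__":
    for component, version in highest_patch_level("21.3.0.0.0", SAMPLE_PATCHES).items():
        print(f"{component}: {version or 'not detected'}")
```

With the sample above the description layer lifts the Database level to 21.18.0.0.250415 even though only the older patch is in the library; with no OJVM patch in the list the OJVM level stays undetected rather than defaulting to the base version.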
New DISA Oracle Linux 8 STIG audits

Summary
Customers can now measure compliance against Oracle Linux 8 using the new DISA Oracle Linux 8 audits. These audits can now be downloaded from Tenable's download portal found at: https://www.tenable.com/downloads/configuration-audit-policies.

Tenable Audit Files
- DISA Oracle Linux 8 STIG v1r1

Target Release Date
Immediate

Additional Notes:
The audits include checks for evaluating Oracle Linux 8 systems. To obtain the latest version of the STIG please visit https://public.cyber.mil/stigs/.
Oracle JavaVM (OJVM) Detection Update

Summary
Authenticated scans launched against Oracle database hosts will no longer report Oracle JavaVM (OJVM) patches as missing if the OJVM component is not installed.

Change
A series of plugins are used to detect Oracle Database patch levels. With local checks enabled, plugin 71644 gathers the patch information of the Oracle Databases detected. With remote checks enabled (i.e. authenticating to the Database without authenticating to the OS), plugin 45624 gathers the patch information from the Database. While plugin 71644 alone cannot detect the presence of OJVM, users can leverage plugin 45624 to detect the installation status of that component. This limitation of 71644 results in Oracle CPU plugins reporting missing OJVM patches despite OJVM not being installed. Although reporting these missing patches follows Oracle's best-practice guidelines, numerous customers have requested the ability to silence these reports when enabling Oracle Database remote checks in the same scan.

Following this update, scans will no longer report OJVM patches as missing if plugin 45624 does not find the component installed. To achieve this result, scans need to be provided with both OS credentials and Oracle Database credentials, and successful authentication must occur with both sets of credentials.

Impact
In remote scans, Oracle JavaVM vulnerabilities will only be reported if Oracle JavaVM is installed when scanned with both OS and Oracle Database credentials. This change has no impact on Nessus Agent scans, as remote database connections are not possible.

Impacted Plugins
- 45624 (Oracle RDBMS Host Name and Patch Info)
- All Oracle CPU plugins pertaining to Oracle Databases

Target Release Date
Tuesday, September 19, 2023
New CIS Oracle Linux 9 v1.0.0 Audit Files

Summary
Customers can now measure compliance against the latest release of the Oracle Linux 9 Benchmark from CIS with the new CIS Oracle Linux 9 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Audit Files
- CIS Oracle Linux 9 v1.0.0 - Level 1 Server
- CIS Oracle Linux 9 v1.0.0 - Level 2 Server
- CIS Oracle Linux 9 v1.0.0 - Level 1 Workstation
- CIS Oracle Linux 9 v1.0.0 - Level 2 Workstation

The audits can be downloaded from the Tenable Audits Portal.

Target Release Date
Immediate
Client Certificate Authentication for Oracle Databases

Summary
Support for X509 client certificate authentication to Oracle databases will be added soon to Tenable vulnerability management and detection products.

Change
Customers will be able to select a new "Client Certificate" database credential type for Oracle databases. When this credential is equipped with a client certificate, private key and trusted CA certificate, it will be used to authenticate vulnerability and compliance scans to Oracle databases. Here is what the new credential type looks like:

[Screenshot of the new "Client Certificate" credential type; image not included in this page]

In order to use X509 certificates to authenticate to an Oracle database, the database and certificates must be properly configured. Product documentation for this feature is incomplete and difficult to find. The following is a list of requirements which, combined with official documentation, should at least contribute to the correct configuration:
- The trusted certificate in the Oracle Database server's secure wallet must be used to sign the client certificate.
- The distinguished name of the client certificate must match the external name configured for that user in the database. For example, if the user certificate has a distinguished name "CN=Scott", then the following has to be executed on the target server at some point:
  alter user Scott identified externally as 'CN=Scott';
- The wallet location has to be correctly specified in both sqlnet.ora and listener.ora on the server.
- The TCPS protocol must be supported in the server configuration.
- The sqlnet.ora file on the server must have the following settings:
  SSL_CLIENT_AUTHENTICATION = TRUE
  DISABLE_OOB = ON

More information can be found at https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070 and https://docs.oracle.com/database/121/DBSEG/authentication.htm#DBSEG003.

If Oracle client certificates from a client-side Oracle secure wallet are used, they must be extracted individually into PEM encoded files. The following OpenSSL command can be used to unpack a wallet into PEM form:
  openssl pkcs12 -in ewallet.p12 -out certs.crt
At this point the individual client certificate, private key and CA certificate must be copied out of certs.crt into separate files using a text editor. These files can then be used to populate the Tenable database credential.

Note
Some versions of Nessus do not support encrypted private keys. It may be necessary to decrypt your private key using openssl before uploading it to the new database credential. Rest assured, Tenable will never transmit your private key and will always store private keys in an encrypted format.

Impact
Customers will be able to use X509 client certificates in Tenable vulnerability scans to authenticate to target databases.

Affected Components
Nessus Professional, T.sc, T.io and other Nessus based products such as Nessus Manager.

Target Release Date
19 Jan 2022 - Nessus and Tenable.io
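The "copy out of certs.crt with a text editor" step, plus the two checks a practitioner wants before uploading (is the key encrypted, and was the client certificate issued by the bundled CA), as an added example written for this page; it is not Tenable or Oracle code. It relies only on the subject=/issuer= lines and PEM markers that openssl pkcs12 prints, treats a self-signed certificate as the CA, and normalises the OpenSSL DN spelling to the form used in ALTER USER ... IDENTIFIED EXTERNALLY AS. The sample bundle is constructed with placeholder base64 bodies, and the file names are assumptions.

```python
"""Split the PEM bundle from `openssl pkcs12 -in ewallet.p12 -out certs.crt`
into client certificate, private key and CA certificate, and report what
would block the upload. Added example, not Tenable or Oracle code."""
from typing import Dict, List, Optional

# Constructed sample in the shape `openssl pkcs12 -out` writes; the base64
# bodies are placeholders, not real certificates or keys.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: scott
subject=CN = Scott
issuer=CN = Scan CA
-----BEGIN CERTIFICATE-----
Q0xJRU5UQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Scan CA
subject=CN = Scan CA
issuer=CN = Scan CA
-----BEGIN CERTIFICATE-----
Q0FDRVJU
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
RU5DS0VZ
-----END ENCRYPTED PRIVATE KEY-----
"""


def is_encrypted_key(pem: str) -> bool:
    """PKCS#8 encrypted keys say so in the header; legacy PEM keys use Proc-Type."""
    return (pem.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----")
            or "Proc-Type: 4,ENCRYPTED" in pem)


def oracle_external_name(openssl_dn: str) -> str:
    """'CN = Scott, O = Acme' (OpenSSL comma form, assumed) -> 'CN=Scott,O=Acme'."""
    rdns = [rdn.split("=", 1) for rdn in openssl_dn.split(",")]
    return ",".join("=".join(part.strip() for part in rdn) for rdn in rdns)


def split_bundle(text: str) -> Dict[str, List[dict]]:
    """Pair each certificate with the subject=/issuer= lines preceding it.
    subject == issuer marks the CA; everything else is a client cert."""
    out: Dict[str, List[dict]] = {"ca_certs": [], "client_certs": [], "keys": []}
    subject: Optional[str] = None
    issuer: Optional[str] = None
    label: Optional[str] = None
    block: List[str] = []
    for line in text.splitlines():
        if label is None:
            if line.startswith("subject="):
                subject = line[len("subject="):].strip()
            elif line.startswith("issuer="):
                issuer = line[len("issuer="):].strip()
            elif line.startswith("-----BEGIN ") and line.endswith("-----"):
                label = line[len("-----BEGIN "):-5]
                block = [line]
            continue
        block.append(line)
        if line == f"-----END {label}-----":
            pem = "\n".join(block) + "\n"
            if label.endswith("PRIVATE KEY"):
                out["keys"].append({"pem": pem, "encrypted": is_encrypted_key(pem)})
            elif label == "CERTIFICATE":
                bucket = "ca_certs" if subject == issuer else "client_certs"
                out[bucket].append({"pem": pem, "subject": subject, "issuer": issuer})
            label, subject, issuer = None, None, None
    return out


def validate(parts: Dict[str, List[dict]]) -> List[str]:
    """Findings that would stop the credential from working; empty means OK."""
    findings = []
    for kind, key in (("client certificate", "client_certs"),
                      ("CA certificate", "ca_certs"), ("private key", "keys")):
        if len(parts[key]) != 1:
            findings.append(f"expected one {kind}, found {len(parts[key])}")
    if any(k["encrypted"] for k in parts["keys"]):
        findings.append("private key is encrypted; decrypt it with openssl before upload")
    if parts["client_certs"] and parts["ca_certs"]:
        if parts["client_certs"][0]["issuer"] != parts["ca_certs"][0]["subject"]:
            findings.append("client certificate was not issued by the bundled CA certificate")
    return findings


def credential_files(parts: Dict[str, List[dict]], prefix: str = "tenable") -> Dict[str, str]:
    """{filename: pem} for the three inputs the credential takes (names assumed)."""
    return {f"{prefix}_client.crt": parts["client_certs"][0]["pem"],
            f"{prefix}_client.key": parts["keys"][0]["pem"],
            f"{prefix}_ca.crt": parts["ca_certs"][0]["pem"]}


if __name__ == "__main__":
    parts = split_bundle(SAMPLE_BUNDLE)
    for finding in validate(parts):
        print("WARNING:", finding)
    dn = oracle_external_name(parts["client_certs"][0]["subject"])
    print(f"database user needs: ALTER USER <name> IDENTIFIED EXTERNALLY AS '{dn}';")
    for name, pem in credential_files(parts).items():
        print(f"--- {name}\n{pem}", end="")
```

Running it on the sample produces exactly the warning the Note above anticipates (the key is encrypted) and confirms that the client certificate's issuer matches the CA's subject, which is the DN-level form of the "trusted certificate must sign the client certificate" requirement.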
Tenable Audits Being Retired

Summary
With the release of alternative guidance by CIS, DISA and product vendors, or the End of Life (EOL) of products, a number of Tenable audits are being retired. Where applicable, a suggested replacement audit has been noted.

Removed Tenable Audits

Unix
- TNS IBM WebSphere Application Server 9 Linux
  Replacement: DISA IBM WebSphere Traditional v1r1
- TNS Oracle WebLogic 10 Security Guide Linux
  Replacement: DISA Oracle WebLogic Server 12c v2r1
- TNS Oracle WebLogic 11 Security Guide Linux
  Replacement: DISA Oracle WebLogic Server 12c v2r1

Windows
- DISA STIG Access 2007 v4r9
  Replacement: DISA Office 2010 Access or newer
- DISA STIG Excel 2007 v4r9
  Replacement: DISA Office 2010 Excel or newer
- DISA STIG InfoPath 2007 v4r9
  Replacement: DISA Office 2010 InfoPath or newer
- DISA STIG MS Office Access 2003 v4r3
  Replacement: DISA Office 2010 Access or newer
- DISA STIG MS Office Excel 2003 v4r3
  Replacement: DISA Office 2010 Excel or newer
- DISA STIG MS Office Infopath 2003 v4r3
  Replacement: DISA Office 2010 InfoPath or newer
- DISA STIG MS Office Outlook 2003 v4r3
  Replacement: DISA Office 2010 Outlook or newer
- DISA STIG MS Office PowerPoint 2003 v4r3
  Replacement: DISA Office 2010 PowerPoint or newer
- DISA STIG MS Office Word 2003 v4r3
  Replacement: DISA Office 2010 Word or newer
- DISA STIG OfficeSystem 2007 v4r9
  Replacement: DISA Office System 2010 or newer
- DISA STIG Outlook 2007 v4r9
  Replacement: DISA Office 2010 Outlook or newer
- DISA STIG PowerPoint 2007 v4r9
  Replacement: DISA Office 2010 PowerPoint or newer
- DISA STIG Word 2007 v4r9
  Replacement: DISA Office 2010 Word or newer
- TNS IBM WebSphere Application Server 9 Windows
  Replacement: DISA IBM WebSphere Traditional v1r1
- TNS Oracle WebLogic 10 Security Guide Windows
  Replacement: DISA Oracle WebLogic Server 12c v2r1
- TNS Oracle WebLogic 11 Security Guide Windows
  Replacement: DISA Oracle WebLogic Server 12c v2r1

Juniper
- TNS Juniper ScreenOS Best Practices Audit
  Please see https://support.juniper.net/support/eol/product/netscreen_hw/ for end of life status of NetScreen/ScreenOS products

Target Release Date
January 4, 2022

Additional Notes:
As with any new audit or significant update, the items tested may vary and the results of a scan could be very different. We urge customers to always review and understand the contents of any new audit files before they are implemented in a scan.
New DISA Oracle MySQL 8 STIG v1r1

Summary
Customers with Oracle MySQL 8 instances can now examine their installations' compliance with Tenable's audit files based on the Oracle MySQL 8 DISA STIG v1r1.

DISA STIG
- DISA Oracle MySQL 8 STIG version 1 release 1

Target Release Date
Immediate Release

Additional Notes
The DISA STIG ZIP package found in the "see also" section includes the U_MySQL80Audit.sql.pdf file, which contains example filters that can be created for use with the MySQL Enterprise Audit product to assist in meeting STIG requirements. The STIG is intended for use with MySQL Database version 8.0 installed on a RHEL or CentOS environment.
New CIS Linux 6 v3.0.0 Benchmark

Summary
Customers with Red Hat Enterprise Linux 6, CentOS Linux 6 or Oracle Linux 6 can now examine their installations' compliance with Tenable's audit files. These audits have been certified by CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

CIS Benchmark Audits
- CIS_Red_Hat_EL6_v3.0.0_Server_L1.audit
- CIS_Red_Hat_EL6_v3.0.0_Server_L2.audit
- CIS_Red_Hat_EL6_v3.0.0_Workstation_L1.audit
- CIS_Red_Hat_EL6_v3.0.0_Workstation_L2.audit
- CIS_CentOS_6_v3.0.0_Server_L1.audit
- CIS_CentOS_6_v3.0.0_Server_L2.audit
- CIS_CentOS_6_v3.0.0_Workstation_L1.audit
- CIS_CentOS_6_v3.0.0_Workstation_L2.audit
- CIS_Oracle_Linux_6_v2.0.0_Server_L1.audit
- CIS_Oracle_Linux_6_v2.0.0_Server_L2.audit
- CIS_Oracle_Linux_6_v2.0.0_Workstation_L1.audit
- CIS_Oracle_Linux_6_v2.0.0_Workstation_L2.audit

Target Release Date
Immediate
Use Detected SIDs Setting for Oracle Database

Change
A new subsection is being introduced to the Assessment section of the scan policy specific to Databases, along with a new setting named 'Use detected SIDs' for Oracle Database. When this setting is enabled along with specifying Host credentials and Oracle Database credentials, Nessus will attempt to log on to the scan targets with the Host credentials and retrieve the SIDs locally. These SIDs will then be used to connect to any detected Oracle Net listeners on the scan target using the specified Oracle Database credentials.

Use detected SIDs for Oracle Database setting enabled in Nessus:
[Screenshot of the setting; image not included in this page]

Impact
Since this is a new feature, there should be no impact to users unless they enable the feature in their scan policy. If the feature is enabled, users may see additional detections of Oracle Database, potentially resulting in additional vulnerability reports.

Documentation
- Nessus: https://docs.tenable.com/nessus/Content/AssessmentSettings.htm#Databases
- Tenable.io: https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Scans/AssessmentSettings.htm#Databases

Release Dates
- Nessus - Released
- Tenable.io - Released
- Tenable.sc - Q1 2021

------------------------------------------------------------------------------------------------
Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
Changes to Oracle Linux Ksplice Logic

Plugin
All kernel plugins for Oracle Linux

Target Release Date
Tuesday, September 7th, 2021

Change
We currently check CVEs from a security advisory against a list of Ksplice patches installed on the machine. When a Ksplice patch name contains a CVE, we are able to verify that the CVE was patched on the host. Unfortunately, not all Ksplice patch names contain the CVE they patch, and this was found to generate false positives. Rather than relying on CVEs to be found in Ksplice patch names, we now compare the effective kernel version against the kernel version supplied by Oracle Linux in their OVAL Advisory.

Impact
All Oracle Linux kernel plugins will be affected by this improvement. Customers should see more accurate kernel checks against the effective kernel version, since we will no longer rely on the CVE in the Ksplice patch name.
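The before-and-after logic described in this post, as an added example written for this page and not Tenable's plugin code. The old check looks for the advisory's CVE ids in the installed Ksplice update names; the new check compares the effective kernel version (what Ksplice reports, e.g. via uptrack-uname -r) against the fixed version from the advisory. The Ksplice update names, the CVE ids (CVE-0000-xxxxx placeholders), the kernel versions and the advisory record are all constructed; the version ordering is a simplified rpm-style comparison, which is an assumption about how the real plugins order kernel versions.

```python
"""Old (CVE-in-patch-name) versus new (effective kernel version) logic for
Oracle Linux kernel checks. Added example; all data below is constructed."""
import re
from itertools import zip_longest
from typing import Iterable, List

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_ksplice_names(names: Iterable[str]) -> set:
    """Old approach: a CVE counts as patched only if an installed Ksplice
    update names it."""
    found = set()
    for name in names:
        found.update(CVE_RE.findall(name))
    return found


def vulnerable_by_cve_names(advisory_cves: Iterable[str], names: Iterable[str]) -> bool:
    """Old verdict: vulnerable unless every advisory CVE appears in a name.
    An update that fixes a CVE without naming it yields a false positive."""
    return not set(advisory_cves) <= cves_in_ksplice_names(names)


def _segments(s: str) -> List[str]:
    # rpm-style: compare runs of digits and runs of letters, ignore separators
    return re.findall(r"\d+|[A-Za-z]+", s)


def compare_kernel(a: str, b: str) -> int:
    """Simplified rpm ordering for '5.4.17-2136.320.7.el8uek[.x86_64]':
    strip the arch, compare the version part, then the release part.
    Returns -1, 0 or 1."""
    def strip_arch(v: str) -> str:
        return re.sub(r"\.(x86_64|aarch64|noarch)$", "", v)

    def cmp_part(x: str, y: str) -> int:
        for sx, sy in zip_longest(_segments(x), _segments(y)):
            if sx == sy:
                continue
            if sx is None:
                return -1
            if sy is None:
                return 1
            if sx.isdigit() and sy.isdigit():
                if int(sx) != int(sy):
                    return 1 if int(sx) > int(sy) else -1
            elif sx.isdigit() != sy.isdigit():
                return 1 if sx.isdigit() else -1   # numeric sorts after alpha
            else:
                return 1 if sx > sy else -1
        return 0

    va, _, ra = strip_arch(a).partition("-")
    vb, _, rb = strip_arch(b).partition("-")
    return cmp_part(va, vb) or cmp_part(ra, rb)


def vulnerable_by_effective_version(effective_kernel: str, fixed_kernel: str) -> bool:
    """New verdict: vulnerable only if the effective kernel is older than
    the fixed kernel version named in the OVAL advisory."""
    return compare_kernel(effective_kernel, fixed_kernel) < 0


# Constructed uptrack-show style names: one update names its CVE, one does not.
KSPLICE_UPDATES = [
    "[abcd1234] CVE-0000-00001: Denial-of-service in example subsystem.",
    "[ef567890] Use-after-free in example driver.",   # fixes CVE-0000-00002, unnamed
]
# Constructed advisory record: the CVEs it covers and the kernel that fixes them.
ADVISORY = {"cves": ["CVE-0000-00001", "CVE-0000-00002"],
            "fixed_kernel": "5.4.17-2136.999.0.el8uek"}
EFFECTIVE_KERNEL = "5.4.17-2136.999.0.el8uek.x86_64"   # constructed uptrack-uname -r value

if __name__ == "__main__":
    print("old logic flags host:", vulnerable_by_cve_names(ADVISORY["cves"], KSPLICE_UPDATES))
    print("new logic flags host:", vulnerable_by_effective_version(EFFECTIVE_KERNEL, ADVISORY["fixed_kernel"]))
```

On the constructed host the old logic reports the advisory as unpatched because the second update never names its CVE, while the new logic sees an effective kernel at the fixed version and stays quiet; lower the effective version below the advisory's and both agree the host is vulnerable.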