Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post: Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates. In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS: CVE Product CVSSv3 CVE-2025-30743 Oracle Lease and Finance Management 8.1 CVE-2025-30744 Oracle Mobile Field Service 8.1 CVE-2025-50105 Oracle Universal Work Queue 8.1 CVE-2025-50071 Oracle Applications Framework 6.4 CVE-2025-30746 Oracle iStore 6.1 CVE-2025-30745 Oracle MES for Process Manufacturing 6.1 CVE-2025-50107 Oracle Universal Work Queue 6.1 CVE-2025-30739 Oracle CRM Technical Foundation 5.5 CVE-2025-50090 Oracle Applications Framework 5.4 Cl0p has historically been linked to the exploitation of zero-day vulnerabilities including in managed file transfer platforms, such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and or publish more details on the Tenable Blog.Oracle E-Business Suite Zero-Day Exploited by Cl0p Ransomware Group (CVE-2025-61882)
On October 4, Oracle published a Security Alert Advisory for a zero-day in its E-Business Suite (EBS) solution: CVE Description CVSSv3 CVE-2025-61882 Oracle Concurrent Processing Remote Code Execution Vulnerability 9.8 This vulnerability was reportedly exploited in the wild by the Cl0p ransomware group. It followed earlier reports of extortion emails being sent to EBS customers by the Cl0p ransomware group. Initially, Oracle indicated that attacks used flaws in Oracle’s July 2025 CPU release. For more information about this zero-day vulnerability and associated vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
Oracle JavaVM (OJVM) Detection Update Summary Authenticated...
Oracle JavaVM (OJVM) Detection Update Summary Authenticated scans launched against Oracle database hosts will no longer report Oracle JavaVM (OJVM) patches as missing if the OJVM component is not installed. Change A series of plugins are used to detect Oracle Database patch levels. With local checks enabled plugin 71644 gathers the patch information of the Oracle Databases detected. With remote checks enabled (i.e. authenticating into the Database without authenticating in the OS) it is plugin 45624 that will gather the patch information from the Database. While plugin 71644 alone cannot detect the presence of OJVM, users can leverage plugin 45624 to detect the installation status of that component.This limitation of 71644 results in Oracle CPU plugins reporting missing OJVM patches, despite OJVM not being installed. Although reporting these missing patches follows Oracle’s best-practice guidelines, numerous customers have requested the ability to silence these reports when enabling Oracle Database remote checks in the same scan. Following this update, scans will no longer report OJVM patches as missing if the component is not found as installed by plugin 45624. To achieve this result, scans need to be provided with both OS credentials and Oracle Database credentials, and successful authentication must occur with both sets of credentials. Impact In remote scans, Oracle JavaVM vulnerabilities will only be reported if Oracle JavaVM is installed when scanned with both OS and Oracle Database credentials. This change has no impact on Nessus Agent scans, as remote database connections are no possible. Impacted Plugins 45624 (Oracle RDBMS Host Name and Patch Info) All Oracle CPU plugins pertaining to Oracle Databases. Target Release Date Tuesday, September 19, 2023Oracle October 2025 Critical Patch Update Addresses 170 CVEs
On October 21, Oracle released its Oracle Critical Patch Update Advisory - October 2025, the fourth and final quarterly update of the year. This CPU contains fixes for 170 unique CVEs in 374 security updates across 29 Oracle product families. Out of the 374 security updates published this quarter, 10.7% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.3%, followed by high severity patches at 39.0%. This quarter, the Oracle TimesTen In-Memory Database product family contained the highest number of patches at 73, accounting for 19.5% of the total patches, followed by Oracle Spatial Studio at 64 patches, which accounted for 17.1% of the total patches. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Oracle RDBMS (Database and OJVM) Patch Mapping Improvements...
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements Summary Improvements have been made to how Nessus plugins determine the active version of the Oracle RDMS’s Database and OJVM components. How Patch Mapping Works for Oracle Database Scans Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways: Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials) Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials) Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials) The patch information is stored by the scanner in a temporary database known as the “scratchpad”, for later reference. Plugin ID 71644, "oracle_rdbms_patch_info.nbin", is then run and sets the patch level (version) by checking the detected patches against the mapping in "oracle_database_mappings.inc". Problem This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As this mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. In the event that the target system has no patches installed that match a mapping from "oracle_database_mappings.inc", only the base version is reported (e.g 21.17.0.0.0), possibly resulting in False Positive findings. Improvements As we already have a complete list of installed patches and their descriptions stored in the aforementioned “scratchpad” we have added an additional layer of patch mapping over this. Plugin ID 71644, will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (version) for the Database and OJVM components in its output. Expected Impact Improved accuracy in version detections for Oracle Database and OJVM resulting in less false positives in downstream vulnerability detection plugins Impacted plugins 71644, oracle_rdbms_patch_info.nbin 45624, oracle_rdbms_query_patch_info.nbin Targeted Release Date Monday, April 7, 2025Client Certificate Authentication for Oracle Databases...
Client Certificate Authentication for Oracle Databases Summary Support for x509 client certificate authentication to Oracle databases will be added soon to Tenable vulnerability management and detection products. Change Customers will be able to select a new "Client Certificate" database credential type for Oracle databases. When this credential is equipped with a client certificate, private key and trusted CA certificate it will be used to authenticate vulnerability and compliance scans to Oracle databases. Here is what the new credential type looks like: In order to use X509 certificates to authenticate to an Oracle database, the database and certificates must be properly configured. Product documentation for this feature is incomplete and difficult to find. The following is a list of requirements, which combined with official documentation, should at least contribute to the correct configuration. The trusted certificate in the Oracle Database server's secure wallet must be used to sign the client certificate. The distinguished name of the client certificate must match the external name configured for that user in the database. For example, if the user certificate has a distinguished name "CN=Scott", then the following has to be executed on the target server at some point: alter user Scott identified externally as 'CN=Scott'; The wallet location has to be correctly specified in both sqlnet.ora and listener.ora on the server. The TCPS protocol must be supported in the server configuration. The sqlnet.ora file on the server must have the following settings: SSL_CLIENT_AUTHENTICATION = TRUE DISABLE_OOB = ON More information can be found at: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070, and https://docs.oracle.com/database/121/DBSEG/authentication.htm#DBSEG003 If Oracle client certificates from a client-side Oracle secure wallet are used, they must be extracted individually into PEM encoded files. The following OpenSSL command can be used to unpack a wallet into PEM form: openssl pkcs12 -in ewallet.p12 -out certs.crt At this point the individual client certificate, private key and CA certificate must be individually copied out of certs.crt into individual files using a text editor. These files can then be used to populate the Tenable database credential. Note Some versions of Nessus do not support encrypted private keys. It may be necessary to decrypt your private key using openssl before uploading it to the new database credential. Rest assured, Tenable will never transmit your private key and will always store private keys in an encrypted format. Impact Customers will be able to use X509 client certificates in Tenable vulnerability scans to authenticate to target databases. Affected Components Nessus Professional, T.sc, T.io and other Nessus based products such as Nessus Manager. Target Release Date 19 Jan 2022 - Nessus and Tenable.io
New DISA Oracle Linux 8 STIG audits Summary Customers can...
New DISA Oracle Linux 8 STIG audits Summary Customers can now measure compliance against Oracle Linux 8 using the new DISA Oracle Linux 8 audits. These audits can now be downloaded from Tenable's download portal found at: https://www.tenable.com/downloads/configuration-audit-policies. Tenable Audit Files DISA Oracle Linux 8 STIG v1r1 Target Release Date Immediate Additional Notes: The audits include checks for evaluating Oracle Linux 8 systems. To obtain the latest version of the STIG please visit https://public.cyber.mil/stigs/.
Database CSV Enumeration Expansion Introduction Currently,...
Database CSV Enumeration Expansion Introduction Currently, users have to add each database credential set one at a time and apply each of these credentials to a scan policy. Once the scan is started, each of these credential sets is used to authenticate against each detected database listener possibly resulting in multiple undesirable authentication attempts. In October 2020, an option was introduced to the Oracle Database Credential for Tenable.sc which allows users to specify a CSV file with the Oracle Database authentication settings used for the scan policy. Please refer to the original Release Highlight and Oracle Database credentials documentation for more information. Change The Database CSV enumeration feature is being expanded to the MySQL, MSSQL, and DB2 Database Credentials along with support in Tenable.io and Nessus. The CSV format will depend on the database which is specified below. DB2: target, port, database_name, username, cred_manager MySQL: target, port, database_name, username, cred_manager Oracle: target, port, service_type, service_ID, username, auth_type, cred_manager SQL Server: target, port, instance_name, username, auth_type, cred_manager The only credential manager (cred_manager) supported at this time is ‘CyberArk’. Impact Since this is a new feature, there should be no impact to users unless they add a CSV to a Database Credential in their scan policy. If the CSV file is correctly configured, users should see less credential attempts to database listeners and more accurate detections of the specified database, potentially resulting in additional vulnerability reports. Target Release Dates Tenable.sc : Released in SC 5.17 Nessus : Released in feed Tenable.io : 30 December 2020 ---------------------------------------------------------------------------------------------------- Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.Use Detected SIDs Setting for Oracle Database Change A new...
Use Detected SIDs Setting for Oracle Database Change A new subsection is being introduced to the Assessment section of the scan policy specific to Databases along with a new setting named ‘Use detected SIDs’ for Oracle Database. When this setting is enabled along with specifying Host credentials and Oracle Database credentials, Nessus will attempt to log on to the scan targets with the Host credentials and retrieve the SIDs locally. These SIDs will then be used to connect to any detected Oracle Net listeners on the scan target using the specified Oracle Database credentials. Use detected SIDs for Oracle Database setting enabled in Nessus: Impact Since this is a new feature, there should be no impact to users unless they enable the feature in their scan policy. If the feature is enabled, users may see additional detections of Oracle Database, potentially resulting in additional vulnerability reports. Documentation Nessus: https://docs.tenable.com/nessus/Content/AssessmentSettings.htm#Databases Tenable.io: https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Scans/AssessmentSettings.htm#Databases Release Dates Nessus - Released Tenable.io - Released Tenable.sc - Q1 2021 ------------------------------------------------------------------------------------------------ Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.New CIS Oracle Linux 9 v1.0.0 Audit Files Summary Customers...
New CIS Oracle Linux 9 v1.0.0 Audit Files Summary Customers can now measure compliance against the latest release of the Oracle Linux 9 Benchmark from CIS with the new CIS Oracle Linux 9 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable. Tenable Audit Files CIS Oracle Linux 9 v1.0.0 - Level 1 Server CIS Oracle Linux 9 v1.0.0 - Level 2 Server CIS Oracle Linux 9 v1.0.0 - Level 1 Workstation CIS Oracle Linux 9 v1.0.0 - Level 2 Workstation The audits can be downloaded from the Tenable Audits Portal Target Release Date Immediate
