Research Spotlight: Oracle Patch Auditing

Oracle has implemented a quarterly patch release cycle for its customers. Patches for all Oracle products are released on this schedule, and typically fix dozens of vulnerabilities in their database software, Sun Java (recently acquired) and other enterprise products.. They have a similar rating system to other major vendors (such as Microsoft and Cisco) with regular patch release cycles. Oracle describes the severity of each vulnerability using the Common Vulnerability Scoring System (CVSS): "Access Vector", "Access Complexity", "Authentication", "Confidentiality", "Integrity" and "Availability". It is a great way to categorize vulnerabilities; however, this still leaves you with the important task of scheduling, testing and applying the updates.

Tenable's Research team has added the ability to perform an Oracle patch audit into the Nessus vulnerability scanner. A new plugin was created (oracle_rdbms_query_patch_info.nbin) that logs into an Oracle database and runs a set of queries to determine which patches are missing:

Query 1 - Determines the hostname of the system the database is running on (important when Nessus is testing an Enterprise Manager Grid Controller that contains patch information of other hosts).

Query 2 - This query pulls the installed "PatchID" and the "Oracle_home" it is installed in.

Query 3 - If Nessus found any PatchIDs in Query 2, it looks up all the bugs that were superseded by each PatchID that was found in Query 2.

The patch information comes (continue reading...)