After bringing in an Oracle DB expert to update our Oracle database server, a rescan with Nessus still shows some vulnerabilities.

c:\> cd \Oracle\product\12.1.0.2\dbhome_1\OPatch
c:\> opatch lsinventory
Oracle Interim Patch Installer version 12.2.0.1.8
Copyright (c) 2017, Oracle Corporation. All rights reserved.


Oracle Home : C:\Oracle\product\1210~1.2\dbhome_1
Central Inventory : C:\Program Files\Oracle\Inventory
 from :
OPatch version : 12.2.0.1.8
OUI version : 12.1.0.2.0
Log file location : C:\Oracle\product\1210~1.2\dbhome_1\cfgtoollogs\opatch\opatch2017-03-17_07-42-13AM_1.log

Lsinventory Output file location : C:\Oracle\product\1210~1.2\dbhome_1\cfgtoollogs\opatch\lsinv\lsinventory2017-03-17_07-42-13AM.txt

----------------------------------------------------------------------

Local Machine Information::
Hostname: ORACLE.domain.local
ARU platform id: 233
ARU platform description:: Microsoft Windows (64-bit AMD)

Installed Top-level Products (1):

Oracle Database 12c 12.1.0.2.0
There are 1 products installed in this Oracle Home.
Interim patches (1) :

Patch 25433286 : applied on Thu Mar 16 09:17:26 GMT 2017
Unique Patch ID: 21049556
Patch description: "WINDOWS DB BUNDLE PATCH 12.1.0.2.170228(64bit):25433286"
 Created on 25 Feb 2017, 01:01:38 hrs PST8PDT
 Bugs fixed:
 20669434, 20361140, 21972664, 18934948, 24437510, 19414168, 23260854
...
 24609301, 20995667, 12963364, 20832516, 21899588, 19025195, 19538241
 19162308

----------------------------------------------------------------------


OPatch succeeded.

It has the February patches applied, but Nessus still reports that the server is missing the January patches. Oracle patches are meant to be cumulative, so the February patch should include all of January’s too.

Windows Bundle Patch (BP) patches are cumulative. That is, the content of all previous BPs is included in the latest BP patch.

Looks like we need to wait on Nessus to advise what’s going on here, as Oracle seem to have changed their patching mechanism and this could be a false positive. Not being an Oracle expert by any stretch of the imagination, I’m stuck until someone can advise me better.

Severity Plugin Id Name
Critical (10.0) 86576 Oracle Database Multiple Vulnerabilities (October 2015 CPU)
High (9.0) 80906 Oracle Database Multiple Vulnerabilities (January 2015 CPU)
High (9.0) 82903 Oracle Database Multiple Vulnerabilities (April 2015 CPU)
High (9.0) 84822 Oracle Database Multiple Vulnerabilities (July 2015 CPU)
High (9.0) 88146 Oracle Database Multiple Vulnerabilities (January 2016 CPU)
High (9.0) 94201 Oracle Database Multiple Vulnerabilities (October 2016 CPU)
High (8.5) 92522 Oracle Database Multiple Vulnerabilities (July 2016 CPU) (FREAK)
High (8.5) 96611 Oracle Database Multiple Vulnerabilities (January 2017 CPU)
High (7.6) 90762 Oracle Database Multiple Vulnerabilities (April 2016 CPU)

c:\> opatch lspatches
25433286;WINDOWS DB BUNDLE PATCH 12.1.0.2.170228(64bit):25433286

The patches are located in the Oracle home under .patch_storage, e.g. C:\Oracle\product\12.1.0.2\dbhome_1\.patch_storage

For more details about what’s been fixed:

c:\> opatch lsinventory -bugs_fixed
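To apply the cumulative-BP argument above systematically rather than by eye, the following added example (not part of the original post) parses the `opatch lspatches` output shown earlier, pulls the release date out of the bundle patch version string (12.1.0.2.170228 encodes 2017-02-28), and marks each Nessus "(Month Year CPU)" finding as covered when the latest applied BP is from that month or later. The Nessus finding list is a constructed sample taken from the table above; comparing by month is an assumption made because the plugin names only carry month granularity.

```python
import re
from datetime import date

# Constructed sample: the `opatch lspatches` line from the post's own session.
LSPATCHES_OUTPUT = "25433286;WINDOWS DB BUNDLE PATCH 12.1.0.2.170228(64bit):25433286\n"

# Constructed sample: (plugin id, plugin name) pairs from the Nessus table in the post.
NESSUS_FINDINGS = [
    (96611, "Oracle Database Multiple Vulnerabilities (January 2017 CPU)"),
    (94201, "Oracle Database Multiple Vulnerabilities (October 2016 CPU)"),
    (92522, "Oracle Database Multiple Vulnerabilities (July 2016 CPU) (FREAK)"),
]

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

def parse_lspatches(text):
    """Return {patch_id: description} from `opatch lspatches` lines of the form id;description."""
    patches = {}
    for line in text.splitlines():
        if ";" in line:
            pid, desc = line.split(";", 1)
            patches[int(pid)] = desc.strip()
    return patches

def bundle_release_date(description):
    """Extract the YYMMDD release date from a BP version such as 12.1.0.2.170228."""
    m = re.search(r"\b\d+\.\d+\.\d+\.\d+\.(\d{2})(\d{2})(\d{2})\b", description)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(2000 + yy, mm, dd)

def cpu_month(plugin_name):
    """Return (year, month) from a plugin name containing '(<Month> <Year> CPU)'."""
    m = re.search(r"\((\w+) (\d{4}) CPU\)", plugin_name)
    return (int(m.group(2)), MONTHS[m.group(1)]) if m else None

def cpu_covered(plugin_name, applied_bp_date):
    """Windows BPs are cumulative, so a BP from the CPU's month or later includes its fixes.
    Month granularity is an assumption driven by the Nessus plugin names."""
    ym = cpu_month(plugin_name)
    return ym is not None and (applied_bp_date.year, applied_bp_date.month) >= ym

def triage(lspatches_text, findings):
    """Map each Nessus plugin id to True if the newest applied BP should already cover it."""
    dates = [d for d in map(bundle_release_date, parse_lspatches(lspatches_text).values()) if d]
    if not dates:
        return {pid: False for pid, _ in findings}
    latest = max(dates)
    return {pid: cpu_covered(name, latest) for pid, name in findings}
```

A finding that comes back True here while Nessus still flags it is the false-positive case the post suspects; one that comes back False points at a genuinely missing patch.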

References

https://www.pythian.com/blog/oracle-database-12c-psus-vs-database-proactive-bundle-patches/

https://blogs.oracle.com/UPGRADE/entry/can_i_apply_a_bp
