Research Spotlight: Oracle Patch Auditing
Oracle has implemented a quarterly patch release cycle for its customers. Patches for all Oracle products are released on this schedule, and typically fix dozens of vulnerabilities in its database software, Sun Java (recently acquired) and other enterprise products. Oracle uses a rating system similar to those of other major vendors with regular patch release cycles (such as Microsoft and Cisco): the severity of each vulnerability is described using the Common Vulnerability Scoring System (CVSS) metrics "Access Vector", "Access Complexity", "Authentication", "Confidentiality", "Integrity" and "Availability". This is a great way to categorize vulnerabilities; however, it still leaves you with the important task of scheduling, testing and applying the updates.
Tenable's Research team has added the ability to perform an Oracle patch audit into the Nessus vulnerability scanner. A new plugin was created (oracle_rdbms_query_patch_info.nbin) that logs into an Oracle database and runs a set of queries to determine which patches are missing:
- Query 1 - Determines the hostname of the system the database is running on (important when Nessus is testing an Enterprise Manager Grid Controller that contains patch information of other hosts).
- Query 2 - Pulls each installed "PatchID" and the "Oracle_home" it is installed in.
- Query 3 - If Query 2 returned any PatchIDs, looks up all the bugs that were superseded by each of those PatchIDs.
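The audit logic that these three query results feed, as an added example that is not Tenable's plugin code. Every row below is a constructed stand-in for a query result; the host names, ORACLE_HOME paths, patch ids and bug numbers are placeholders, and the set of bugs a CPU is expected to fix is assumed:

```python
"""
Added example, not Tenable's plugin: models the audit logic fed by the three
queries above. Every row is a constructed stand-in; patch ids, bug numbers,
hosts and homes are placeholders.
"""

# Constructed result of Query 1: the host the scanned database runs on.
TARGET_HOST = "db01.example.internal"

# Constructed result of Query 2 as (host, oracle_home, patch_id). A Grid
# Controller repository also holds rows for other hosts, hence the host column.
APPLIED_PATCHES = [
    ("db01.example.internal", "/u01/app/oracle/product/10.2.0/db_1", "PATCH-A"),
    ("db01.example.internal", "/u01/app/oracle/product/10.2.0/db_1", "PATCH-B"),
    ("db02.example.internal", "/u01/app/oracle/product/10.2.0/db_1", "PATCH-C"),
]

# Constructed result of Query 3 as (patch_id, superseded_bug).
SUPERSEDED_BUGS = [
    ("PATCH-A", "BUG-1001"),
    ("PATCH-A", "BUG-1002"),
    ("PATCH-B", "BUG-1003"),
    ("PATCH-C", "BUG-1004"),  # applied only on db02; must not count for db01
]

# Placeholder: bugs a hypothetical Critical Patch Update is expected to fix.
CPU_REQUIRED_BUGS = {"BUG-1001", "BUG-1002", "BUG-1003", "BUG-1004"}

def installed_patches(rows, host):
    """Patch ids applied on `host`, grouped by ORACLE_HOME; other hosts ignored."""
    homes = {}
    for row_host, home, patch in rows:
        if row_host == host:
            homes.setdefault(home, set()).add(patch)
    return homes

def fixed_bugs(patches, superseded):
    """Bugs superseded by any of the given patch ids."""
    return {bug for patch, bug in superseded if patch in patches}

def audit(host, applied, superseded, required):
    """Map each ORACLE_HOME on `host` to the required bugs it still lacks."""
    homes = installed_patches(applied, host)
    if not homes:  # Query 2 returned nothing for this host: everything is missing
        return {"(no ORACLE_HOME recorded)": sorted(required)}
    return {home: sorted(required - fixed_bugs(patches, superseded))
            for home, patches in homes.items()}
```

Filtering on the host from Query 1 is what keeps a patch applied on a different host in the Grid Controller repository from being counted as applied on the scanned database.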
The patch information comes from the same tables that are used by Oracle Enterprise Manager and Oracle Enterprise Manager Grid Controller for patch management.
Oracle patch auditing requires credentials to the database, which can be entered into Nessus on the "Preferences" tab by choosing "Database settings":
The patch auditing queries require the use of the "sysman" Oracle account or an account with equivalent privileges. As with other Oracle plugins, the SID of the database is required. The Oracle database must be Oracle 10 at a minimum (the tables queried by this plugin are not available in Oracle 9). Nessus can currently check for Oracle patches on 32- or 64-bit Windows, Linux/Unix, HP-UX, IBM/AIX and Mac OS X Server.
When you query an Oracle database that has no patches installed, you will see output as shown below:
As patches are applied, the plugin will audit which patches have been applied, producing the following output:
If a "CPU" (Critical Patch Update) is missing, Nessus will also detect the missing updates (using separate plugins) and produce an alert:
It is no secret that databases contain information that can be labeled "critical" or "sensitive". From an attacker's perspective, this is one of the most profitable areas to target. Information such as credit card numbers, Social Security numbers or proprietary information commands a high value on the black market and is widely sought after by attackers. While databases can be very complex, careful planning and execution of updates and patches is a critical task that removes software vulnerabilities before would-be attackers can exploit them. Nessus provides extra insurance and allows you to audit your databases (including others such as SQL Server, DB2 and more) to be absolutely certain that all relevant patches have been applied. Besides patch audits, Tenable offers several other forms of Oracle security auditing, including:
- Nessus audits Oracle SQL settings against DISA STIG and CIS standards
- The PVS and LCE can be used to perform Database Activity Monitoring
- Oracle patching, scanning and Database Activity Monitoring are all managed with the Tenable SecurityCenter
Contributions to this post were made by Luke Tamagna-Darr, Tenable security researcher and primary author of the Oracle patch auditing plugins.