Question & Answer
Question
We have two Oracle database servers. One of them, with SAP on Oracle, is seeing the error 'Unsupported CVE database patch detected' when we run VA. What does the error mean? How do we rectify it?
Cause
Here is the error example when VA runs on Oracle 11.1.0.7:
The same Oracle version 11.1.0.7 and this one has no error:
For Oracle 12c, you may see the same error in a different form:
CVE-2016-3454
Test category: Conf. Severity: Major
Unspecified vulnerability in the Java VM component in Oracle Database
Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors.
Ext. Reference: CVE-2016-3454
Unsupported CVE database patch detected CVE-2016-3454 patch was not
detected for ORACLE 12.1.0.2.0 PATCH0.
Recommendation:
Oracle VA
Datasource type: ORACLE Severity: Low
Answer
You are seeing the error because Guardium, at the time of writing, does not correctly verify non-native Oracle patches. The Oracle version is tied to SAP (in this case "SBP 11.2.0.4160119"), which is not a standard Oracle patch. The patch is downloaded through the SAP applications themselves and is not properly recorded in the Oracle patch history (SYS.REGISTRY$HISTORY), which is the source Guardium reads to identify the different variations of Oracle patches.
To avoid the error, the non-standard patch number must be made available in SYS.REGISTRY$HISTORY.
Workarounds:
1. Have SAP populate the SYS.REGISTRY$HISTORY table just as Oracle does.
2. Have the Oracle DBA update or create a record in SYS.REGISTRY$HISTORY using exactly the same convention as Oracle.
MANUALLY CREATE A RECORD
Oracle 11 and 12.1.0.1 insert
--Database Patch insert example
INSERT INTO "SYS"."REGISTRY$HISTORY" VALUES (sysdate, 'APPLY', 'SERVER','11.2.0.4', 160419, 'PSU 11.2.0.4.160419', 'PSU');
--OJVM Patch insert example
INSERT INTO SYS.REGISTRY$HISTORY (action_time, action, namespace, version, id, comments) values(SYSTIMESTAMP, 'jvmpsu.sql', 'SERVER', '11.2.0.4.160419OJVMPSU', 99, 'RAN jvmpsu.sql');
Oracle 12.1.0.2 and higher releases insert
--Database Patch insert example
INSERT INTO DBA_REGISTRY_SQLPATCH VALUES (22291127, 19694308, '12.1.0.2', 'NB', 'APPLY', 'SUCCESS', SYSDATE, 'Database Patch Set Update : 12.1.0.2.160419 (22291127)', 'PSU', 160419, NULL, NULL);
--OJVM Patch insert example
INSERT INTO DBA_REGISTRY_SQLPATCH VALUES (22674709, 20057886, '12.1.0.2', 'UJJ', 'APPLY', 'SUCCESS', SYSDATE, 'Database PSU 12.1.0.2.160419, Oracle JavaVM Component (Apr2016)', NULL, NULL, NULL, NULL);
This creates a record just as Oracle would and keeps the patch history consistent. The Guardium CVE and patch tests will then treat it like any other Oracle patch.
Note: This must be done each time the Oracle DBA patches the database. The DBA has to substitute the correct values each time after applying the SAP Oracle patches.
Only then will you get accurate CVE and patch tests with no errors.
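A check to run before and after the manual insert, so the DBA can confirm what the patch history actually contains before rerunning VA. This is an added example, not IBM's or Oracle's code; the version and bundle values are the sample values from the inserts above and must be replaced with those of the patch really applied, and the column names for DBA_REGISTRY_SQLPATCH assume the 12.1.0.2 layout.

```sql
-- Added example: verify the patch-history rows described in this document.
-- Run as a DBA account that can read SYS objects.

-- Oracle 11 and 12.1.0.1: list what is recorded, newest first.
SELECT TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI:SS') AS recorded_at,
       action, namespace, version, id, comments
FROM   sys.registry$history
ORDER  BY action_time DESC;

-- Oracle 11 and 12.1.0.1: is the expected PSU row present?
-- '11.2.0.4' and 160419 are the sample values from the insert example.
SELECT CASE WHEN COUNT(*) > 0 THEN 'RECORDED' ELSE 'MISSING' END AS psu_record
FROM   sys.registry$history
WHERE  namespace = 'SERVER'
AND    version   = '11.2.0.4'
AND    id        = 160419;

-- Oracle 11 and 12.1.0.1: is the OJVM row present?
-- The version string is the sample value from the OJVM insert example.
SELECT CASE WHEN COUNT(*) > 0 THEN 'RECORDED' ELSE 'MISSING' END AS ojvm_record
FROM   sys.registry$history
WHERE  namespace = 'SERVER'
AND    version   = '11.2.0.4.160419OJVMPSU';

-- Oracle 12.1.0.2 and higher: list SQL patch records, newest first.
SELECT patch_id, version, action, status,
       TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI:SS') AS recorded_at,
       bundle_series, bundle_id, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- Oracle 12.1.0.2 and higher: is the expected PSU applied successfully?
-- 22291127 is the sample patch_id from the insert example.
SELECT CASE WHEN COUNT(*) > 0 THEN 'RECORDED' ELSE 'MISSING' END AS psu_record
FROM   dba_registry_sqlpatch
WHERE  patch_id = 22291127
AND    action   = 'APPLY'
AND    status   = 'SUCCESS';
```

Saving the output with the change record for each patch cycle documents which history rows were created by hand and with what values.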
Document Information
Modified date: 16 June 2018
UID: swg21985688