IBM Support

What does 'Unsupported CVE database patch detected' mean?

Question & Answer


Question

We have two Oracle database servers. One of them, with SAP on Oracle, is seeing the error 'Unsupported CVE database patch detected' when we run VA. What does the error mean? How do we rectify it?

Cause


Here is the error example when VA runs on Oracle 11.1.0.7:


A server on the same Oracle version 11.1.0.7 that shows no error:


For Oracle 12c, you may see the same error in a different form:


    CVE-2016-3454
    Test category: Conf.   Severity: Major
    Unspecified vulnerability in the Java VM component in Oracle Database
    Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to
    affect confidentiality, integrity, and availability via unknown vectors.
    Ext. Reference: CVE-2016-3454
    Unsupported CVE database patch detected     CVE-2016-3454 patch was not
    detected for ORACLE 12.1.0.2.0 PATCH0.

    Recommendation:
    Oracle VA
    Datasource type: ORACLE   Severity: Low

Answer


You see this error because Guardium, at the time of writing, does not correctly verify non-native Oracle patches. In this case the Oracle version is tied to SAP ("SBP 11.2.0.4160119"), which is not a standard Oracle patch. The patch is downloadable using SAP applications. It is not properly recorded in the Oracle patch history (SYS.REGISTRY$HISTORY), which is the source Guardium reads to identify the different variations of Oracle patches.

To avoid the error, the non-standard patch number needs to be made available in SYS.REGISTRY$HISTORY.

Workarounds:

1. Have SAP populate the SYS.REGISTRY$HISTORY table just as Oracle does.

2. The Oracle DBA can update or create a record in SYS.REGISTRY$HISTORY using the exact convention that Oracle uses.


    MANUALLY CREATE A RECORD

      Oracle 11 and 12.1.0.1 insert


        --Database Patch insert example

          INSERT INTO "SYS"."REGISTRY$HISTORY" VALUES (sysdate, 'APPLY', 'SERVER','11.2.0.4', 160419, 'PSU 11.2.0.4.160419', 'PSU');

        --OJVM Patch insert example

          INSERT INTO SYS.REGISTRY$HISTORY (action_time, action, namespace, version, id, comments) values(SYSTIMESTAMP, 'jvmpsu.sql', 'SERVER', '11.2.0.4.160419OJVMPSU', 99, 'RAN jvmpsu.sql');



      Oracle 12.1.0.2 and higher release insert


        --Database Patch insert example

          INSERT INTO DBA_REGISTRY_SQLPATCH VALUES (22291127, 19694308, '12.1.0.2', 'NB', 'APPLY', 'SUCCESS', SYSDATE, 'Database Patch Set Update : 12.1.0.2.160419 (22291127)', 'PSU', 160419, NULL, NULL);



        --OJVM Patch insert example

          INSERT INTO DBA_REGISTRY_SQLPATCH VALUES (22674709, 20057886, '12.1.0.2', 'UJJ', 'APPLY', 'SUCCESS', SYSDATE, 'Database PSU 12.1.0.2.160419, Oracle JavaVM Component (Apr2016)', NULL, NULL, NULL, NULL);


    This creates a record just as Oracle would and keeps the patch history consistent. The Guardium CVE and patch tests then work as they do for any Oracle patch.

    Note: This must be done each time after the Oracle DBA patches the database. The DBA has to substitute the correct values each time after applying the SAP Oracle patches.

    Only then will you get accurate CVE and patch test results with no errors.
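To confirm what the patch history contains before and after the manual insert, a DBA can query the same sources named above. This is an added example, not IBM's or Oracle's own script; the filter values are the April 2016 sample values from the inserts above and are assumptions to be replaced with those of the patch actually applied.

```sql
-- Added example (not from IBM or Oracle). Run in a session that can read
-- the SYS registry objects, for example as SYSDBA.

-- Oracle 11 and 12.1.0.1: list what is recorded in SYS.REGISTRY$HISTORY.
-- A patch that was never registered here has no row, which is what the
-- CVE and patch tests then report as not detected.
SELECT action_time, action, namespace, version, id, comments
  FROM sys.registry$history
 ORDER BY action_time;

-- After the manual inserts: each count should be exactly 1.
-- 0 means the row is missing or the insert was not committed (other
-- sessions cannot see uncommitted rows); more than 1 means the insert
-- was repeated.
SELECT COUNT(*) AS psu_rows
  FROM sys.registry$history
 WHERE namespace = 'SERVER'
   AND comments  = 'PSU 11.2.0.4.160419';      -- sample value from above

SELECT COUNT(*) AS ojvm_rows
  FROM sys.registry$history
 WHERE namespace = 'SERVER'
   AND version   = '11.2.0.4.160419OJVMPSU';   -- sample value from above

-- Oracle 12.1.0.2 and higher: the same check against DBA_REGISTRY_SQLPATCH.
SELECT patch_id, patch_uid, version, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time;

-- Expect 2: one Database PSU row and one OJVM row, both APPLY / SUCCESS.
SELECT COUNT(*) AS sqlpatch_rows
  FROM dba_registry_sqlpatch
 WHERE patch_id IN (22291127, 22674709)        -- sample values from above
   AND action = 'APPLY'
   AND status = 'SUCCESS';
```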

Product: IBM Security Guardium. Component: Guardium Database Activity Monitor. Platform: Linux. Version: 10.0; 10.0.1; 10.1; 9.0; 9.1; 9.5. Business Unit: IBM Software w/o TPS. Line of Business: Security Software.

Document Information

Modified date:
16 June 2018

UID

swg21985688