3 Replies Latest reply: May 1, 2013 10:29 AM by cgrim RSS

    Issue with Oracle False Positives?

    dieder15

      I have a problem with MVM reporting Oracle false positives and identifying High vulnerabilities with databases when in fact they are not vulnerable at all.

       

      For example:

       

      CVE-2010-0860 - Oracle Database Core RDBMS Component Vulnerability

       

      Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to the Create User privilege.

       

       

      When the scan runs and checks the response from the system for this vulnerability my system returns the DB version as 10.2.0.3 to MVM which is not vulnerable to this CVE but MVM still reports it in the scan results as being a High vulnerability which does not make sense since the system is not vulnerable. Is this normal or is it something that should be reported to McAfee for a fix, solution or workaround?

       

      Thanks for any responses or help on this.

        • 1. Re: Issue with Oracle False Positives?

          Hi dieder15,

           

          You might have an older version of that script.  I can see the script was updated on April-5th, and the documentation actually now says:

           

          An unspecified vulnerability exists in the core RDBMS component for some versions of Oracle Database that allows malicious remote network traffic to affect the confidentiality,integrity, and availability of a target system.

           

          Which is slightly different than what you quoted, and that is why I think you have an older (possibly FP prone) version of the script.

           

          Can you make sure to run FSUPdate to get the latest FSL Content Package, and re-scan to confirm.

           

          If you still see the issue, follow the instructions here (https://kc.mcafee.com/corporate/index?page=content&id=KB55996)  to run FSDiag using the script (misc-oracle-core-rdbms-component-vuln-CVE-2010-0860.fasl3), and open a Service Request to address it.

           

          I hope that helps!
          Cathy

          • 2. Re: Issue with Oracle False Positives?
            dieder15

            HI Cathy:

             

            Thanks for your reply, I checked and the FSL contect packages are up to date and have the same observation as what you specified above. What I originally quoted was the vulnerability details from the NIST site (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0860) when you click the CVE link in the Vulnerability Details from the scan. The NIST site lists the affected versions for this vulnerability which does not list our version - 10.2.0.3

             

            I guess opening a Service Request would be the next step to have it addressed?

             

            Thanks,

             

            Mike

            • 3. Re: Issue with Oracle False Positives?

              Hi Mike,

               

              Yes, run FSDiag using the tool+instructions in the link I gave above, and attach the results to the Service Request.  If it's a real FP, they are usually pretty quick to fix them.

               

              Have a great day!
              Cathy