Oracle Database QIDs - Confirmed vs Potential

Whether a database QID is reported as a confirmed vulnerability or a potential vulnerability is decided by the authentication status of the scan. Depending on the outcome of authentication, the QID is reported either as potential (yellow) or as confirmed (red).

Consider an authenticated scan of an Oracle database. If authentication succeeds and the vulnerability is detected, the QID is reported as confirmed (red). If authentication fails, the QID is reported as a potential (yellow) vulnerability.

The following table lists the possible outcomes of the two factors that decide how a database QID is reported, OS authentication and database authentication, and the status reported for each outcome.

Authentication Type/Status                    QID Reported As
Remote Scan - No Authentication               POTENTIAL (yellow)
Internal Scan - No Authentication             POTENTIAL (yellow)
OS Authentication Failed                      POTENTIAL (yellow)
OS Authentication Successful                  POTENTIAL (yellow)
Database Authentication Failed                POTENTIAL (yellow)
Database Authentication Successful            CONFIRMED (red)
OS and Database Authentication Successful     CONFIRMED (red), since DB authentication succeeded

To evaluate whether patches are present, use both OS and Oracle DB authentication. When both authentication types are configured and both succeed during the scan, a missing patch is reported as a Confirmed (red) vulnerability.
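The reason database authentication is what turns a finding from potential into confirmed is that the patch state of a running Oracle instance is only visible from inside the database. The queries below are an added example, not Qualys's own detection logic or any code from the original article; they show the kind of evidence a scanner can only collect after a successful DB login. They assume an Oracle 12c or later database and a scan account with SELECT access to the DBA_REGISTRY_SQLPATCH view (for example via SELECT_CATALOG_ROLE). The patch ID 12345678 is a placeholder, not a real patch number.

```sql
-- Added example (not from the Qualys article): evidence available only with DB authentication.
-- Assumes Oracle 12c+ and an account that can read DBA_REGISTRY_SQLPATCH (e.g. SELECT_CATALOG_ROLE).

-- 1. Version and release update as reported by the database itself.
--    BANNER_FULL exists from 18c; on older releases select BANNER instead.
SELECT banner_full
  FROM v$version;

-- 2. Patches that datapatch has actually applied to THIS database.
--    An OS-level inventory (opatch under ORACLE_HOME) only shows what is installed
--    in the home, not whether the SQL portion was applied to the instance being scanned.
SELECT patch_id,
       patch_uid,
       action,
       status,
       action_time,
       description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 3. Check one specific patch from an advisory. 12345678 is a placeholder patch ID.
--    Only a successful APPLY counts; a ROLLBACK or a run that ended WITH ERRORS does not.
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'NOT APPLIED'
         ELSE 'APPLIED'
       END AS patch_state
  FROM dba_registry_sqlpatch
 WHERE patch_id = 12345678
   AND action   = 'APPLY'
   AND status   = 'SUCCESS';
```

If the scan account cannot log in, none of these results exist and the scanner can only infer exposure from the version string, which is why every row of the table without a successful database authentication stays at Potential. The OS-side inventory is still worth collecting (it tells you what is staged in ORACLE_HOME), but on its own it does not prove the patch took effect in the instance, which matches the table's OS-only row.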