We are beginning to scan databases for the first time here, and weren't sure really what we would see for results. We worked with the DBA team to get an authentication account set up, and then scanned a database in dev first. The results showed a couple things that apparently are cause for concern:
1) The report showed a bunch of patches missing for Oracle 12c, but this was an 11g database and thus not applicable. Since it already showed the missing patches for 11g (more on that below), unsure why it would show 12c as well.
2) The report showed that they basically hadn't patched at all. In the numbering sequence of Oracle patches, it went all the way back to the first patch for 11g as missing, which was released in January of 2014. However, the team states they definitely do patch and they have an Oracle engineer assist them each time through the long process to do so. They haven't yet put in the October 2017 patch, but they've installed all the previous. This is obviously a huge discrepancy.
Does anybody have any experience with vulnerability scanning of databases and have any idea what could be causing such issues? Obviously as long as these errors are present, we won't be doing any further scanning of other databases, and we really want to expand our scanning footprint.