Oracle Cloud Infrastructure Vulnerability Scanning Servicehelps improve your security posture by routinely checking hosts and container images for potential vulnerabilities. The service gives developers, operations, and security administrators comprehensive visibility into misconfigured or vulnerable resources, and generates reports with metrics and details about these vulnerabilities including remediation information.
Tip
Watch a video introduction to the service.
All Vulnerability Scanning resources and reports are regional, but scan results are also visible as problems in your Cloud Guard global reporting region.
The Vulnerability Scanning service identifies vulnerabilities in the following resources:
- Computeinstances (also known as hosts)
- Container Registry images
The Vulnerability Scanning service can identify several types of security issues:
- Ports that are unintentionally left open might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.
- OS packages that require updates and patches to address vulnerabilities.
- OS configurations that hackers might exploit.
- Industry-standard benchmarks published by the Center for Internet Security (CIS).
The Vulnerability Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.
- Vulnerabilities in third-party applications such as
log4j
andspring4shell
.
Note
Oracle Cloud Infrastructure Vulnerability Scanning Service can help you quickly correct vulnerabilities and exposures, but the service isn’t a Payment Card Industry (PCI) compliant scanner. Don’t use the Vulnerability Scanning service to meet PCI compliance requirements.
The Vulnerability Scanning service only supports Compute instances, or container images, created from supported platform images. Scanning isn’t available for any image with the label end of support.
To scan Compute instances for vulnerabilities, the instance must use an image that supports Oracle Cloud Agent. Port scanning on an instance's public IP address doesn’t require an agent.
Note
Vulnerability Scanning host and container image scans might pick up CVE results from other unsupported operating systems. The results are only covered by NVD data, and can be missing CVEs, or have other false positives. We don't support these other operating systems so use these results with caution.
The Vulnerability Scanning service detects vulnerabilities in the following platforms and using the following vulnerability sources.
Platform | National Vulnerability Database (NVD) | Open Vulnerability and Assessment Language (OVAL) | Center for Internet Security (CIS) |
---|---|---|---|
Oracle Linux | Yes | Yes | Yes |
CentOS | Yes | Yes | Yes |
Ubuntu | Yes | Yes | Yes |
Windows | Yes | No | No |
Note
Because Windows scanning doesn’t include OVAL data, we don't recommend you rely solely on Oracle Cloud Infrastructure Vulnerability Scanning Service to ensure that your Windows instances are up-to-date and secure.
Note
We don't recommend using the Vulnerability Scanning service to identify issues in Virtual Machine DB Systems, and then modifying the OS to address each issue. Instead, follow the instructions at Updating a DB System to apply the latest security updates to the OS.
Note
You can't use the Vulnerability Scanning service on hosts that weren't created directly with the Compute service, such as Exadata Database Service on Dedicated Infrastructure or the Database service. Use the features provided with those services to ensure that hosts have the latest security updates.
The Vulnerability Scanning service supports the following target options:
- Individual Compute instances
- All Compute instances within a compartment and its subcompartments.
If you configure the Vulnerability Scanning service at the root compartment, then all Compute instances in the entire tenancy are scanned.
- Images within a Container Registry repository