Oracle CPU vulnerabilities and Database Proactive Bundle Patch

Question

I've applied the latest Oracle 12c Database Proactive Bundle Patch (DBBP).

My security team runs scans and April 2015 CPU (amongst other CPUs) continues to show up as vulnerabilities.

I need to prove that DBBP is a cumulative patch and all those old vulnerabilities are fixed.

sys.registry$history doesn't help

select ACTION,NAMESPACE,COMMENTS from registry$history;
ACTION                    NAMESPACE    VERSION     COMMENTS
------------------------- ------------ ------------------------
UPGRADE                   SERVER        12.2.0.1.0 Upgraded from 12.1.0.2.0

opatch lsinventory -bugs_fixed or opatch lsinventory -details isn't giving me what I want.

How can I find out what vulnerabilities are in April 2015 CPU and prove that DBBP has mitigated them???

Answer 1

The key word you're looking for is "cumulative".

Note 1962125.1 (Oracle Database - Overview of Database Patch Delivery Methods), includes this text about Bundle Patches:

Bundle Patch (BP)
- a cumulative collection of fixes to address bugs in a given feature, product, or configuration
     For example: Windows Database Bundle Patch, Database Patch for Exadata, Database Proactive Bundle Patch
- a superset of PSU

So that's all you should need to provide! BPs include all patches previously included in earlier BPs/PSUs.