Changes in This Release for Oracle Database Security Assessment Tool

The Oracle Database Security Assessment Tool 4.2 (March 2026) release has been updated to detect CVEs from the latest Critical Patch Update for Oracle Database versions 19c, 21c, and 26ai.

The Oracle Database Security Assessment Tool supports Oracle AI Database 26ai and Oracle Autonomous AI Databases.

• Updated sections/checks:

  INFO.PATCH: Enhanced with CVE detection for comprehensive vulnerability assessment.

• General:

  • Secure Authentication: Oracle recommends that you use a secure method to run the Oracle Database Security Assessment Tool (DBSAT), and avoid entering the authentication password on the command line. DBSAT now issues a warning message to encourage secure authentication.

    The command-line password based authentication method is now deprecated and will be desupported in a future release.

  • Oracle JRE Requirement: Oracle Java Runtime Environment (Oracle JRE) 17 (Oracle JDK 17) is now the minimum prerequisite.

  • Best Practices Terminology: "Oracle Best Practices (OBP)" findings are now labeled "Oracle Recommended Practices (ORP)".

Downloading and Installing Oracle Database Security Assessment Tool

• To download the Oracle Database Security Assessment Tool, visit oracle.com, and click the Download DBSAT link. Alternatively, go to My Oracle Support Doc ID 2138254.1.

• See Installing the Database Security Assessment Tool for information about completing the installation of Database Security Assessment Tool.

Known Issues

Microsoft Excel Font Size Display

Some versions of Microsoft Excel may display text on the screen with a font too large to fit in spreadsheet cells, even though it prints at the correct size output. If this happens, resize the columns slightly to make the text visible.

DBSAT Reporter Warning

The DBSAT Reporter is supported only with Oracle JDK. Running the tool with a non-Oracle JDK distribution may result in the following warning message:

[engine] WARNING: Unable to load the TruffleAttach library.
As a result, the optimized Truffle runtime is unavailable, and Truffle 
cannot provide native access to languages and tools.
To customize the behavior of this warning, use the 
'polyglotimpl.AttachLibraryFailureAction' system property.
DBSAT Reporter ran successfully.

Running DBSAT with a non-Oracle JDK may complete successfully but produce a warning. You can ignore this warning if the execution completes successfully. However, certain features and optimizations may be limited. To ensure full support and optimal functionality, Oracle recommends that you run DBSAT using the supported Oracle JDK 17 or later.

---

Title and Copyright Information

Oracle Database Security Assessment Tool Release Notes, Release 4.2

G50298-02

Copyright ©2025,2026,

Oracle and/or its affiliates.

Primary Authors: Ramya P, Prakash Jashnani, Jim Womack

Contributors: Anant Bhasu, Abhinav Singh, Gopal Mulagund, Pedro Lopes, Shyamsundar KG, Vivek PV