Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Oracle Security Summary

Hi Folks,

Here is an Oracle Security Summary:

Alexandre has published some PoC code for CVE-2009-1991 at http://dsecrg.com/pages/vul/show.php?id=110.

The new UKOUG SCENE Journal has been published with an emphasis on “Security in the City”, and UKOUG have kindly highlighted an article of mine on Database Application Monitoring systems used for financial transparency. The main thrust of the article was that Oracle’s own auditing systems run as the oracle unix user, so they are exposed to buffer overflows, OS access via utl_file and Java, and DBA actions carried out using the oracle unix account.

The benefit of Sentrigo HH is that it runs as a separate user from Oracle, so it cannot be reached as easily either by an attacker’s code or by DBA/dev staff. In other words, it is not vulnerable to the type of audit trail tampering shown below.

SQL> call javaos('rm /u01/app/oracle/admin/orcl/adump/ora_563.aud');
Call completed.

The above is basic Java DB-to-OS functionality, and given the unreliability of the Aurora JVM it is worth both taking action to defend against this and providing assurance via a DAMS system. More to come on this, and on the Metalink article Doc ID 787878.1 that I mentioned last week at SEC520.
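As an added example (not code from the post or from Sentrigo), here is the kind of check a DAMS-style monitor run from an OS account other than oracle can make: it snapshots the adump directory and reports audit files that have since been deleted, truncated, or rewritten in place. The directory, file names and contents below are constructed; a real deployment would point it at the adump path and keep the manifest between runs.

```python
import hashlib
import os
import tempfile


def snapshot(audit_dir):
    """Return {filename: (size, sha256)} for every *.aud file in audit_dir."""
    manifest = {}
    for name in sorted(os.listdir(audit_dir)):
        if not name.endswith(".aud"):
            continue
        with open(os.path.join(audit_dir, name), "rb") as f:
            data = f.read()
        manifest[name] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def diff_snapshots(before, after):
    """Audit files are append-only, so a file that vanished, shrank, or changed
    content without growing is evidence of tampering. Legitimate growth (new
    records appended) is not flagged; a rewrite that also grows the file is not
    caught by this size/hash comparison, which is a known limitation here."""
    findings = []
    for name, (size, digest) in before.items():
        if name not in after:
            findings.append(("deleted", name))
        elif after[name][0] < size:
            findings.append(("truncated", name))
        elif after[name][0] == size and after[name][1] != digest:
            findings.append(("modified", name))
    return findings


def demo():
    """Constructed scenario (hypothetical adump directory): one audit file is
    removed as in the javaos call above and another is truncated."""
    with tempfile.TemporaryDirectory() as adump:
        for name, body in (("ora_563.aud", b"AUDIT RECORD 1\n"),
                           ("ora_564.aud", b"AUDIT RECORD 2\n")):
            with open(os.path.join(adump, name), "wb") as f:
                f.write(body)
        before = snapshot(adump)
        os.remove(os.path.join(adump, "ora_563.aud"))       # the rm from the post
        with open(os.path.join(adump, "ora_564.aud"), "wb") as f:
            f.write(b"AUDIT\n")                              # in-place truncation
        return diff_snapshots(before, snapshot(adump))


if __name__ == "__main__":
    print(demo())
```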

Cheers,
Paul
