Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 

Archive for February, 2010

Securing Java in Oracle Update and escalating to SYSDBA

Updated Securing Java in Oracle paper here.
David’s work has drawn attention.
http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html
http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1
etc..
What the reports miss is that this definitely affects 10.2.0.4.3 as well in a big way.
Oracle have provided some guidance in the absence of a patch:
- revoke execute on “oracle/aurora/util/Wrapper” from public;
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms [...]

February 25th, 2010 | Category: Uncategorized | Leave a comment

Securing Java In Oracle and DBMS_JVM_EXP_PERMS

David Litchfield’s Java/Oracle security research has been made public by the Blackhat conference in DC before it is patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2 which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not [...]

February 7th, 2010 | Category: Uncategorized | Leave a comment