Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Archive for March, 2010

Java Forensics In Oracle

Java Forensics In Oracle ~ Part 1
As discussed in last week’s post there is a serious threat in all patched Oracle databases due to vulnerabilities in the Java privilege model as originally published by David. Last week I added the example of recreating the password file with a new SYS password in order to [...]

CREATE SESSION to SYSDBA via Java and orapwd

Hi All,
The recent Java security research from David, formerly of NGSSoftware, can be summarised simply: DBMS_JVM_EXP_PERMS can be used to grant Java privileges in the Oracle DB, which can then be leveraged via the DBMS_JAVA or DBMS_JAVA_TEST packages to gain DBA. Therefore one should revoke public execute from those packages and grant to the [...]

Oracle and Google Nexus

Hi All,
Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David.
I noticed that David’s 11g presentation is up on YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the door to [...]

sec_return_server_release_banner Secure by Default?

Hello World,
Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog.
http://www.scmagazineus.com/scawards2010-finalists/section/1309/
Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security.
http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html
Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured [...]

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks,
The vulnerability in E-Business Suite R12 requires a non-default diagnostics mode, so it is low risk.
http://www.securityfocus.com/archive/1/509460
Having said that, it is worth keeping an eye on Internet-facing Oracle applications, though there is not a huge amount published on this by O’Reilly and Apress.
Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business [...]