Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Author Archive

Oracle and Google Nexus

Hi All,
Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David.
I noticed that David’s 11g presentation is up at YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the door to [...]

sec_return_server_release_banner Secure by Default?

Hello World,
Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog.
http://www.scmagazineus.com/scawards2010-finalists/section/1309/
Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security.
http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html
Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured [...]

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks,
Vulnerability in E-Business Suite R12 requires non-default diagnostics mode, so low risk.
http://www.securityfocus.com/archive/1/509460
Having said that it is worth keeping an eye on Internet facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress.
Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business [...]

Securing Java in Oracle Update and escalating to SYSDBA

Updated Securing Java in Oracle paper here.
David’s work has drawn attention.
http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html
http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1
etc.
What the reports miss is that this definitely affects 10.2.0.4.3 as well in a big way.
Oracle have provided some guidance in the absence of a patch:
- revoke execute on “oracle/aurora/util/Wrapper” from public;
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms [...]

Securing Java In Oracle and DBMS_JVM_EXP_PERMS

David Litchfield’s Java/Oracle security research has been made public by the Blackhat conference in DC before it is patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2 which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not [...]

Jan 2010 CPU Update

Hello Folks,
So back in the saddle and Jan CPU is 7.5 for Linux so needs to be taken seriously. The PSU containing the CPU installs nicely for 10.2.0.4.3 and gives full detail of the vulnerabilities being fixed whilst installing… makes interesting reading. The Jan CPU does not fix all the bugs I was expecting it to [...]

PUBLIC Regex in the absence of Definer’s Rights Roles

Been ill this week with man flu ~ not bird or swine flu, much more serious than that..
..So back to the plot.. In the current absence of Definer’s Rights Roles, there is a temptation for Devs to GRANT EXECUTE to PUBLIC on their new packages so the privs can carry through to other schemas’ packages. [...]

UKOUG review

The dust has now settled so let’s see what has survived in the memory banks..
Tom’s presentation was entertaining with an application development security theme. I missed Alex Keh’s talk on AD which was a shame as looking at the slides it was a good talk (download password is at the bottom of the printed [...]

UKOUG Agenda

So UKOUG next week, where I will be attending Monday and Tuesday. There are quite a few Oracle security presentations some of which are listed below. Many of the presentation pdfs have already been posted on UKOUG’s site, so you can print them off before attending if you wish.
10:45 – 11:45 Hall 1
Server Technology Keynote: [...]

PUBLIC ROLE AND DEFINER RIGHTS

Hi All,
I received Applied Oracle Security in the post this weekend from Amazon. Yes they are still selling actual books, as well as offering Amazing Elastic Clouds to the masses.
Being Oracle Press I expected the book to be from the Oracle vendor perspective, but having said that David Knox’s previous Oracle Press book was a [...]