Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Archive for Uncategorized

Turning off SYS auditing from the DB without that fact being recorded

Hello World,
Thanks to the many folks that attended the Sentrigo Webinar a few hours ago.
Marketing had a few problems with the GoToWebinar software which were solved by excellent team work, Dunkirk Spirit and a sense of humour ~ but did result in my being unable to show this demo of how CREATE ANY DIRECTORY [...]

Sentrigo Webinar on Tuesday 8th June at 6pm London Time

First EU timed webinar on “securely recording the use of privilege in Oracle databases” went well. There will be a second later webinar timed for the US on Tuesday at this URL.

http://www.sentrigo.com/node/459 June 8, 10:00am PT/01:00pm ET
The content will include the following:
- Shortcomings of Oracle’s built-in audit trail.
- The generic differences between DAMS solutions.
- How DAMS contributes to [...]

Exadata day ~ ISSD prep and Sentrigo Webinar

Just came back from the Oracle Exadata day where there were some well-honed presentation skills on offer. The general message seemed to be that Exadata V2 is bigger and better hardware with faster flash memory, but for general purposes can be regarded as a bigger 11g/OEL box. It is certainly more secure [...]

DAMS and AUDIT_SYSLOG_LEVEL

The dust has settled after Infosec and so what remains must by definition be memorable. In my case, I remember discussing the etymology of the word Oracle with a charming marketing exec. Yes, even before the Greeks, Alexander consulted Amun’s Oracle at Siwa and it must have been good advice as he went on to [...]

JAVA$POLICY$ Past Exploitation Check

Hello Oracle Security interested folks,
Firstly thanks to Oracle for referencing my Oracle Wallet article on www.oracle.com as well as the interesting comments from our readers. This blog has become quite popular so thank you for your support.
I have some excellent news as my company has been selected as a Channel Partner for Sentrigo covering the [...]

April 2010 CPU ~ Securing Java Applications at Design and in Production

Hello,
So it is Oracle patch testing time again which includes Java and Applications too, not just the DB, but it’s a good place to start today…
The CPU or PSU is available for 10.2.0.4 and above for most installations, though the next CPU is the last one for 9i. Most I think will be installing the [...]

Oracle Wallet AUTO LOGIN ~ common misconception corrected

Hello Oracle Security interested people,
The generic problem of how to automatically invoke an SQL script remotely whilst keeping the password secret from other users of the client OS is not as trivial as it may at first sound.
Consider the common scenario where an SQL script is currently run from SQL*PLUS invoked from a shell script [...]

Java Forensics In Oracle

Java Forensics In Oracle ~ Part 1
As discussed in last week’s post there is a serious threat in all patched Oracle databases due to vulnerabilities in the Java privilege model as originally published by David. Last week I added the example of recreating the password file with a new SYS password in order to [...]

CREATE SESSION to SYSDBA via Java and orapwd

Hi All,
The recent Java Security research from David, formerly of NGSSoftware, could be summarised simply in that DBMS_JVM_EXP_PERMS can be used to grant Java privileges in the Oracle DB which can then be leveraged via DBMS_JAVA or DBMS_JAVA_TEST packages to gain DBA, therefore one should revoke public execute from those packages and grant to the [...]

Oracle and Google Nexus

Hi All,
Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David.
I noticed that David’s 11g presentation is up at YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the door to [...]