Three Tier Oracle Security in London ~ Paul M. Wright

Hello World,
Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog.
http://www.scmagazineus.com/scawards2010-finalists/section/1309/
Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security.
http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html
Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured [...]

March 8th, 2010 | Category: Uncategorized | Comments Off

Hi Folks,
Vulnerability in E-Business Suite R12 requires non-default diagnostics mode so Low risk.
http://www.securityfocus.com/archive/1/509460
Having said that it is worth keeping an eye on Internet facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress.
Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business [...]

March 1st, 2010 | Category: Uncategorized | Comments Off

Updated Securing Java in Oracle paper here.
David’s work has drawn attention.
http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html
http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1
etc..
What the reports miss is that this definitely affects 10.2.0.4.3 as well in a big way.
Oracle have provided some guidance in the absence of a patch:
- revoke execute on “oracle/aurora/util/Wrapper” from public;
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms [...]

February 25th, 2010 | Category: Uncategorized | Comments Off

David Litchfield’s Java/Oracle security research has been made public by the Blackhat conference in DC before it is patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2 which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not [...]

February 7th, 2010 | Category: Uncategorized | Comments Off

Hello Folks,
So back in the saddle and Jan CPU is 7.5 for Linux so needs to be taken seriously. The PSU containing the CPU installs nicely for 10.2.0.4.3 and gives full detail of the vulnerabilities being fixed whilst installing…makes interesting reading. The Jan CPU does not fix all the bugs I was expecting it to [...]

January 26th, 2010 | Category: Uncategorized | Comments Off

Been ill this week with man flu ~ not bird or swine flu, much more serious than that..
..So back to the plot.. In the current absence of Definer’s Rights Roles, there is a temptation for Devs to GRANT EXECUTE to PUBLIC on their new packages so the privs can carry through to other schema’s packages. [...]

December 13th, 2009 | Category: Uncategorized | Comments Off

The dust has now settled so let’s see what has survived in the memory banks..
Tom’s presentation was entertaining with an application development security theme. I missed Alex Keh’s talk on AD which was a shame as looking at the slides it was a good talk (download password is at the bottom of the printed [...]

December 6th, 2009 | Category: Uncategorized | Comments Off

So UKOUG next week, where I will be attending Monday and Tuesday. There are quite a few Oracle security presentations some of which are listed below. Many of the presentation pdfs have already been posted on UKOUG’s site, so you can print them off before attending if you wish.
10:45 – 11:45 Hall 1
Server Technology Keynote: [...]

November 29th, 2009 | Category: Uncategorized | Comments Off

Hi All,
I received Applied Oracle Security in the post this weekend from Amazon. Yes they are still selling actual books, as well as offering Amazing Elastic Clouds to the masses.
Being Oracle Press I expected the book to be from the Oracle vendor perspective, but having said that David Knox’s previous Oracle Press book was a [...]

November 22nd, 2009 | Category: Uncategorized | Comments Off