July Security Alert

Hi Oracle Security Folks, The July Oracle Security Alert is out. My part is smaller than last quarter as just an In-Depth Credit, but Mr David Litchfield makes a triumphal return with some excellent new research. There is a CVSS 9 and a remote unauthenticated issue in this patch, so it is worth installing this one. [...]

April 2014 CPU

Hi Oracle Security Folks, Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP (GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which gains 8.5 in the CPU, which I am not going to publish here as I want to give folks time to patch. [...]


Hello Oracle Security Readers, If we combine the following factors together then we can identify an escalation route from Index on SYSTEM to SYSDBA which does not require SELECT privileges on the indexed table: 1. SYSTEM passes its DBA role through its procedures. 2. Oracle indexes allow execution from read via functions, i.e. INDEX can [...]


Hi Guys, OOW was the trip of a lifetime. Watching Oracle USA win the cup with Ben Ainslie was great, as was watching Larry’s keynote live. Columnar in-memory DB looks interesting and is competition for Hana. I presented at the excellent Delphix event with OakTable, and picked up some good information to finalise some more [...]

OOW and Oak Table

Hi Oracle Security Readers, OOW is here again and I will be giving a short “In a nutshell” presentation on 12c security which will include 3 good and 3 not so good points about 12c, as well as future research directions. The presentation will be at Table World. This can be regarded as [...]


Hi Oracle Security Folks, Yes indeed, 12c is out. I have been working on 12c for 1.5 years and gave the first external 12c security presentation (of which I am aware) at UKOUG 2012 in Birmingham, so it is good to see that the product has finally been released. I like that the consolidation features [...]

Another Java Security Alert

Hi Oracle Security Folks, Following the tradition for one-off Java Security Alerts: Oracle Critical Patch Updates and Security Alerts: Oracle Security Alert for CVE-2013-1493. The reporters say it is an unreliable exploit. Of course it depends on Java being used in the browser, so one fix is to unplug the JVM [...]

Oracle Dictionary Integrity Health Check

Hi, It is good to check the integrity or health of a system to avoid future problems.

EXEC DBMS_HM.RUN_CHECK('Dictionary Integrity Check', 'my_run');
SET LONG 100000
SET LONGCHUNKSIZE 1000
SET PAGESIZE 1000
SET LINESIZE 512
SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') from dual;

SQL> SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') from dual;

DBMS_HM.GET_RUN_REPORT('MY_RUN')
--------------------------------------------------------------------------------
Basic Run Information
Run Name : my_run
Run [...]

Java Security Alert

New Year – New vulnerabilities…yes it’s alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously. Here is the alert – For an excellent advanced analysis please see [...]

UKOUG 2012 in a nutshell

Hi Oracle Security Folks, UKOUG 2012 in a nutshell: OAK Table day highlight was Julian’s analysis of RAT capture formats, which made reverse engineering proprietary formats look a lot easier than it should do. Christian’s super secret talk was so secret that it was not given, but I managed to catch up on that later. Monday [...]