Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Archive for Uncategorized

April 2010 CPU ~ Securing Java Applications at Design and in Production

Hello. So it is Oracle patch testing time again, which includes Java and Applications too, not just the DB, but the DB is a good place to start today… The CPU or PSU is available for 10.2.0.4 and above for most installations, though the next CPU is the last one for 9i. Most I think will be [...]

Oracle Wallet AUTO LOGIN ~ common misconception corrected

Hello, Oracle Security interested people. The generic problem of how to automatically invoke an SQL script remotely whilst keeping the password secret from other users of the client OS is not as trivial as it may at first sound. Consider the common scenario where an SQL script is currently run from SQL*Plus invoked from a [...]

Java Forensics In Oracle

Java Forensics In Oracle ~ Part 1 As discussed in last week’s post there is a serious threat in all patched Oracle databases due to vulnerabilities in the Java privilege model as originally published by David. Last week I added the example of recreating the password file with a new SYS password in order to [...]

CREATE SESSION to SYSDBA via Java and orapwd

Hi All, The recent Java Security research from David, formerly of NGSSoftware, could be summarised simply: DBMS_JVM_EXP_PERMS can be used to grant Java privileges in the Oracle DB, which can then be leveraged via the DBMS_JAVA or DBMS_JAVA_TEST packages to gain DBA; therefore one should revoke public execute from those packages and grant to [...]

Oracle and Google Nexus

Hi All, Nice paper from Pete on Sentrigo Hedgehog usage, which also references the Java vulnerability work by David. I noticed that David’s 11g presentation is up at YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the [...]

sec_return_server_release_banner Secure by Default?

Hello World, Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog. http://www.scmagazineus.com/scawards2010-finalists/section/1309/ Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security. http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html Nice post and good luck with the new blog. Oracle config issues like these are interesting [...]

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks, A vulnerability in E-Business Suite R12 requires the non-default diagnostics mode, so it is low risk. http://www.securityfocus.com/archive/1/509460 Having said that, it is worth keeping an eye on Internet-facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress. Google Books has a relevant book free of charge named “Security, Audit and [...]

Securing Java in Oracle Update and escalating to SYSDBA

Updated Securing Java in Oracle paper here. David’s work has drawn attention. http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1 etc. What the reports miss is that this definitely affects 10.2.0.4.3 as well, in a big way. Oracle have provided some guidance in the absence of a patch: – revoke execute on “oracle/aurora/util/Wrapper” from public; – grant execute on sys.dbms_jvm_exp_perms to [...]
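The two posts above (“CREATE SESSION to SYSDBA via Java and orapwd” and this one) name the packages involved and Oracle’s interim advice. The following is an added example, not code from the posts or from Oracle, showing how a DBA would check the PUBLIC grants on those objects, apply the revokes, and confirm the result. Object names are the ones named on this page; DBA_TAB_PRIVS and DBA_JAVA_POLICY are standard Oracle data dictionary views. The post’s “grant execute ... to [...]” is site-specific and is left as a comment rather than guessed at.

```sql
-- Added example (not from the original posts). Run as SYS or a DBA.
-- 1. Before: which of the objects named in the posts can PUBLIC execute?
--    Any row returned here is a candidate for the revokes below.
SELECT owner, table_name, privilege, grantee
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_JVM_EXP_PERMS',
                      'DBMS_JAVA',
                      'DBMS_JAVA_TEST',
                      'oracle/aurora/util/Wrapper')
 ORDER BY table_name;

-- 2. Java permissions already granted to PUBLIC. The escalation works by
--    granting Java privileges, so anything unexpected here (beyond the
--    default install set) deserves a look before and after hardening.
SELECT kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'PUBLIC'
 ORDER BY type_name, name;

-- 3. Interim hardening as described on this page: take the packages
--    away from PUBLIC. The first revoke is Oracle's guidance quoted in the
--    post; the remaining three follow the earlier post's advice to revoke
--    public execute on the packages used to leverage the grant.
--    Caveat: revoking DBMS_JAVA from PUBLIC can break applications that
--    load or call Java in the database, so check step 1 against your
--    application accounts first and test on a non-production instance.
REVOKE EXECUTE ON "oracle/aurora/util/Wrapper" FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java_test FROM PUBLIC;

-- 4. Re-grant only to the specific users or roles that genuinely need the
--    packages (the post truncates the grantee, so it is not reproduced here):
--    GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO <named_role_or_user>;

-- 5. After: the query from step 1 should now return no rows, and the
--    revokes should show up in the audit trail if AUDIT GRANT is in place.
SELECT COUNT(*) AS remaining_public_grants
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_JVM_EXP_PERMS',
                      'DBMS_JAVA',
                      'DBMS_JAVA_TEST',
                      'oracle/aurora/util/Wrapper');
```

Revoking from PUBLIC does not revoke direct grants made to individual users or roles, so after step 3 it is worth re-running step 1 without the `grantee = 'PUBLIC'` filter to see who still holds EXECUTE on these packages.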

Securing Java In Oracle and DBMS_JVM_EXP_PERMS

David Litchfield’s Java/Oracle security research has been made public at the Black Hat conference in DC before it has been patched by Oracle. Additionally, there is some misinformation going round that this work only affects 11.2, which is incorrect, as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not [...]

Jan 2010 CPU Update

Hello Folks, So back in the saddle, and the Jan CPU is rated 7.5 for Linux, so it needs to be taken seriously. The PSU containing the CPU installs nicely for 10.2.0.4.3 and gives full detail of the vulnerabilities being fixed whilst installing… makes interesting reading. The Jan CPU does not fix all the bugs I was expecting it [...]