Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Archive for Uncategorized

DAMS for Post and PRE-CPU Change Management

When a new CPU/PSU comes out, a package is known to be vulnerable, e.g. SYS.DMP_SYS (CVE-2009-1007), but applying the patch may be too risky and/or take too long to test before deployment. CPUs are complex and their effect cannot be predicted. The strategy has to be one of install on QA and stand well back [...]

Oracle Security Summary

Hi Folks,
Here is an Oracle Security Summary:
Alexandre has published some PoC code for CVE-2009-1991 at http://dsecrg.com/pages/vul/show.php?id=110.
The new UKOUG SCENE Journal has been published with an emphasis on “Security in the City” and UKOUG have kindly highlighted an article of mine on Database Application Monitoring systems used for financial transparency. The main thrust of [...]

Oracle Identity Integrity

Security in a multi-user system relies on individuality of account access and Identity Integrity.
The ability to assume the identity of another user is one of the most powerful privileges that exists and should be monitored and logged using a Database Activity Monitoring System, for compliance, assurance and good practice.
Client supplied identity information passed [...]

Reflecting back in time at Oracle security

Hello Oracle Security folks,
So what’s been happening in Oracle Security recently?
The delayed CPU has settled down and testing will begin. Some will install the PSU and some the CPU. Others will actually work out what the vulnerabilities are and manually mitigate thus reducing the risk of taking a step backwards. Revoking PUBLIC execute is safer [...]

CREATE TABLE to OSDBA

I have written a new paper entitled CREATE TABLE to OSDBA with reverse shell. The paper includes demo code for 11.1.0.7 Windows and UNIX (but not 10g).
The demo shows that granting EXECUTE on a directory in 11g to a user that possesses the common CREATE TABLE privilege is effectively equivalent to granting them OSDBA.
Once an [...]

JAVA_ADMIN to OSDBA

Question: Why escalate to SYSDBA when one can shortcut directly to OSDBA?
JAVA_ADMIN is a role in the Oracle DB which is granted to application accounts that wish to take advantage of Java integration. Given the recent US Anti-Trust go-ahead for the Oracle and Sun deal, this is likely to be an increasingly common phenomenon.

–Interestingly a user [...]

VPD vite

A lot of folks think that implementing VPD has to be complex and time consuming. This is not the case.
VPD can be used to implement a DENY on a table very quickly indeed.
For example, in order to stop a person selecting from a table one just needs to create the function which adds a predicate which is [...]

Post July 2009 CPU

July 2009 CPU PoCs are out in force. The CPU’s criticality is measured via the CVSS score, which ranges from 1 to 10, with 10 being the most critical. The most critical DB bug fixed in this CPU scores 9. However that is only on Windows. For *nix the [...]

DBA_OBJ_PRIVS

It is important for a SYS user to know the identity of a package that they are executing, as their privileges will override the DEFINER rights of the package owner.
The method of identifying an object’s identity in Oracle is traditionally the pairing of the schema.object names.
I have shown in “CREATE USER to SYSDBA” paper that [...]

CREATE USER to SYSDBA

San Francisco and speaking at RSA Moscone was a great experience and being invited to Oracle’s Head Office in Redwood for a tour and to talk security was an unexpected highlight of the trip. Oracle’s Head office is a pleasant excursion with a lake and growing bird sanctuary. One reason for the visit was to [...]