<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>OraNA :: Security</title><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/orana_security" /><language>en</language><managingEditor>noemail@noemail.org (OraNA.info)</managingEditor><lastBuildDate>Wed, 28 Jul 2010 12:11:36 PDT</lastBuildDate><generator>Google Reader http://www.google.com/reader</generator><gr:continuation xmlns:gr="http://www.google.com/schemas/reader/atom/">CJ_7qtW5qqEC</gr:continuation><feedburner:info uri="orana_security" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><description>Read and monitor Oracle security related blogs and news sources, all in one place.</description><item><title>Upcoming Webinar: Oracle Critical Patch Update July 2010 Database Impact</title><link>http://feedproxy.google.com/~r/orana_security/~3/iKrxNR6KcPE/webinar-oracle-cpu-july-2010-database</link><category>Oracle Database</category><category>Oracle Critical Patch Update</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Kost</dc:creator><pubDate>Wed, 28 Jul 2010 12:09:11 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/333803b7665ce3ed</guid><description>&lt;a href="https://www1.gotomeeting.com/register/654670040"&gt;&lt;span style="font-weight:bold"&gt;Oracle July 2010 CPU - Oracle Database Impact&lt;/span&gt;&lt;/a&gt;&lt;br&gt;&lt;span style="font-weight:bold"&gt;Thursday, July 29, 2:00pm - 3:00pm EDT&lt;/span&gt;&lt;br&gt;&lt;br&gt;Every  quarter, Oracle releases a Critical Patch Update (CPU) that fixes a  number of security vulnerabilities in the Oracle Database.  This  quarterly eLearning session will focus on the July 2010 CPU and the  impact on the Oracle Database.  The topics will include:&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;A review of the security vulnerabilities fixed in this CPU,&lt;/li&gt;
    &lt;li&gt;An analysis of the required CPU patches,&lt;/li&gt;
    &lt;li&gt;A discussion of patching including CPUs vs. PSUs.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.&lt;br&gt;&lt;br&gt;Click &lt;a href="https://www1.gotomeeting.com/register/654670040"&gt;here&lt;/a&gt; to register for this webinar.&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/iKrxNR6KcPE" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.integrigy.com/oracle-security-blog/archive/2010/07/28/webinar-oracle-cpu-july-2010-database</feedburner:origLink></item><item><title>The second IOUG / Oracle Security Assurance Survey</title><link>http://feedproxy.google.com/~r/orana_security/~3/UlokdG7YXpU/00001327.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Tue, 27 Jul 2010 12:46:10 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/44a669bf4e1b365d</guid><description>&lt;p&gt; I wrote about the first IOUG joint security survey with Oracle two years ago here in my blog in a post titled " An Oracle Security Survey by The IOUG and Oracle " and I encouraged participation on the survey....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001327.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 27/07/10 At 08:53 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/UlokdG7YXpU" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001327.htm</feedburner:origLink></item><item><title>Upcoming presentation with McAfee for their ‘Hacking Exposed’ Webcast series</title><link>http://feedproxy.google.com/~r/orana_security/~3/rnoFtkFhscs/</link><category>security</category><category>hacking</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Slavik</dc:creator><pubDate>Thu, 15 Jul 2010 18:29:36 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/229b8df8b186b40d</guid><description>Next week I’ll be doing a really fun 
webcast, as a guest speaker for McAfee’s ‘Hacking Exposed Live’ series.  The series takes a look at current and evolving hacks and what you can do to protect your environment.  The topic is officially:  ‘Understanding Threat Vectors for Database Breaches’, and I’ll be showing some sample attacks [...]&lt;div&gt;
&lt;a href="http://feeds.feedburner.com/~ff/slaviks-blog/WxxD?a=9ABbFUeXDjI:iZbdtLhYNDM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/slaviks-blog/WxxD?d=yIl2AUoC8zA" border="0"&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/slaviks-blog/WxxD/~4/9ABbFUeXDjI" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/rnoFtkFhscs" height="1" width="1"/&gt;</description><feedburner:origLink>http://feedproxy.google.com/~r/slaviks-blog/WxxD/~3/9ABbFUeXDjI/</feedburner:origLink></item><item><title>59 Security bugs fixed, 28 remotely exploitable, 13 in the database</title><link>http://feedproxy.google.com/~r/orana_security/~3/XJeIbdIypWc/00001326.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Wed, 14 Jul 2010 06:30:07 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/562fb86b240ef92f</guid><description>&lt;p&gt; Oracle yesterday released the latest in its series of quarterly security patches known as CPU's Critical Patch Updates. Oracle released an advisory detailing the fixes. The patch set contains 59 new security fixes. For me the interesting part are the....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001326.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 14/07/10 At 02:20 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/XJeIbdIypWc" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001326.htm</feedburner:origLink></item><item><title>Oracle Critical Patch Update July 2010 Pre-Release Analysis</title><link>http://feedproxy.google.com/~r/orana_security/~3/eG1vXqVtKE4/cpu-july-2010-prerelease</link><category>Oracle Database</category><category>Oracle Critical Patch Update</category><category>Oracle E-Business Suite</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Kost</dc:creator><pubDate>Sun, 11 Jul 2010 20:12:11 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/b97a7399df799713</guid><description>Here is a brief analysis of the &lt;span&gt;&lt;a 
href="http://www.oracle.com/technology/deploy/security/alerts.htm"&gt;pre-release  announcement&lt;/a&gt;&lt;/span&gt; for the upcoming July 2010 Oracle Critical  Patch Update (CPU) -&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;Overall, 38 Oracle security vulnerabilities are fixed in this CPU,  which is a below average number but well within the range of previous  CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45,  Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51,  Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).  These numbers have been normalized for Oracle products and exclude any Sun products.&lt;br&gt;&lt;/li&gt;
    &lt;li&gt;The Oracle product and vulnerability mix appears to be similar to  previous CPUs.  All &lt;span style="font-weight:bold;text-decoration:underline"&gt;CPU supported&lt;/span&gt; Oracle Database and Oracle E-Business Suite versions are included.  The list of  supported versions is getting very short and should be carefully  reviewed to determine if version upgrades are required prior to applying  the CPU security patches -&lt;/li&gt;
    &lt;ul&gt;
        &lt;ul&gt;
            &lt;ul&gt;
                &lt;li&gt;Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms&lt;br&gt;&lt;/li&gt;
                &lt;li&gt;Application Server = 10.1.2.3.0&lt;/li&gt;
                &lt;li&gt;E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x&lt;br&gt;&lt;/li&gt;
            &lt;/ul&gt;
        &lt;/ul&gt;
    &lt;/ul&gt;
    &lt;li&gt;&lt;span style="font-weight:bold"&gt;The highlight of this CPU is 4 of 6 Oracle Database security vulnerabilities are  remotely exploitable without authentication&lt;/span&gt;.  It is rare to have even a single vulnerability in the database that is remotely exploitable without authentication.  Most  likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application  Builder.  If the remotely exploitable  vulnerabilities are in the Listener component, then these could only be denial of service vulnerabilities. &lt;/li&gt;
    &lt;li&gt;There are no major version support changes for this CPU.&lt;/li&gt;
    &lt;li&gt;Integrigy will be presenting more information on this CPU in the following webinars: (1) &lt;a href="https://www1.gotomeeting.com/register/155159936"&gt;Oracle July 2010 CPU E-Business Suite Impact Webinar&lt;/a&gt; Thursday, July 22, 2pm ET and (2) &lt;a href="https://www1.gotomeeting.com/register/654670040"&gt;Oracle July 2010 CPU Oracle Database Impact Webinar&lt;/a&gt; Thursday, July 29, 2pm ET. &lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt; &lt;span style="font-weight:bold;text-decoration:underline"&gt;Oracle  Database&lt;/span&gt;&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;There are 6 database vulnerabilities and four are remotely  exploitable without authentication.&lt;br&gt;&lt;/li&gt;
    &lt;li&gt;Since at least one database vulnerability has a &lt;a href="http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss"&gt;CVSS&lt;/a&gt;  2.0 metric of 7.8 (practical maximum for a database vulnerability), this is a fairly important CPU.  Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.&lt;br&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style="font-weight:bold;text-decoration:underline"&gt;Oracle  Application Server&lt;/span&gt;&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication.  For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control.  Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;&lt;span style="font-weight:bold;text-decoration:underline"&gt;Oracle  E-Business Suite 11i and R12&lt;/span&gt;
&lt;ul&gt;
    &lt;li&gt;There are 7 new Oracle E-Business Suite 11i and R12  vulnerabilities, five of which are remotely exploitable without  authentication.&lt;/li&gt;
    &lt;li&gt;The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management.  Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF), as these might be exploitable in externally accessible web pages.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;&lt;span style="font-weight:bold;text-decoration:underline"&gt;Planning  Impact&lt;/span&gt;&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;We anticipate the criticality of this quarter&amp;#39;s CPU will be in-line with previous  CPUs.  The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.&lt;br&gt;&lt;/li&gt;
    &lt;li&gt;As with all previous CPUs, this quarter's security patches  should be deemed critical and you should adhere to the established  procedures and timing used for previous CPUs.&lt;/li&gt;
    &lt;li&gt;Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall.  If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.&lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/eG1vXqVtKE4" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.integrigy.com/oracle-security-blog/archive/2010/07/11/cpu-july-2010-prerelease</feedburner:origLink></item><item><title>Upcoming Webinars: Oracle Critical Patch Update July 2010</title><link>http://feedproxy.google.com/~r/orana_security/~3/dQkksOdN_8E/webinar-oracle-cpu-july-2010</link><category>Oracle Database</category><category>Oracle Critical Patch Update</category><category>Oracle E-Business Suite</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Kost</dc:creator><pubDate>Fri, 09 Jul 2010 12:38:21 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/1ccc4727fdd13289</guid><description>Integrigy's CTO, Stephen Kost, will be presenting a series of webinars on Oracle's Critical Patch Update for July 2010.&lt;br&gt;&lt;br&gt;&lt;a href="https://www1.gotomeeting.com/register/155159936"&gt;&lt;span style="font-weight:bold"&gt;Oracle July 2010 CPU - Oracle E-business Suite Impact&lt;/span&gt;&lt;/a&gt;&lt;br&gt;&lt;span style="font-weight:bold"&gt;Thursday, July 22, 2:00pm - 3:00pm EDT&lt;/span&gt;&lt;br&gt;&lt;br&gt;This quarterly eLearning session will focus on the July 2010 CPU and the impact on E-Business Suite environments.&lt;br&gt;&lt;br&gt;Topics will include:&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;a review of the security vulnerabilities fixed in the CPU,&lt;/li&gt;
    &lt;li&gt;an analysis of the required CPU patches,&lt;/li&gt;
    &lt;li&gt;a discussion of a high-level patch strategy.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.&lt;br&gt;&lt;br&gt;Click &lt;a href="https://www1.gotomeeting.com/register/155159936"&gt;here&lt;/a&gt; to register for the Oracle E-Business Suite webinar.&lt;br&gt;&lt;br&gt;&lt;a href="https://www1.gotomeeting.com/register/654670040"&gt;&lt;br&gt;&lt;span style="font-weight:bold"&gt;Oracle July 2010 CPU - Oracle Database Impact&lt;/span&gt;&lt;/a&gt;&lt;br&gt;&lt;span style="font-weight:bold"&gt;Thursday, July 29, 2:00pm - 3:00pm EDT&lt;/span&gt;&lt;br&gt;&lt;br&gt;Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database.  This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database.  The topics will include:&lt;br&gt;
&lt;ul&gt;
    &lt;li&gt;A review of the security vulnerabilities fixed in this CPU,&lt;/li&gt;
    &lt;li&gt;An analysis of the required CPU patches,&lt;/li&gt;
    &lt;li&gt;A discussion of patching including CPUs vs. PSUs.&lt;/li&gt;
&lt;/ul&gt;
&lt;br&gt;Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.&lt;br&gt;&lt;br&gt;Click &lt;a href="https://www1.gotomeeting.com/register/654670040"&gt;here&lt;/a&gt; to register for the Oracle Database webinar.&lt;br&gt;&lt;span style="font-weight:bold"&gt;&lt;br&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/dQkksOdN_8E" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.integrigy.com/oracle-security-blog/archive/2010/07/09/webinar-oracle-cpu-july-2010</feedburner:origLink></item><item><title>Pete Finnigan will be teaching Oracle Security in Tallinn, Estonia and speaking at UKOUG Unix SIG at TVP</title><link>http://feedproxy.google.com/~r/orana_security/~3/SsZirG4rl9c/00001325.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Wed, 07 Jul 2010 06:16:48 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/769c27f9da35350e</guid><description>&lt;p&gt; I have just added another public training date to my upcoming Oracle security trainings calendar. This is for November 4th and 5th in Tallinn, Estonia which I am really looking forwards to. 
I have also just agreed to do two....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001325.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 07/07/10 At 01:31 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/SsZirG4rl9c" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001325.htm</feedburner:origLink></item><item><title>Do Oracle 11g features weaken security?</title><link>http://feedproxy.google.com/~r/orana_security/~3/2s_VJYGIrwU/00001324.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Thu, 01 Jul 2010 04:00:41 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/df7d8b1f47f39a5f</guid><description>&lt;p&gt; I did a session at the Logica Guru4Pro event a few weeks ago and posted the slides to my site on my Oracle security white papers page . I also talked about this in my blog in a post titled....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001324.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 01/07/10 At 12:01 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/2s_VJYGIrwU" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001324.htm</feedburner:origLink></item><item><title>V3rity has released a redo log mining tool to extract DDL from redo logs</title><link>http://feedproxy.google.com/~r/orana_security/~3/Evi5kvEg9ao/00001323.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Tue, 29 Jun 2010 08:49:07 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/8906b6a31be769f8</guid><description>&lt;p&gt; V3rity is the new company founded by David Litchfield in March 2010 since he left NGS and until recently his site had little on it. 
I suspected that his new company would focus on Database forensics and I am glad....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001323.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 29/06/10 At 01:18 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/Evi5kvEg9ao" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001323.htm</feedburner:origLink></item><item><title>Leaking information about your database to help a hacker!</title><link>http://feedproxy.google.com/~r/orana_security/~3/99hgZpJ4vvM/00001322.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Thu, 24 Jun 2010 03:32:10 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/6e0655d84933b9a4</guid><description>&lt;p&gt; How many of you reading this are DBA's? how many have issues to solve and you turn to the web to find answers or ask and write questions? - quite a few I suspect. When you post to the web....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001322.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 24/06/10 At 11:19 AM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/99hgZpJ4vvM" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001322.htm</feedburner:origLink></item><item><title>New Public Oracle Security Training Class Dates announced</title><link>http://feedproxy.google.com/~r/orana_security/~3/Z8fqQRbv9BY/00001321.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Thu, 17 Jun 2010 08:02:51 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/6801ed5472267ceb</guid><description>&lt;p&gt; I have just agreed four new public Oracle Security classes to be taught this year. 
All of the new classes are our very popular two day class " How to perform a security audit of an Oracle database ". These....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001321.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 17/06/10 At 03:57 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/Z8fqQRbv9BY" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001321.htm</feedburner:origLink></item><item><title>New Oracle Security presentation available</title><link>http://feedproxy.google.com/~r/orana_security/~3/Tr-RV0Ef5OI/00001320.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Tue, 15 Jun 2010 03:02:01 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/8537a86de7f58d30</guid><description>&lt;p&gt; I was in Holland the week before last on June 2nd, to speak at the Logica Guro4Pro event at their offices close to Den Haag. This was a nice event with some really great questions and discussions during my talk....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001320.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 15/06/10 At 11:07 AM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/Tr-RV0Ef5OI" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001320.htm</feedburner:origLink></item><item><title>Turning off SYS auditing from the DB without that fact being recorded</title><link>http://feedproxy.google.com/~r/orana_security/~3/1MFITrjpr94/</link><category>Uncategorized</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Wright</dc:creator><pubDate>Tue, 08 Jun 2010 14:41:14 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/257a0e73502bff99</guid><description>Hello World,
Thanks to the many folks that attended the Sentrigo Webinar  a few hours ago.
Marketing had a few problems with the GoToWebinar software which were solved by excellent team work, Dunkirk Spirit and a sense of humour ~ but did result in my being unable to show this demo of how CREATE ANY DIRECTORY [...]&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/1MFITrjpr94" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.oracleforensics.com/wordpress/index.php/2010/06/08/turning-off-sys-auditing-from-the-db-without-that-fact-being-recorded/</feedburner:origLink></item><item><title>Sentrigo Webinar on Tuesday 8th June at 6pm London Time</title><link>http://feedproxy.google.com/~r/orana_security/~3/T_u4oNCBUGM/</link><category>Uncategorized</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Wright</dc:creator><pubDate>Mon, 07 Jun 2010 14:20:59 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/ea4c9bd0f54b7aa8</guid><description>First EU timed webinar on “securely recording the use of privilege in Oracle databases” went well. There will be a second later webinar timed for the US on Tuesday at this URL.

http://www.sentrigo.com/node/459 June 8, 10:00am PT/01:00pm ET
The content will include the following:
-Shortcomings of Oracle’s builtin audit trail.
-The generic differences between DAMS solutions.
-How DAMS contributes to [...]&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/T_u4oNCBUGM" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.oracleforensics.com/wordpress/index.php/2010/06/07/sentrigo-webinar-on-tuesday-8th-june-at-6pm-london-time/</feedburner:origLink></item><item><title>The Blue Cheese Effect</title><link>http://feedproxy.google.com/~r/orana_security/~3/cPnUqmnKN2c/the-blue-cheese-effect</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Deborah Volk</dc:creator><pubDate>Thu, 03 Jun 2010 15:01:00 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/b9f27cce54f88480</guid><description>If your refrigerator needs to be cleaned out, everyone living with you probably knows it because the task is usually so far down on your to-do list, you might as well plan a trip to Mars first. The task moves up the list  as the odor becomes worse with each door swing.  Eventually it reaches crescendo when your friends, neighbors and significant other(s) can stand it no more. This is the point where the "smell" becomes the "stink" or for those of you counting yourselves as fans of Sir David Attenborough, it becomes &lt;i&gt;titan arum&lt;/i&gt;.&lt;br&gt;&lt;br&gt;   Back in the 1990s, Kent Beck coined the term "code smell" to refer to symptoms in code that could point to a deeper underlying problem.  Typically these symptoms don't break the code and they work, but over time the "smell" can become a "stink".  Since Kent, developers have been documenting "code smells" for different languages, contexts, and methodologies.  And like any smell, what is perfume to one is blue cheese to another.&lt;br&gt;&lt;br&gt;Recently I've been thinking about smells in a typical Oracle Identity Manager implementation. As is true for any enterprise-grade software deployed  to solve real-world problems (read: &lt;i&gt;abused and exploited&lt;/i&gt;) there are patterns that work well and some that don't work so well. 
&lt;br&gt;&lt;br&gt;Detecting Blue Cheese in your Oracle Identity Manager deployment:&lt;br&gt;&lt;br&gt;- &lt;b&gt;Encyclopedia-like User Profile (Xellerate User / USR).&lt;/b&gt; I've seen user profiles with as many as 50 attributes. Although this varies with context, I think 10-15 attributes is a reasonable max. If Xellerate User entity represents your "core" identity, you should not have attributes on it that are better placed with the resource/target. Regarding access policies that fire based on groups which are driven by rules that work only on Xellerate User fields, here's a hint: rules are not the only way to become a member of the group. &lt;br&gt;&lt;br&gt;- &lt;b&gt;Duplication of Adapters&lt;/b&gt; aka &lt;a href="http://en.wikipedia.org/wiki/Copy_and_paste_programming."&gt;Copy and Paste Programming&lt;/a&gt;.  The raison d'etre of adapter mechanism is reuse. If you spend time designing your adapters and (shock! horror!) thinking about a library of adapters just like there are class libraries and frameworks made up of class libraries in various class-friendly languages, you won't see 10 copies of AddThisStringToThatString.&lt;br&gt;&lt;br&gt;- &lt;b&gt;Large Adapters&lt;/b&gt;. Don't click yourself to death and force others to drill down on two pages worth of visual spaghetti that ends up being generated code anyway. If it's more than a screenful (&lt;i&gt;and I don't mean you over there with a 52" screen), &lt;/i&gt;it's too much and should be refactored into smaller adapters and/or underlying code.&lt;br&gt;&lt;br&gt;- &lt;b&gt;Tiny Lookups. &lt;/b&gt;Lookups with a few records at the most, sometimes (&lt;i&gt;adding insult to injury&lt;/i&gt;) with code (attribute) and decode (value) being the same&lt;b&gt;. &lt;/b&gt;&lt;br&gt;&lt;br&gt;- &lt;b&gt;Bloated Lookups&lt;/b&gt;. Perhaps the most frequently encountered smell after Duplicate Adapters and JARs Everywhere. 
This is when a lookup contains more than 10-15 records, occasionally running into hundreds of lines. OIM can be somewhat blamed for this as there's no good alternative for persisting app-specific metadata in the database unless you want to do it in your own (separate from OIM) tables using your own method.&lt;br&gt;&lt;br&gt;- &lt;b&gt;Environment-Specific Data Outside of IT Resource&lt;/b&gt;. Environment-related data is often spotted as task attributes. In other words, the same logical data element (e.g. server hostname) is present in a number of places. Moving OIM to another environment makes this smell a lot of &lt;i&gt;fun&lt;/i&gt;!&lt;br&gt;&lt;br&gt;&lt;i&gt;- &lt;/i&gt;&lt;b&gt;JARs Everywhere.&lt;/b&gt;&lt;i&gt; &lt;/i&gt;Same JAR in JavaTasks, ScheduleTask, &amp;lt;oim_home&amp;gt;/lib, app server classpath, and (&lt;i&gt;for a truly good measure)&lt;/i&gt; a few different directories inside the JDK. Classloaders of the world, unite! You have nothing to lose but your already loaded classes.&lt;br&gt;&lt;br&gt;All of the things above would work, but over time, these things will start to turn your Provisioning Perfume into something a bit more pungent. 
&lt;br&gt;&lt;br&gt;What is your favorite (or dis-favorite) OIM smell?&lt;br&gt;&lt;br&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/cPnUqmnKN2c" height="1" width="1"/&gt;</description><feedburner:origLink>http://identigral.com/blog/2010/06/03/the-blue-cheese-effect</feedburner:origLink></item><item><title>Upcoming IOUG Webinar - A Journey Through Enterprise Database Security for DBAs</title><link>http://feedproxy.google.com/~r/orana_security/~3/1xwGCPtUEBo/ioug-webinar-database-security</link><category>Oracle Database</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stephen Kost</dc:creator><pubDate>Tue, 25 May 2010 14:58:07 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/bd7aef1f384dd7bd</guid><description>Integrigy's CTO, Stephen Kost, will be presenting an &lt;a href="http://www.ioug.org"&gt;Independent Oracle User's Group (IOUG)&lt;/a&gt; educational webinar as part of IOUG's Database Security Technical Education Series.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight:bold"&gt;A Journey Through Enterprise Database Security for DBAs&lt;/span&gt;&lt;br&gt;Stephen Kost, Integrigy&lt;br&gt;Wednesday, May 26, 1:00pm - 2:00pm CT&lt;br&gt;&lt;br&gt;This presentation is intended for Database Administrators. 
It will detail the enterprise database security requirements, regulatory requirements and monitoring of databases.&lt;br&gt;&lt;br&gt;Click &lt;a href="https://www1.gotomeeting.com/register/701306992"&gt;here&lt;/a&gt; to register for the webinar.&lt;br&gt;&lt;br&gt;The webinar is free for IOUG Full Members and $49 for Associate Members and Non-members.&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/1xwGCPtUEBo" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.integrigy.com/oracle-security-blog/archive/2010/05/25/ioug-webinar-database-security</feedburner:origLink></item><item><title>Exadata day ~ ISSD prep and Sentrigo Webinar</title><link>http://feedproxy.google.com/~r/orana_security/~3/vWU8_zu01FE/</link><category>Uncategorized</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Wright</dc:creator><pubDate>Wed, 19 May 2010 13:39:29 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/e9d764a605ec98dd</guid><description>Just came back from the Oracle Exadata day where there were some well honed presentation skills on offer. The general message seemed to be that Exadata V2 is bigger and better hardware with faster flash memory, but for general purposes can be regarded as being as a bigger 11g/OEL box. 
It is certainly more secure [...]&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/vWU8_zu01FE" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.oracleforensics.com/wordpress/index.php/2010/05/19/exadata-day-issd-prep-and-sentrigo-webinar/</feedburner:origLink></item><item><title>DAMS and AUDIT_SYSLOG_LEVEL</title><link>http://feedproxy.google.com/~r/orana_security/~3/tH1Nj2UIpM8/</link><category>Uncategorized</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Wright</dc:creator><pubDate>Wed, 05 May 2010 15:59:21 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/41f69e905b3c7453</guid><description>The dust has settled after Infosec  and so what remains must by definition be memorable. In my case, I remember discussing the etymology of the word Oracle with a charming marketing exec. Yes, even before the Greeks, Alexander consulted Amun’s Oracle at Siwa and it must have been good advice as he went onto [...]&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/tH1Nj2UIpM8" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.oracleforensics.com/wordpress/index.php/2010/05/05/dams-and-audit_syslog_level/</feedburner:origLink></item><item><title>Public Demonstration of PFCLScan in Edinburgh Thursday May 13th</title><link>http://feedproxy.google.com/~r/orana_security/~3/O4zu4Wagx8I/00001319.htm</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">(author unknown)</dc:creator><pubDate>Wed, 05 May 2010 05:56:33 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/8d0eccf39d38a465</guid><description>&lt;p&gt; We have demonstrated our database security vulnerability scanner product to a lot of our customers and partners customers over the last few months and the reactions and feedback have been amazing. 
The product has two major modes, which map to....&lt;a href="http://www.petefinnigan.com/weblog/archives/00001319.htm"&gt;[Read More]&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Posted by Pete On 05/05/10 At 01:24 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/O4zu4Wagx8I" height="1" width="1"/&gt;</description><feedburner:origLink>http://www.petefinnigan.com/weblog/archives/00001319.htm</feedburner:origLink></item><item><title>The Age of Scroogle</title><link>http://feedproxy.google.com/~r/orana_security/~3/0KTO8BbFB6Q/the-age-of-scroogle</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Deborah Volk</dc:creator><pubDate>Wed, 28 Apr 2010 16:27:00 PDT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/d4355c0feb0d08e9</guid><description>I hear that the Age of Facebook is upon us. While I was busy tending to my identity and access tomatoes, the new dawn has been declared. Apparently right outside my window there be walking people whose identity has been sucked into a space-time deviation yet they're blissfully unaware of this. For those of you in the know (read:&lt;i&gt; in the possession of a secret handshake&lt;/i&gt;), the Age of Aquarius is really where things have been happening for a while but I digress.&lt;br&gt;&lt;br&gt;Astrology and social networking aside (&lt;i&gt;wait, aren't they one and the same?) &lt;/i&gt;I think we're in the Age of Fast, Faster and Oops-Reboot-Button-Really-Works. The immediacy of content and the ease of access leads to different expectations versus those that existed merely 5-10 years ago. We want our movies streamed on demand with no network lag, our books in some digital iFormat, our identities to be portable yet private, our chicken wings to taste like 5-star French restaurant fare...&lt;br&gt;&lt;br&gt;Who's to blame for this massive shift of the entitlement scale? I would like to blame the aliens but those folks at SETI are awfully slow so I will blame Google. 
To be more exact, I will blame it on their unwavering belief that a simple search box can yield the answers to just about anything. Once they had consumers convinced, they started replicating the idea everywhere. Notably in GMail one can find emails by combining a few simple and easy to remember operators. For example, to find all messages sent to you from anyone at identigral.com with an attachment, you could enter  &lt;i&gt;from:*@identigral.com has:attachment &lt;/i&gt;into the search field and voila, you're showered with text. &lt;br&gt;&lt;br&gt;Now transport yourself back to the land of identity management. A typical IAM application is a bunch of tomatoes on top of a large database (&lt;i&gt;LDAP is only a protocol, don't fool yourself&lt;/i&gt;). The content in the repository has a lot of value but only when it's appropriately harvested, extracted and made available in a cupcake format. If there ever was an enterprise application ripe for a pervasive search-as-an-interface-to-everything disruption, IAM is it. &lt;br&gt;&lt;br&gt;Have you ever had to run a report in your identity or access management tool? Say, give me all users who have been provisioned to Active Directory in the last week. Given a reporting requirement of any sizeable complexity the implementation task would end up being either a nasty SQL query directly to the database or a mini-marathon with a reporting solution. &lt;br&gt;&lt;br&gt;Enter Scroogle (pronounced&lt;i&gt; SCROO-gul), &lt;/i&gt;a kinder, gentler and an entirely textual solution to the reporting problem. Scroogle is a search engine that would be embedded into an identity or access management product. Instead of fiddling with reporting knobs or trying to decide between left and right outer join (&lt;i&gt;both are charities for circus acrobats if you ask me&lt;/i&gt;), one would use a very compact domain-specific language a la GMail operators to get results. 
For example, the Active Directory report above might look like &lt;i&gt;has:AD status:Provisioned when:last week. &lt;/i&gt;Right now Scroogle is a figment of my imagination but I am sure IAM product vendors reading this blog will take notice and "borrow" my idea. All I ask in exchange is a six-figure royalty check paid in gold bullion. &lt;br&gt;&lt;br&gt;P.S. &lt;a href="http://scroogle.org/"&gt;Scroogle&lt;/a&gt; is actually a very real and useful ad-free Google proxy service&lt;br&gt;&lt;br&gt;&lt;img src="http://feeds.feedburner.com/~r/orana_security/~4/0KTO8BbFB6Q" height="1" width="1"/&gt;</description><gr:likingUser xmlns:gr="http://www.google.com/schemas/reader/atom/">01650591144795892004</gr:likingUser><feedburner:origLink>http://identigral.com/blog/2010/04/28/the-age-of-scroogle</feedburner:origLink></item></channel></rss>
