Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

VeriSign boosts security with iDefense acquisition

I was made aware of the fact that the security company iDefence was recently purchased by Verisign for $40 Million. Joris Evers has written a news article titled "VeriSign boosts security with iDefense acquisition". Verisign has acquired the Security intelligence specialist for $40 Million cash. Verisign has said it will be better placed to protect its approximately 1000 managed services customers. This is quite an interesting development especially considering my post yesterday about iDefence "iDefense ups the bidding for bugs".

Grid Group Issues Security Requirements

I saw an interesting news item by Lisa Vaas on eWeek a few days ago and made a note to have a look. The article is titled "Grid Group Issues Security Requirements" and talks about a recent development by the Enterprise Grid Alliance to release a set of security requirement documents that discuss potential grid related security holes and how to patch them. One example is provisioning and de-provisioning of grid components where the media needs to be wiped of any sensitive data. This is an interesting article that has implications for Oracle and its Grid product direction.

iDefense ups the bidding for bugs

When reading the article written by Mary Ann Davidson last night I made a note of a link in it about idefense. The news report is written by Joris Evers and is titled "iDefense ups the bidding for bugs". This is an interesting article for a number of reasons. Firstly iDefense has offered money for details of security bugs that it can then pass on details of to its clients and also break the news to the public when the bugs are fixed. This is not just about bugs in Oracle of course but security bugs in any software product.

iDefense have increased the money they are willing to offer because their rival Tipping point started to offer rewards for pinpointing bugs. This means that hackers can legally earn money for their efforts in finding bugs. Mary Ann talks about researchers threatening to sell details of unfixed bugs to iDefense if Oracle did not provide a fix in a certain time scale. If the market for selling details of bugs evolves then hackers and researchers are likely to report bugs to the vendor (or not!) and simply sell them on to companies like iDefense anyway simply to earn money. This could happen more and more regularly. This could be a worrying trend for software manufacturers. Potentially a lot of their customers (and rivals?) could become aware of the details of vulnerabilities that vendors are not fixing fast enough. We could end up with a two tier society of a software vendors customers, those that know about the bugs (because they subscribe to companies such as iDefense) and those that do not know about the bugs. If companies have outstanding lists of bugs that need to be fixed and if more and more researchers sell details of bugs would we end up in a situation where vendors would recommend their customers to subscribe to companies such as iDefense even if they themselves do not give out advance details of bugs?

Mary Ann Davidson fights back - When security researchers become the problem

I just saw that Mary Ann Davidson - Oracle's Chief Security Officer - has written a news article for news.com titled "When security researchers become the problem". This is a very interesting article and is quite clearly a rebut against recent challenges to Oracle to fix bugs more quickly by releasing advisories for unfixed bugs. This is a good article where Mary Ann tries to defend her position whilst attacking the position of those who have released details of exploits. It is also interesting that she tries to justify Oracles timescales which is fair enough - her argument is good but she doesn't actually explain why it takes 2 years to fix bugs.

The article doesn't mention the recent problems with the April CPU and subsequent problems with the fixes to the April CPU or the issues raised by Cesar on the July CPU. It also doesn't say when the outstanding lists of bugs on the likes of Alex, David Litchfields and Argeniss's sites will be fixed, a lot of which were reported more than one year ago.

The article has a link at the bottom where it is possible to leave a comment for Mary Ann.


Oracle's encryption not secure, researcher says - Alexander Kornbrust plans to detail his findings at Black Hat

Rado has made a post in my Oracle Security Forum today titled "Alexander Kornbrust - Black Hat 2005 Presentation" that raises some good points about the effectiveness of the security imposed by Oracles built in database encryption methods. He is referring to Alex's presentation at the Black Hat conference going on now in Las Vegas. He also mentions a news article written by Robert McMillan on Computer World titled "Oracle's encryption not secure, researcher says - Alexander Kornbrust plans to detail his findings at Black Hat".

This news article starts by talking about the content of Alex Kornbrusts presentation at Black Hat in Las Vegas where he is going to say that Oracles standard database encryption mechanisms are weak and can be easily circumvented. Alex says most customers think that if they encrypt data with Oracles tools then it is safe - He says that this is not the case and a hacker can easily retrieve data such as credit card numbers from production databases. There are some interesting reactions from Paul Needham, the Oracle director of product management and some discussions about TDE and its cost per processor. This is a good article and worth reading. It is a two page article and page two is here.

Oracle Patches Its Security Patches - Database patches fix flaws found in previous fixes

I found a news article on Monday night on PC World.com. The article was written by Matthew Broersma of Techworld.com and was published Monday 25 July and is titled "Oracle Patches Its Security Patches - Database patches fix flaws found in previous fixes". This is an interesting news article that sums up quite well the embarrassing problems Oracle seem to be having recently with its patch releases. The author says that Oracle has supplied recently a patch for a patch for a patch...

The article goes on to discuss Oracle's woes and also a new security issue in MySQL.

New Oracle Security Forum opened

I have over the weekend installed forum software on my site so that I can host an Oracle security forum. This forum is now live and open for questions, comments and anything Oracle else Oracle security related. Please have come and have a look and join in if you wish.

The Oracle Security Forum has a General section for news about the forum and site and also for posting feedback, an Oracle Security section that includes sections for anything Oracle security (anything related to Oracle security, auditing databases, features functions ect), application server security (anything security related to the security of the application server), Oracle security tools (talk about tools, scripts, announe new scripts and tools), Oracle internals (anything hard to find, undocumented or internal) and finally an Oracle security jobs section (if anyone needs Oracle security professionals or has jobs available then post here. Also if anyone is looking for work in this field then you can post requests).

There is also a general security section to discuss anything security related that is not directly Oracle.

OK, the the Oracle Security foum is up and available.

[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package

I also noticed another post to the bugtraq mailing list this evening from Cesar Cerrudo of Argeniss titled "[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package". The post describes the issue that Esteban Martinez Fayo found some months ago in the package OLAPSYS.CWM2_OLAP_AW_AWUTIL. Basically Oracle told Esteban that the issue was fixed in the July CPU but when he tested a patched 9iR2 system it was not fixed, 10gR1 was fixed. Esteban and Cesar contacted Oracle's security team and asked why it was not fixed, the said "Our development teams neglected to do the backports. We are working on creating those backports now". Oracle has said the issue will be fixed in the October CPU. Argeniss say this is high risk vulnerability and Oracle should care more about protecting customers so they have released a workaround in the meantime. This workaround can be found here : http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql

This workaround uses a procedure to loop through all users and roles granted execute privileges on CWM2_OLAP_AW_AWUTIL and also from PUBLIC. Beware that running this could break applications that depend on these execute privileges. The script states this at the top.

Oracle's correction to the April CPU patch email has been posted to Bugtraq

I saw a post to the Bugtraq mailing list this evening that attracted my interest. The post is titled "Critical Patch Update April 2005 for Database 9.2 and 10.1 Update - Correction". I talked about this issue yesterday in a post titled "More problems with the April Critical Patch Update - does it ever stop?".

The post to Bugtraq is the email that was sent out to all Oracle customers who had previously received the email on July 6 or 7 stating that the April CPU patch set had problems. This email as you will read corrects the problems with the fix in the July 6 / 7 email.

Oracle Confirms Holes in Two Latest Patch Sets

Lisa Vaas has released a news article this evening (22 July 2005) titled "Oracle Confirms Holes in Two Latest Patch Sets" that details the ongoing problems Oracle seem to be having with their latest two patch sets. Basically Oracle released April's Critical Patch Update (CPU) fixing 70 bugs and then in early July Oracle sent out two emails detailing problems with the patch. Oracle has now sent out a new email detailing why the fixes for the April patch have still not worked. Also the July CPU has its own problems. Oracle re-issued the patches only a few days after the original release. A researcher Cesar Cerrudo has also identified a problem with the July patch and also there are performance issues related to the July patch reported on Metalink.

The news report goes on to discuss the problems with the patches and also the state of Oracles patching process. Lisa also quotes Alex and myself about the issue of whether these emails are phishing attempts. There is also a discussion about the fact that Oracle has not disclosed these latest flaws in their patches on OTN or Metalink. This article is worth looking at.

David Litchfield sets the record straight

Alex let me know about a post by David on the Bugtraq mailing list that sets the record straight about his own issues with Oracle and bugs at last years Black Hat conference. The post is titled "Oracle and setting the record straight". Basically David is saying that it has been reported in a few places in the last few days because of Alex's advisories that David supposedly did the same thing a Black Hat last year. David did not release any information about unfixed bugs last year at Black Hat. Read the full bugtraq post for the background to this. I have not re-read my own posts here but I think I am also probably guilty of propagating the myth that he did release information - If I did then I apologise to David for this error.

More problems with the April Critical Patch Update - does it ever stop?

Today Oracle has sent out yet another email to customers who have previously downloaded the April 2005 CPU patches to let them know that there are yet more problems with it. The email starts by saying that if you have installed the later July CPU patch set then you do not have a problem. This email follows two previous emails from Oracle that concerned problems with the April CPU.

I wrote about this issue at the time - "Oracle have issued an email alert that CPU April 2005 is vulnerable to exploit" and "Oracle have issued a second email with another exploitable vulnerability in 10.1.0.2 in CPU 12APR" and also "David Litchfield has released an advisory for the recent CPU 12 April vulnerabilities" and finally "Is it possible to check whether Oracles CPU update emails are *real*?".

The email sent out today goes on to say that the recipients are getting the email because they received the email titled "Critical Patch Update April 2005 for Database 9.2 and 10.1 Update" sent out on July 6 or 7. That email said that a step was missing in the upgrade that caused a jar file to not be loaded to the database. That email gave instructions on how resolve the problems with the April Critical Patch Update.

This email now says that there were two problems with the last correction email. The first is that it said that database version 9.2.0.6 was affected. This is not now the case. Only versions 9.2.0.5 and 10.1.0.2, 10.1.0.3 and 10.1.0.4 are affected.

The email then goes on to say that the steps detailed in the previous correction email were themselves not correct. This current email now details the correct procedure and commands. The email also states that another work around is to apply CPU July as this includes the correct fix.

A list of all the news articles about Alex Kornbrusts advisories

OK, last post on this subject, I promise (I might be lying though :)) - I have never seen so many news articles about one Oracle security subject. I had planned to list all of the news articles that I had found and those that Alex found here as a record of the story. But Alex beat me to it and created a Red Database Security in the news page that now looks more impressive than my in the news page. So there is no real point in me recounting the whole list here. If anyone would like to read a large quantity of news reports about Alex Kornbrusts six advisories for bugs that have not been fixed then please visit his Red Database Security in the news page.

An Oracle spokeswoman speaks to TheAge

An interesting article has appeared on TheAge about the recent advisories released about 6 unfixed Oracle bugs. This article is titled "Researcher bugs Oracle over unfixed flaws" and was written by Sam Varghese. This article needs registration on TheAge's website to be able to read it.

The interesting thing in this news item is the fact that an Oracle spokeswoman was named who gave some comments to the author. She first said (paraphrased) that when security vulnerabilities are found and reported that Oracle responds quickly to ensure that customers data is protected. This does not obviously sit well with the fact that these bugs were reported about 2 years ago.

The spokeswoman, Tracy Postill then said that Oracle take security seriously and that their first priority is to reduce customer risk and that Oracle's policy is t fix security bugs in a priority order, the highest risk bugs first. She then advised anyone who finds a bug to inform Oracle and that they are disappointed that any disclosures have been occurred.

This response from Oracle is strange for a couple of reasons. First they say they fix bugs quickly to protect customers but why did they not act for two years with these bugs. Secondly if they fix bugs in severity order then they must have a list of higher risk bugs that need to be fixed first if these bugs have been held up. Remember one of these can be exploited remotely. Also why did Oracle release fixes for bugs that are clearly a lower risk in CPU July 2005? I would say the bugs "Jdeveloper stores passwords in plaintext in different files" and Oracle Formsbuilder stores plaintext password in a temp file in c:\temp are lower risk than those talked about by Alex in his advisories.


More trouble looming for Oracle? - Black Hat is next week - there are 4 talks about Oracle Security

In the wake of Alex Kornbrusts advisories yesterday follows the Black Hat USA 2005 conference in Las Vegas starting next week. Four of the presenters (That I know of) will be talking about Oracle security issues. Some of these look like they may also be controversial.

Judging by the number of news articles published (I have never seen to many about one Oracle security issue - I still have a list of quite a few more that I will report here later) about Alex's advisories I would say Oracle could do without any new revelations next week. The Black Hat briefings have been used in the past to disclose Oracle vulnerabilities.

The four speakers are:

Alexander Kornbrust : Circumvent Oracle’s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms - Alex will talk about the architectural flaws in Oracles database encryption packages DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT. Alex will show how the encryption key can be "sniffed" and also if a flexible key algorithm is used how the algorithms can be reverse engineered.

Esteban Martínez Fayó : Advanced SQL Injection in Oracle Databases - Esteban will talk about new ways to attack Oracle databases and advanced SQL injection in particular. He will also show how to see the internal PL/SQL code in Oracle built in procedures that is vulnerable. he will show some attacks and also how to protect from them

Cesar Cerrudo : Demystifying MS SQL Server & Oracle Database Server Security - Cesar will talk about the security differences between MS SQL Server and Oracle and talk about how each vendor deals with security issues and patches.

David Litchfield : All New Ø-Day - Details of David's talk are not on the Black Hat site but I can be sure that he will talk about Oracle as he usually does. David has a wild card and doesn't usually announce what he will talk about. I thought I heard that he will talk about patch management - but I cannot remember from where - maybe this is true with his recent discovery about CPU April 2005.

The Register talks about the bugs

Robert Lemos of Security focus has an interesting angle in his news article "Oracle taken to task for time to fix vulnerabilities". In this article a detailed discussion of Alex's advisories takes place along with some insight into the length of time taken and also a quote from an Oracle source. Finally the interesting point is in relation to the fact that evidence shows that announcements like this have a negative effect on the share price of the company involved. This was the case for Oracle.

Oracle researcher announces high-risk database flaws

Shawna McAlearney the news editor at SearchSecurity.com has written an article today titled "Oracle researcher announces high-risk database flaws" where she has interviewed Alex Kornbrust. Shawna talks with Alex about his decision to release the advisories and also about it not being just his issue. He cites similar problems with other researchers. Shawna finishes with a quote from Alex:

"Customers should also ask Oracle why does it take so long to fix security issues," Kornbrust concluded. "Is Oracle's security team too small to handle all these issues?"

This is a nice interview from Shawna.

A couple of bloggers talk about Oracle's unpatched bugs

I found a couple of bloggers talking about the un-fixed security bugs found by Alex. These are "Oracle Vulnerabilities" by Amit Riswadkar - he talks about the fact that Oracle criticised Alex for releasing the information but says that hackers might simply find it out themselves anyway. He then goes on to talk about Oracle changing its licensing policy for chips with multiple cores.

The second blog I found is "Oracle replaces 'unbreakable' with 'unpatchable'" posted on Silicon valley Sleuths blog. It first talks about Oracle's unbreakable marketing and then Oracle's backlash to Alex.


Oracle Simplifies SOA, Web Services Security

I found a short news article on IT Observer this evening published on Monday 18 July and titled "Oracle Simplifies SOA, Web Services Security". This article talks about Oracle's recent announcement of the first industry standards based business process platform that simplifies web services and security oriented architectures. This is the integrated components of Oracle Fusion. The article talks about the technology and benefits.

Why it is important to encrypt credit card information

Alex pointed me at a good article on TheRegister yesterday. This article is written by John Leyden and published Tuesday 19 July 2005 and is titled "Visa cuts CardSystems over security breach". This article talks about a card processing firm that has been dumped by Visa for allowing card numbers to be disclosed from its systems. The company should not have even had the card details in its systems. The company held the data unencrypted and security vulnerabilities allowed the car data to be stolen.

Even though the article doesn't actually say that the data in question was held in a database or even if it was then whether it was an Oracle database. That said this is still an interesting article for anyone running an Oracle database and storing in that database critical data such as credit cards. It is a lesson in why credit card data should be encrypted.


Oracle dragging heels on unfixed flaws, researcher says

Following on from Red Database Security's announcement yesterday of six security bugs in Oracle's products that have not been fixed is a news article about this by Joris Evers of CNET. The article is titled "Oracle dragging heels on unfixed flaws, researcher says".

The article starts by saying that Oracle has some serious un-patched flaws in its software that they have known about for about two years. The article includes a conversation with Alex Kornbrust who revealed the bugs to the world. Alex talks about the seriousness of the bugs and also how he tried to pressure Oracle into releasing fixes. Oracle did not comment on the release but said it believes that details of bugs should not be revealed until patches are available. A spokesperson said:

"We are disappointed when researchers act contrary to this industry best practice"

Joris also interviewed Steve Manzuic of Eeye Digital Security and also Michael Sutton of iDefense. Joris also interviewed me about this release and I am quoted as well (I have updated my in-the-news section to include links to this article)

Alex found a lack of response from Oracle on fixing these bugs. I asked him this morning about Oracle's spokesman's response in this news article and he said:

"Oracle should know it better. They are a core member of OIS. The OIS suggests to send status updates every week."

Again as I said yesterday anyone using Forms or Reports is advised to follow Alex's workarounds.

Sun has released an alert notification (15 July 2005) about multiple security vulnerabilities in Oracle affecting SunMC

Sun has released an alert notification (Sun Alert ID 101782) dated 15 July 2005 and titled "Mulitple Security Vulnerabilities in Oracle Affect SunMC" - The synopsis states that unprivileged local or remote users can execute arbitary code on Solaris systems which have installed and enabled Sun Management Center (SunMC). The SunMC software runs typically as the user "smcorau" which is unprivileged but it uses the Oracle listener. Therefore it is affected by multiple listener vulnerabilities in Oracle Alert #68. This affects SunMC 3.5 on Solaris 8,9 and 10 that have not had Sun patch 118829-04 applied.

Sun recommends installing patch 118829-04 or later and also installing Oracle's latest Critical Patch Update.

Why release a note now about bugs in Alert #68? - This could be symptomatic of a bigger issue. How many companies use Oracle because another supplier uses it and its part of some other software? If the supplier assumes the person running it has patched or vice versa - then how many Oracle systems are out there not patched?

A Russian language news article about unfixed Oracle security bugs disclosure

There is a news article in the Russian language about Red Database Security's disclosure of 6 unfixed security bugs today in Oracle's products. The article is titled "Множественные уязвимости в продуктах Oracle" and it summarises Alex's bugs with some examples. It is possible to translate the page into English by using babelfish - just add the URL in the relevant box and choose Russian to English. This is a very useful site by the way. The translations nowadays are not bad from one language to another.

Red Database Security releases security advisories for high risk unfixed Oracle bugs

Today Alex Kornbrust has released new advisories for security bugs that Oracle has not fixed and has known about in most cases for around 2 years. The longest period is 718 days and the lowest 663 days. Three of the bugs are high risk, two that are medium risk and one that is low risk.

This is what Alex said in his announcement:

"3 months ago (15-april-2005) I informed the Oracle Security Team (secalert_us@oracle.com) that I will publish bug details if the bugs are not fixed with the next critical patch update (CPU July 2005). I know that Oracle products are complex and a good patch quality need some time. That's why I offered Oracle additional time if 3 months are not sufficient for fixing the bugs. Oracle never asked for more time.

Oracle's behaviour not fixing critical security bugs for a long time (over 650 days) is not acceptable for their customers. Oracle put their customers in danger. At least one critical vulnerability can be abused from any attacker via internet.

I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories.

Kind Regards

Alexander Kornbrust



The bug details are:

"Overwrite any file via desname in Oracle Reports" - high risk - a hacker can overwrite any file on the application server (Windows) and any file owned by the Oracle software owner (Unix). Alex provides a work around but no exploit although the exploit is obvious.

"Run any OS Command via unauthorized Oracle Forms" - high risk - A hacker can create a special form that allows him to run OS commands as the Application server owner. The hacker needs to upload the form but complete server control is possible. Alex gives an example and workaround.

"Run any OS Command via unauthorized Oracle Reports" - high risk - This issue is essentially the same as the one above but this time for the Reports server - Again Alex gives an example and workarounds.

"Read parts of any file via desformat in Oracle Reports" - medium risk - In this bug the parameter desformat can be used to display the contents of any file on the server. Alex gives an example and a potential workaround.

"Read parts of any XML-file via customize parameter in Oracle Reports" - medium risk - The parameter CUSTOMIZE can be used to read any file on the server. Again Alex gives an example and also a workaround.

"Various Cross-Site-Scripting Vulnerabilities in Oracle Reports" - Low risk - In this advisory Alex shows some 4 examples and this time no possible workarounds.

This is a significant announcement as Alex has told us about 6 security bugs that are not fixed (let's re-iterate, these are not fixed) and he tells us that Oracle are not interested in fixing these bugs. If you use Oracle Forms or Oracle Reports or any product that uses them in the background then you need to be aware of these bugs as your systems are in danger. Please use the workarounds suggested and ask Oracle for proper patched fixes. If your systems are internet facing then be aware that each of these advisories includes enough information to exploit them and that hackers will find your systems using Google hacking techniques.

More news on silent fixes in CPU July 2005

I was searching technorati.com and found a blog entry about Alex's silent security bug fixes done in the latest Critical Patch Update. The post is a copy of a bugtraq entry titled "AW: Silently fixed security bugs in Oracle Critical Patch Update July 2005".

This post is Alex's original announcement in the Bugtraq mailing list and David Litchfield’s reply to him and the list and Alex's subsequent reply. Basically the DAV_PUBLIC bug was fixed in "Alert 52, Security Vulnerabilities in Oracle9i Application Server" (dated 2003) and this is what David was reporting to the list and Alex. So at least this bug was not fixed silently after all.

OK, so the DAV_PUBLIC bug was found by Mark and David Litchfield and fixed two years ago in a previous patch. So maybe I am missing the point but why is it mentioned again (at least in the patch readme files) for CPU July 2005 two years later?

A good German new item on CPU 12 July 2005

Alex sent me over a link to a good German language news item about the latest Critical Patch Update. The article is titled "Verwirrung um Oracle-Patches" which translates to "Confusion around Oracle patches". This short article summarises the email sent out today by Oracle telling customers to re-apply the patches, Alex's discovery of undocumented security bug fixes and also Cesar Cerrudo's finding of a fix that has not been done in the patch set.

Oracle are asking customers to download CPU July 2005 for 10.1.0.x again as there is a problem

Oracle has sent out an email to all customers who have downloaded the July 2005 Critical Patch Update for Oracle 10.1.0.3 or 10.1.0.4 before the patch was re-uploaded on July 13 or July 14 depending on the platform involved. This email went on to say that the reason for the updating of the patch already is that a problem was found that when a new database is created when it is discovered in Enterprise Manager it can show a state of pending, the issue affected all platforms but if Enterprise Manager is not used then there is not an issue. Oracle goes on to say that if you have not already applied the patches then make sure you get the latest ones and apply them, if you have already applied the patch the download them again and re-apply them.

I was trying to find out if this email can be backed up from other sources. I checked the advisory and found that no updates had been applied to the actual advisory, the same with the security alerts page on OTN. I also checked out Metalink headlines and the advisory there on Metalink, again no updates referring to this issue. When I checked out the actual patches on Metalink the last update dates where 14 July and 13 july. So I guess this email can be confirmed by this fact.

If you have downloaded the patches for 10.1.0.x before 14 July then you should check that you have the correct versions and re-apply newer ones if necessary.

Oracle has been silently fixing security bugs in CPU July 2005

It looks like Oracle have been fixing security bugs in CPU July 2005 that are not included in the bugs listed in the risk matrix's that are in the advisory released on Wednesday. This fact has been discovered by Alex and I have been discussing this with him for a couple of days now. This is not a new phenomenon as other patch sets and point increases in version have also silently fixed security bugs.

Alex has issued a paper today titled "Oracle CPU July 2005 - Silently fixed bugs" that discusses this issue in relation to CPU July 2006.

What is the issue here? - are Oracle silently fixing security bugs reported to them or are these internally found security bugs? - maybe, the issue is that the bugs found are not reported as security bugs in the first place and they then go though the system remaining as non-security bugs? - but why then are there so many found by Alex this time in this CPU?

Internet News talks about Oracles latest Critical Patch Update

I was looking around the net tonight at all the usual suspects looking for any new Oracle security news when I found another news story about the July CPU published today, 14 July, written by Jim Wagner and titled "Oracle Issues Critical Patch". This article starts with some facts gleaned from the CPU July advisory and then goes on to quote CERT's response to the patch set and advisory. There is then some very interesting discussions on Oracles non-disclosure policy and some comparisons are made with other manufacturers such as The Mozilla Foundation and also Microsoft. Michael Sutton is quoted as saying Oracle do not make it easy for customers to decide what to patch as there is not good enough information released to allow customers to decide whether to patch or not. He goes on further to talk about patch reverse engineering to find out what is fixed and that this method can be used to write exploits by hackers.


Same problem again as April CPU - CPU July 2005 failed to fix a bug it says it did fix

I got an email this afternoon from Cesar Cerrudo of Argeniss about my post yesterday "SearchSecurity.com has a good news story about CPU July 2005" - Cesar was quoted in the news article as saying that his opinion was that Oracle's CPU patches should not be applied to production until they had been tested for a few months first. Cesar wanted to comment further on my point that it is better to install the patch now even if it could have problems like the CPU April patch did. I said even if something is not fixed it is better to at least have fixes for the other issues that are corrected properly. Cesar said this to me;

"I know that applying a patch no matter if it won't fix some vulns it's better to not installing at all, but this is on a "perfect world" which is far from "Oracle world". Basically i recommended to not install the Oracle patch because April CPU failed to fix some bugs and this "clearly" indicates that Oracle is not doing at all QA on patches! so the better thing that can happen to you is that the patch fails to fix a bug, but what about if after you applied the patch the system doesn't work any more and you have to have a production system down for a couple of hours, i know this is an extreme scenario but on "Oracle world" this could happen, people must be very careful when applying Oracle patches."

I can see Cesar's point but I think I would still say that applying the security patches earlier to production, rather than waiting for months for thorough testing is a risk that has to be taken. If a patch fixes 50 bugs (I know litterally no one would benefit from all 50 bug fixes due to product choices and implementations) then most customers would get quite a few fixes. But Cesar is right to worry about any other risks of applying patches without testing first. The biggest risk of all is that you can take a risk to apply the patch and then find that it did not actually fix the bugs it was supposed to. This is what Cesar went on to tell me:

"Let me tell you a little secret, guess what? Oracle did it again! July CPU doesn't fix one of the bugs on 9iR2 but it does fix it on 10g, the risk matrix is wrong because it says that the Earliest Supported Release Affected is 10g but 9iR2 is affected(prior versions could be affected also, we are still working on this), so Oracle has left 9iR2 users unpatched, we will release more info about this later."

This is bad news for this CPU. I for one am looking to Cesar and his guys to release information on this quickly so that everyone can get a new fix from Oracle.

Oracle Simplifies SOA Security

Whilst searching for news articles this evening about the latest Critical Patch Update July 2005 I found this article by Darryl K. Taft posted today 13 July and titled "Oracle Simplifies SOA Security". It starts by saying that Oracle have announced today an integrated business process platform intended to simplify the security of SOA and Web services. The article talks about a tight integration between the BPEL process manager and the Oracle web services manager to provided end-to-end security and management. This is a very interesting news item and it says that this new initiative should help provide secure web services without hard coding security policies, location transparency, transformations and version control. The article goes on to talk about the fact that Oracle are also stealing the march in the identity management area with its recent purchase of Oblix. It goes on to talk about seven integrators who have signed up to Oracles new identity management product included as a core component of Oracle Fusion. These seven integrators used to work with Oblix.

As I said an interesting news item for Oracle and security.

SearchSecurity.com has a good news story about CPU July 2005

Shawna McAlearney, a news editor with SearchSecurity.com com has written a nice article titled "Oracle issues patches, but misses the mark, again". This news article is good because its the first I have seen that expresses some opinion and of course because it quotes me..:-) - well maybe not!

The article starts by saying how many bugs have been fixed and also the fact that many outstanding security bugs have not been fixed and a second concern that at least one fix from the last patch didn’t work. Then there are some quotes from me and then from David Litchfield and finally from Cesar Cerrudo who recommends that the patch sets should not be installed on a production server until they have been tested for a few months. I am not sure I would go this far. Installing the patches even if some fixes do not work as announced as seen in the last couple of weeks for the last patch set is surely better than not installing at all. The patch sets will fix more than they miss. Although I can see Cesars point of view that if even one bug fix does not work properly then the patch is essentially useless. It is all down to Q&A as Cesar says.

Read Shawna's article, it’s very good. I also updated my Pete Finnigan in the news page.

Computer World is also talking about CPU July 2005

I just found another news article on Computer World written by James Niccolai and titled "Oracle releases critical security updates - Quarterly batch includes nearly 50 patches". This is like the ZDNet article quite short and sweet. It starts off by talking about the release yesterday of CPU July 2005 and then talks about Oracles reasoning for adopting a quarterly patch release schedule. It goes on to discuss the products affected and points out that a large number of the fixes are in E-Business Suite.

ZDNet news talks about the Critical Patch Update 2005

I was browsing some news sites and found an article written by Renai LeMay for ZDNet Australia and published today 13 July 2005. The article is titled "Oracle update fixes security flaws". The short article mainly talks about the issued found by Stephen Kost of Integrigy Inc based in Chicago. He says that there are a number of high risk SQL Injection and parameter manipulation vulnerabilities in the E-Business Suite. Stephen added that it is possible for an attacker with only a browser internally or externally to execute malicious SQL statements as the APPS database user.

Security advisories released detailing 4 of the bugs fixed in CPU July 2005

Alex emailed me this morning to let me know that he had put his 4 security advisories on his website this morning. These are for 4 bugs he found in Oracle's products that have been fixed in the CPU July 2005 patch set released yesterday. Alex's Published Security Alerts page lists all 4. The bugs are:

"Oracle JDeveloper passes plaintext password" :- This bug is low risk and involves password and username leakage when a program such as SQL*Plus is started externally. The advisory gives an example and a workaround - do not start SQL*Plus from JDeveloper.

"Oracle JDeveloper Plaintext Passwords" :- This bug is low risk and involves un-encrypted database passwords being leaked from three configuration files - IDEConnections.xml, XSQLConfig.xml and settings.xml - Alex gives examples of all three.

"Oracle Forms Builder Password in Temp Files" :- Again this is a low risk bug and involves a bug where Formsbuilder creates temp files that contain the current database username and password for the connection used. When formsbuilder is closed these files are not deleted. Alex points out the bug was introduced as part of a fix for a previous bug (clear text passwords in the Apache log file). Again Alex gives an example and a workaround. The Workaround is to set the environment variables TMP, TEMP and TMPDIR to a secure location and delete the temp directorys on a regular basis.

"Oracle Forms Insecure Temporary File Handling" :- This bug is a medium risk one and involves a data leakage issue in Oracle Forms. If the number of records returned is greater than the parameter buffered records then Oracle stores the fetched records locally in a file on the application server. The records are stored un-encrypted (assuming they were encrypted) and the file permissions on the files created allow any Unix user to read the contents. Alex again gives an example and also suggests a workaround. This is to set the environment variables TMP, TEMP and TMPDIR to a secure location and to delete the temp files created on a regular basis.

Again each bug has a time to fix detail added. The shortest is 148 days for three of them and a horrendous 693 days for the Forms unsecured file handling issue. This is quite unsatisfactory for the finder of the bugs (Alex in this case) and also for customers of Oracle's Forms product. It is unacceptable that a security bug remained unfixed for almost 2 years.

Considering there is a large list of unfixed Oracle bugs on Alex's site (35 bugs) and on Esteban Mart�nez Fay�'s site (100+ bugs) plus some on others sites such as NGS Software's (17 bugs) I think Oracle need to seriously look at quickly fixing these outstanding bugs. Many security researchers are most likely aware of what they are and most probably a lot of other people as well. A lot of these bugs are checked for in vendor�s products and also are subject to advanced vulnerability notification services (under an NDA) from others. Just from these three sites there are 152 outstanding Oracle security bugs, quite a lot of them for a long time. Maybe it is time some of Oracle's big customers who demand the highest levels of security from vendors should start to ask Oracle about when these outstanding bugs will be fixed?

Self signed SSL certificates with JInitiator

I saw Wilfred van der Deijl's post to his blog a few days ago titled "Using self-signed SSL certificates with JInitiator" and made a note to go and have a look. Wilfred wanted to test if a performance issue still existed if he used Oracle's JInitiator instead of the Sun JPI. He uses self sign certificates on all non production webservers but he says JInitiator refuses to make connections and fails. He then details the steps to include a self-signed certificate in the JInitiator store.

Wilfred then details the failure conditions and errors and then shows how to get the self-signed certificate and manually add it to the certdb.txt file and then how to close and restart so that it should work. This is an interesting post as its security related and worth reading if you use Oracle's JInitiator.

CPU 12 July 2005

There are 47 security bugs fixed in this Critical Patch Update and these are spread across quite an array of Oracles products. The database is affected for versions 8.0.6, 8i Release 3, 9i release 1 and 2 and 10g Release 1. This time Enterprise manager Grid Control 10g, 10g Database Control and Application Server Control 9.0.4.0(1) are affected. Oracle 9i Application server 9i release 1 and 2 and 10g are affected as are Collaberation Suite release 2 and E-Business Suite and applications 11.0 and 11i. Finally Workflow 11.5.1 to 11.5.9.5, Forms and Reports 4.5.10.22 and 6.0.8.25, JInitiator, versions 1.1.8, 1.3.1, Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2 and Express Server, version 6.3.4.0.

There are no vulnerabilities affecting installed clients that are not accompanied by a database server install. This CPU July 2005 does not need to be installed on client only installations if a previous CPU has been applied or alert #68.

There is a pre-installation note and risk matrix for each group of products. It is interesting to note that Oracle says it has tested each vulnerability in isolation and has not tested for blended attacks using more than one of the reported vulnerabilities.

Quite a few people are credited with discovering bugs. These include Alex Kornbrust, Esteban Mart�nez Fay�, Gerhard Eschelbeck, Stephen Kost , David Litchfield, Michael Murray, Aaron C. Newman and Mike Sues. There are a few new names that we have not normally seen in the recent times of Oracle Security bugs.

It is also quite interesting that this time there are no PeopleSoft fixes included in this patch update.

There are then five sections detailing the bugs found. There is not a great deal of detail as usual. Only sparse mention of components and packages that are vulnerable. Sometimes this is enough to get an idea of the type of bug involved.


A great new free Oracle instance discovery tool - WinSID

I was emailed a few weeks ago by Paul Breniuc who let me know about his new free tool WinSID that can be used to discover Oracle instances. This is a great free tool. The tool does not need an Oracle client and is not a wrapper on top of the Oracle client. It can be used to interrogate the Oracle listener to display information about remote (and local) listeners - For instance services, SID, listener statistics on established connections. The Paul's main page for this tool is titled "WinSID (free) - Oracle instance discovery tools" and it gives some details of the tool and also some graphics of it in use. A great feature is the fact that a working TNSNAMES.ORA connection string is stored in the Windows clipboard. As I said the tool does not use Oracle libraries / OCI etc. It uses native network calls to send packets to the listener in similar manner to tnscmd I assume. The free version does not support all listener commands, the Pro version does. The free version does not support TNSPings but Paul has a free TNSPinger for this - It doesn't look like it has been released yet.

The WinSID tool is available for free download from Paul's site and there is also a professional version WinSID Pro that can scan complete networks looking for Oracle listeners. The free version of WinSID Oracle instance recovery tool is available here.

I have included the tool in the free section of my Oracle security tools page and I must apologise to Paul for not adding it sooner as he emailed me a few weeks ago.

Two security bugs found and reported to Oracle in 10g Release 2 already!

I have been in conversation a number of times with Alex Kornbrust about 10g Release 2 and security bugs in it. Alex has found two new security bugs in 10g Release 2 and has this evening reported them to Oracle's security alerts team. Alex will add them to his list of upcoming alerts soon.

You will understand that i cannot go into explanations or example code here. the descriptions that Alex has come up with are: "unencrypted TDE key in the SGA" and "unencrypted TDE key logged to trace file with special events". These issues are in my opinion high priority considering the effect of leaking a key and the new functionality being heralded. The only saving grace is that it is unlikely that there are many, if any customers live in production on 10g R2 unless there are some beta customers who are using this version.

I was also discussing with Alex my opinion that some of the usual suspects in the Oracle security world should maybe invited to participate in the beta (or even alpha) programs of new releases so that fresh eyes are applied from a security perspective to new versions and new functionality that is going to be unleashed on the public.

The next Critical Patch Update is due tomorrow - 12 July

The time has come around again for the next scheduled patch update from Oracle to be released tomorrow. This will be CPU 12 July. What will be in it? - Only Oracle know that for sure. I am aware of some fixes included as the finders of them have told me. Let's hope that the testing phase has learned lessons from the recent issues (Oracle have issued an email alert that CPU April 2005 is vulnerable to exploit, Oracle have issued a second email with another exploitable vulnerability in 10.1.0.2 in CPU 12APR) advised to Oracle customers via email.

Watch out for the Critical Patch Update - July 2005, it should be out tomorrow.

Paying a ransom to read your data

I saw an interesting short article in the Computer Active magazine today about some research done by a company Websense Security Labs. The article said that a new hacker trend had started where by a hacker gains access to a persons PC via a worm, virus or bug ( in this case it was a bug in IE) and installs some software that encrypts a certain set of files on the unfortunate persons PC, the deletes the originals. Then the hacker leaves a note that says pay a sum of money - a few hundred dollars - and he (the hacker) will send a program that allows the unfortunate persons files to be restored.

The article is a very interesting one. I have no idea how wide spread or not this type of attack is or if it will grow in occurrences. The attack described is aimed at PC's but could move to other areas such as databases, even Oracle databases. What if an attacker, hacker, malicious employee or criminal decided to deprive your company of its data? OK, its not absolutely trivial but he could quite easily encrypt key tables / columns with built in packages such as DBMS_OBFUSCATION or DBMS_CRYPTO and then ask you for money or other goods to be supplied with the key used and also the algorithm used. What can you do to prevent such a situation? A situation like this would never be totally preventable as it could be done by someone with admin access but it is prudent to ban PUBLIC access to these packages and any other encryption routines held in the database. Use audit to know who has done what and when. In 10g Release 2 ensure that no one can add transparent encryption to any critical columns of data. Perform a security audit on your databases or get someone like me in to do it for you and then secure the database.

Is it possible to check whether Oracles CPU update emails are *real*?

I was emailed by Wilfred van der Deijl this morning who asked me an interesting question. He said:

"Just read the notes on your weblog (via orablogs) about the CPU emails. Does Oracle also state if and how you can verify the validity of such emails. I get tons of these emails claiming to be from Microsoft asking me to install or delete something. These are known viruses/hoaxes. How can I make sure that this is not the case with such emails from "Oracle"?"

This is an interesting question. First off I didn't get the emails, Alex did and let me know. The first check is the email headers which show that the email was indeed sourced from Oracle's domain. If it were a phishing attempt the email would be sourced from another domain. I know that these can be forged but there are no other signs of phishing in these emails unlike the emails Wilfred mentions. There are no links to click on asking for username, password info, or asking you to download or install anything. Therefore a mail like this if it were not genuine would not serve much purpose.

The emails do contain instructions though so it could be possible fakes could be made in a similar manner. A hacker could create an email like these and make it look like they were from Oracle and instruct the receiver to make configuration changes or install something. It could therefore be possible for a hacker to send an email to a company that uses Oracle and instruct them to run some devious code (but not obvious code) such as grant all permission to java via a special package:


SQL> exec sys.dbms_java.loadjava('-v -f -r -s -g public rdbms/jlib/CDC.jar');


Thanks to Alex for this example!

In the case of these two emails sent yesterday, I am 99.99999% sure they are real; there are a number of reasons why. First the domain used, second it is possible to run the necessary exploits to check if the emails are true, that is the bugs supposedly fixed are not fixed. Thirdly David Litchfield issued an advisory in this case. In the case of these emails Oracle only issued them to customers that had downloaded the patches. This method means fewer people know about the issues so there is potentially less chance of a lot of bad publicity. I think Oracle should announce these issues on OTN as a new security advisory so that everyone who uses Oracle's products would be made aware. Also the Metalink site should be used.

What could Oracle do better in the future for issues like this? - This is Alex's ideas:

1. Publish ALL security related information on Oracle's website.
2. Sign emails (I believe this is too complicated)
3. Emails should never contain work instructions.

Thanks to Wilfred for the question, it is always worth being vigilant when security is concerned but in this case they are definitely real and everyone who has installed CPU 12 April should follow these instructions.

David Litchfield has released an advisory for the recent CPU 12 April vulnerabilities

I got an email yesterday from Alex to let me know that he had seen the advisory post by David Litchfield to the Bugtraq mailing list. The post is titled "Problems with the Oracle Critical Patch Update for April 2005" and goes on to explain in more detail than Oracle's emails the issues that have been found. He starts by saying he analysed CPU 12 Apr and found that some bugs were not fixed that should have been. The first set of issues are SQL Injection bugs in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE. The issue is that the CPU Apr 12 patch fails to load the newly fixed Java classes.

The second issue is that the CTXSYS.DRILOAD package on Windows 32 and 64 but for 10.1.0.2 is still vulnerable to exploit. A hacker can gain DBA with this package. This bug is caused by the patch copying the fixed file to the wrong location. If the August 2004 or Jan 2005 patches have been applied then David suggests that the exploit will not work for this version.

Oracle should hold their heads in shame on this one. Surely after finishing a patch fix and before release Oracle would test a patched server to see if it is still vulnerable? Oracle's next quarterly scheduled patch is due on July 12 so let's hope there is some quick re-checking going on behind the scenes!

Oracle have issued a second email with another exploitable vulnerability in 10.1.0.2 in CPU 12APR

What a day for Oracle, two security issues have been found in their Critical Patch Update April 12. This does not look good for their Q&A departments after all the good work making better information available with released patches.

This second email has been sent to customers who have downloaded the patch for CPU 12 April for the Oracle database 10.1.0.2 (Patch 4181849 or 4213305) for Windows 32-bit and 64-bit platforms.

It goes on to say that an installation script was missing causing the context component to not be patched correctly. If Context is not installed there is not an issue and it is only a problem for Windows platforms and version 10.1.0.2. If Context was installed I will repeat the suggested instructions here:-

1. Backup of the file driload.pkh from %ORACLE_HOME%\ctx\admin.
2. Copy the file driload.pkh from "%ORACLE_HOME%\rdbms\admin" to "%ORACLE_HOME%\ctx\admin":

>cp %ORACLE_HOME%\ctx\admin\driload.pkh %ORACLE_HOME%\ctx\admin\driload.pkh.back
>cp %ORACLE_HOME%\rdbms\admin\driload.pkh %ORACLE_HOME%\ctx\admin\driload.pkh

3. Startup all the database instances running out of the ORACLE_HOME being patched.
4. For each database instance running out of the ORACLE_HOME being patched, connect to the database using Sqlplus as sysdba and run driload.pkh:


SQL>@?\ctx\admin\driload.pkh


Again Oracle expresses their apologies for this unfortunate issue. If you are familiar with the bugs discovered and fixed in CPU 12 April you will immediately recognise that it’s possible to escalate privileges to a DBA with this package on Windows even if CPU 12 Apr has been installed so it is important to follow these instructions to secure the problem.

Oracle have issued an email alert that CPU April 2005 is vulnerable to exploit

I got an email from Alex Kornbrust this morning forwarding me an email sent by Oracle today 7th July and issued to all Oracle customers that had downloaded the Critical Patch Update for April 12 from their website. I did not receive this email myself yet. The email starts by saying that the person receiving it is doing so because they downloaded CPU 12 April for Oracle database versions 9.2.0.5, 9.2.0.6, 10.1.0.2, 10.1.0.3 and 10.1.0.4. It goes on to say that a step has been missed from the installation script that caused a JAR file to not be uploaded to the database. If you have not installed the JVM then there is no issue.

It goes on to say how to correct the problem after completing the installation of CPU 12 April. First start up the databases running out of the ORACLE_HOME that has been patched. For each database in the ORACLE_HOME being patched connect to the database with SQL*Plus as SYSDBA and issue the following command:


SQL> exec sys.dbms_java.loadjava('-v -f -r -s -g public rdbms/jlib/CDC.jar');


The email goes on to express apologies.

If you have installed CPU 12 April and if you have also installed the JVM then I urge you to follow these above instructions as your database is currently vulnerable.

I have updated my RSS feed to output 40 words instead of 20

I was emailed recently by David to ask if I could increase the number of words in the extract of each article output in the RSS 1.0 feed. The current number of words, 20 was deemed to not be enough to get a good idea of whether the article was worth visiting to read so I have update it to 40 words. I have talked about the same issue in my other blog in a post titled "How many words should the extract in the RSS 1.0 feed contain?" for anyone interested.

I also noted that my last oracle security blog post was doubled as was my last post on my web development blog. I am not sure why this has happened yet, there have been no changes to the setup to cause me to think I had caused it?

Oracle 10g Release 2 is available for Linux X86

I have just seen that Oracle 10g Release 2 is available for Linux X86 - It can be downloaded from here. The date on Oracle's site says 6th July 2005 so it looks like it has been there since yesterday. A number of bloggers including the Amis Blog, Edward Stangler, Justin Kestelyn and Wilfred van der Deijl are all talking about it.

I am finally back in my office and I have just kicked off a complete download of 637MB of zip file, its coming down at 110kb/Sec, so should run for about 1.5 hours. All I then need to do is free some space and reload Linux as my Linux box / main PC crashed some time back irrevocably! So it may take some time to be in a position to load 10g R2 and test it.

Oracle 10g Release 2 is available for Linux X86

I have just seen that Oracle 10g Release 2 is available for Linux X86 - It can be downloaded from here. The date on Oracle's site says 6th July 2005 so it looks like it has been there since yesterday. A number of bloggers including the Amis Blog, Edward Stangler, Justin Kestelyn and Wilfred van der Deijl are all talking about it.

I am finally back in my office and I have just kicked off a complete download of 637MB of zip file, its coming down at 110kb/Sec, so should run for about 1.5 hours. All I then need to do is free some space and reload Linux as my Linux box / main PC crashed some time back irrevocably! So it may take some time to be in a position to load 10g R2 and test it.

Some spiffy new security bits in 10g Release 2

When I read Niall's post "a cure for idiocy" I also saw that it referenced the second part of Arup Nanda's paper on the new features for Oracle 10g Release 2. The paper is called "Oracle Database 10g: Top Features for DBAs - Release 2 Features Addendum - Release 2 Addendum, Part 2: Manageability Features" - What a title!

This paper makes great reading. I will list and make some comments on the security related items as these are the most interesting for me.

ASM Command line tool : ASM is currently administered through SQL commands or OEM in 10g R1 where this new file system management feature was added. A new tool has been added in 10g Release 2, written in perl and called asmcmd. This tool allows a lot of things to be done to the datafiles stored in ASM diskgroups. This tool allows the DBA to give access to the sys admins who are not familiar with SQL and where the DBA does not want to give access to OEM for this purpose. This is a good security idea to limit access to specialised functionality so that an inexperienced person cannot do damage elsewhere. On the flip-side though a more accessible interface (for non Oracle specialists) does provide another avenue for those not familiar with SQL or OEM to mess with the datafiles. Quite clearly the access to these perl commands needs to also be guarded. Any shell scripts created to wrapper access to asmcmd should also be protected.

Direct SGA Access: This is a great (official) addition. It is well known that it is possible to query Oracle's share memory and consequently the X$ tables for a long time in home grown C programs. I have a few links to papers and code to do just this on my Undocumented Oracle page. Oracle Enterprise Manager Grid Control has had direct memory access methods added to it to allow it to automatically access memory on your behalf when the database is hung or too slow. You can also select this access mode in the user interface. I have not seen this myself but from Arup's description I would guess the scope is no where as near to what you can do yourself in C.

Online limit changes: Arup writes that it is now possible to change the values of parameters such as maxdatafiles without having to create a new control file in 10g R1. This means that RMAN will not lose stored information.

Manage multiple objects in OEM : You can now manage multiple objects without the need to create scripts with scripts from OEM Grid Control, this includes compiles, creating DDL and more. This could be a useful feature for effectively managing schemas and objects from a security point of view.

Audit trails in XML: This is a great new feature for 10g R2. Previoulsy if you chose to write audit to the OS for the additional security aspect of doing this (i.e. it is harder for a hacker to alter the audit trail if its on the OS than if it is in the database) then the files were written as verbose Oracle trace files. Now you can set the parameter audit_trail = xml and the parameter audit_file_dest to a suitable directory to get trace files written as standard XML with a .xml file extension. These files can then of course be easily parsed with an XML parser and as Arup points out could be loaded to the database as an XMLType. This would defeat the benefit of storing the audit trail on the OS of course, so whilst it can be useful for managing the audit data to place it into a database, the database used should be an independent one.

Event-base scheduling: The scheduler added in 10g R1 was a useful addition to the databases core functionality apart from early security issues. With 10g R2 it is now possible to trigger the scheduler based on events sent via the AQ mechanism. This could be useful in a security context for generating checks and reports based on actions performed in the database such as adding a user or changing a users privileges.

This is a good paper by Arup and summarises some great new features in 10g R2.

10g Release 2 allows deletion of datafiles

I saw a post on Niall's blog last night about the new ability to drop datafiles in the new Oracle 10g Release 2. This is a great new addition. How many times do you see seemingly extra database, indeed how many times have you done it yourself! - created one that is. Niall's post is titled "a cure for idiocy". This feature should mean that file system layouts are not spoiled from a designed layout. An extra datafile added by accident could be a very slim security hazard because they could end up not being secured properly and be readable or even writable by world. This may not seem to be an issue but any datafile that is writable could be used to exploit a database by crashing it. This feature is an interesting addition.

orablogs is back

I just noticed that Orablogs is back working correctly via its domain name. It looks like Brian finally got his DNS issues sorted out. Great news for those interested in Oracle news and articles.

Reverse engineering patches!

Thanks to Alex for emailing me a link to this great news story. The story is on SecurityFocus and is titled "Reverse engineering patches making disclosure a moot choice?" and is by Robert Lemos. The article talks about the latest trends in doing a binary comparison of a pre-patched binary and its post patched cousin. The latest tools such as BinDiff from SABRE Security have been used by Halvar Flake to demonstrate how easy it was to reverse engineer the patch for pinpointed the portable networked graphics (PNG) vulnerability fixed in a recent Microsoft patch. This article also highlights the fact that the time to find an exploit after a patch is released has been dropping.

The article also quotes Mary Ann Davidson the Chief Security Officer for Oracle who says she will not be altering Oracles patching mechanisms just yet but she is aware of the techniques and issues being discussed here. This article is worth reading if you are interested in just how quickly you need to patch up a database after the patches are released.

Off Topic: I have started a second blog on web development

I have started a new weblog on web development on a new subdomain of my website. I have been planning to do this for a very long time to be able to talk about some of the things I have researched and used in developing this site. I don't know how often I will post to it, not as often as this blog for sure. I plan to talk about blogging software itself, Greymatter for starters as that is what i am using for this blog. I want to get some better features for blogging and plan to talk about those as well as talk about CMS systems, RSS and syndication and I might finally get around to sprucing up the style of my site and modernise it with CSS layout techniques. I also plan to talk about some of the sites I have found that are useful in analysing the performance of a site in SEO terms and also about some of the useful papers and sites I have found. I very occasionally talked about web development and the like here but I felt it not right to do so as this is an Oracle security blog. Therefore i decided to start the new web development blog. Have a look from time to time if its interesting to any of you!

Frank talked about form-based authentication with struts

I have just been catching up on some bookmarks and I found that Frank Nimphius had talked recently in his J2EE Security blog about "form-based authentication with Struts" - I have used the IP Address based URL as orablogs still seems to be unreachable via its domain name. In this interesting post Frank talks about a question he saw on a mailing list about how to configure form-based authentication with struts so that single struts action can be used as the logon page and the error page for form-based J2EE authentication. The poster had presented an example that worked directly in a browser URL field but not at run time. Frank then goes on to present his proposed solution. This is an interesting post from Frank.

A new sample installation session for Oracle Password Repository (OPR) version 1.1.8

Mike Thomas has emailed me a new sample installation session including some great commentary and notes. If anyone is considering using Oracle Password Repository (OPR) they would find these notes useful. Here they are in full:


----------

----------
----------
Updated 2005-Jul-01

The improvements in opr-1.1.8.tar.gz required
us to revise and simplify our walk through notes.
The issues with SETUID and dynamic library loading
were fixed. The program works on RHEL3 LINUX as written.
--

We chose to implement one repository per system
(host or cluster) because we wanted one repository
to reside on each filesystem with our scripts.
We installed one OPR repository on hosts
serving multiple databases. We installed another
OPR repository on an nfs mounted file system being
shared by each node on a RAC cluster.

Our opr.sh script is used to set the OPRREPOS
environment variable. If we deploy opr.sh
to an existing path we eliminate any client
environment settings for the tool.
--

Mike Thomas
qnxodba@gmail.com
--


---
-- Setup OPR on host
---
login oracle @minke

---
-- Create opr LINUX account
---
su - root
groupadd oprinstall # group owner of OPR files
useradd -c "Oracle Password Recovery" -g oprinstall opr
passwd opr
--
Note:
useradd -m (create home directory) -g (initial group) -G (supplementary groups)
--

---
-- Test accounts
---
su - root
groups opr
id opr
id oracle
--
[root@minke root]# groups opr
opr : oprinstall
--
[root@minke opr]# id opr
uid=605(opr) gid=605(oprinstall) groups=605(oprinstall)
--
[root@minke opr]# id oracle
uid=600(oracle) gid=600(oinstall) groups=600(oinstall),601(dba)
--

-- shell
vi .bash_profile
set | grep -i ora
--
Note: see below
--

---
-- Install OPR
---
login opr @minke

-- (1) directory
cd /home/opr
rm -rf /home/opr/data
rm -rf /home/opr/prog
mkdir /home/opr/data
mkdir /home/opr/prog
chmod 700 /home/opr/data
chmod 700 /home/opr/prog
ls -al
--

-- (2) program
cd /home/opr/prog
ftp opr-1.1.8.tar.gz to /home/opr/prog
tar zxvf opr-1.1.8.tar.gz
--
cd /home/opr/prog/opr-1.1.8
./configure
make
strip src/opr
cp /home/opr/prog/opr-1.1.8/src/opr /home/opr
--
cd /home/opr
opr -c
ls -l $OPRREPOS
chmod 755 /home/opr
chmod 511 /home/opr/opr
chmod u+s /home/opr/opr
ls -al /home/opr/opr
chmod 555 /home/opr/opr.sh
chmod u+s /home/opr/opr.sh
ls -al /home/opr/opr.sh
--

-- (3) script
vi /home/opr/opr.sh
#!/bin/bash
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
opr ${1} ${2} ${3} ${4}

--
[opr@minke src]$ ls -l $OPRREPOS
-rw------- 1 opr oprinstall 352 Jul 1 11:04 /home/opr/data/repos.opr
[opr@minke src]$ ls -al /home/opr/opr
-r-s--x--x 1 opr oprinstall 20308 Jul 1 11:01 /home/opr/opr
[opr@minke src]$ ls -al /home/opr/opr.sh
-r-sr-xr-x 1 opr oprinstall 87 Jul 1 11:05 /home/opr/opr.sh
--


-- (4) Client oracle .bash_profile modification
ORACLE_BASE=/u01/app/oracle;export ORACLE_BASE
OPR_BASE=/home/opr;export OPR_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
PATH=/usr/sbin:/sbin:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH
--
Note: If opr.sh used in existing path then no client environment
settings required to path, e.g. OPR_BASE.
--

---
-- Configure commands OPR repository
---
--
login opr @minke

--
cat /etc/oratab | egrep ":N|:Y"
--
[opr@minke opr]$ cat /etc/oratab | egrep ":N|:Y"
*:/u01/app/oracle/product/10.1.0/db_1:N
CALPREC:/u01/app/oracle/product/10.1.0/db_1:N
--

--
-- Add password requires the default '*:/u01...' entry in /etc/oratab as shown above.
--

-- minke
opr -a calprec calgb oracle
--
-- orca (cluster)
opr -a calp calgb oracle
--
-- narwhal (cluster)
opr -a calp calgb oracle {should fail as duplicate entry}
--
-- pilot
opr -a cald calgb oracle
--
Note: opr -a
Adding -f option forces entry without database verification.
--

---
-- Test OPR examples
---
login oracle @minke
sqlplus "calgb/`opr.sh -r calprec calgb`@cald"
--
login oracle @orca
sqlplus "calgb/`opr.sh -r calp calgb`@calp"
--
login oracle @narwhal
sqlplus "calgb/`opr.sh -r calp calgb`@calp"
--
login oracle @pilot
sqlplus "calgb/`opr.sh -r calp calgb`@cald"
--
Note: The and parameters are case insensitive.
--


----------
-- OPR UNIX ACCOUNT
----------
login opr @minke

vi .bash_profile
--
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

##########
# Login Sequence - Check if behaviour unclear
# /etc/passwd
# /etc/shadow
# /etc/group
# /etc/profile
# /etc/profile.d/*.sh
# ~/.bash_profile
# ~/.bashrc
# /etc/bashrc
##########
# User specific environment and startup programs
##########
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
DB_HOME=$ORACLE_BASE/product/10.1.0/db_1; export DB_HOME
OPR_BASE=/home/opr;export OPR_BASE
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
#
##########
#PATH=$PATH:$HOME/bin
#PATH=/usr/sbin:/sbin:$PATH
PATH=/usr/sbin:/sbin:$DB_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH
#
export PATH
##########

unset USERNAME
--

----------
----------

----------
----------


Again many thanks to Mike and Brian for compiling these notes and for testing and documenting the installation and configuration of OPR. Great work!

Oracle Password Repository (OPR) is updated to version 1.1.8

I got an email a couple of days ago from Jan-Marten Spit and Jasper Spit to let me know the details of why they pulled version 1.1.7 of OPR from sourceforge and worked to fix a security hole. The new version 1.1.8 fixes the problem that was highlighted in the post I made about installing 1.1.7 made by Mike Thomas. I won't go into great detail but basically with 1.1.7 it was possible for a user in certain circumstances to create a malicious version of the Oracle client library and using that take control of the account that owned and was running OPR. Version 1.1.8 now checks the location of the ORACLE_HOME and loads the library based from this. It gets the location from the oratab file so OPR is now a little less environment tolerant (but safer). Also OPR now only loads up the Oracle libs if the user running it is the repository owner. Version 1.1.8 also solves the issue with LD_ environment variables for dynamic library loading.

If you use OPR then please get over to the OPR home page sourceforge and download it. If you do not use OPR then you could also get over there and consider its use for managing your Oracle passwords to help prevent password leakage on the command line.

whilst on the subject of orablogs - version 2 is in the wings

I made a note of a link to a post made by Brian Duff about two weeks ago on his blog titled "Coming Soon: Orablogs 2" (I have altered the link to go direct via the IP Address for now!)

The post starts with a discussion of complete feeds or truncated ones - i.e. like mine and Tom's amongst others that now give a taster of the post and the reader needs to then visit the relevant site to read the whole post. Brian then goes on to list some of the great new features he plans to (? or already has) add(ed) to orablogs. Some of these new features include the use of ATOM for input and output (this is the future of feeds!), page and feed caching for reduced bandwidth consumption - this may speed up the site as well. Reduction (or removal?) of the need for horizontal scrolling - This I will be glad to see. Also Brian plans to add click through stats, this will be a very interesting addition. Have a look at Brian's post for a complete list - feel free to add to it - as Brian requests!

I hope that Brian gets this live soon; it sounds like a great collection of new features for a great site, and let’s hope his DNS woes are fixed soon.

Orablogs still seems to have DNS issues

I saw Ed Stanglers post to his blog last night titled "OraBlogs Cached" and went to have a look. Basically Ed is confirming the worst, that Orablogs is still unreachable via its domain name. I talked about the problem of Orablogs not being reachable and the problem being DNS related. My post was titled "Orablogs seems to be down - or maybe not!". Brian confirmed the issue was DNS by email and also in a post titled "Hopefully all is well again" where he says he has fixed the DNS and that it should be working. This was five days ago, but it is still not working.

This is a shame as Orablogs is a great resource for anyone interested in news about Oracle, new papers long and short and links to lots of new and old info. I wanted to raise a short post to let people know that Brian's site is still not available via the domain name but can be reached via the IP address as follows:

http://83.170.75.145/orablogs

Marcus Ranum interview on Security Focus

Thanks to Joel for emailing me earlier in the week to let me know that Marcus Ranum had been interviewed on SecurityFocus recently. The interview is very interesting and is titled "Interview with Marcus Ranum" by Federico Biancuzzi and dated 21 June 2005. The interview is very interesting and is a question and answer session. I had heard of Marcus before, quite a few times on various lists in the past but didn't realise his part in the security heritage we all enjoy now. For instance he was the designer and implementer of the first commercial firewall, DEC SEAL. I liked the comment Marcus makes in page 2 that he believes that zero progress is being made in computer security and this has been the case for some time, he also says the same ideas are cropping up again and again since the 1980's. This is a good interview and worth reading.