Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
I have not tested but i suspect that flushing the SGA may allow its use as well as the reason that it doesnt work is likely to be because the old hash is likely to be buffered. Also SYS.USER$ is not likely to be accessible to create a view like this anyway.
"The napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version 10.2.0.3 and onward (including 10.2.0.4 and 11g). In a napply CPU, the security fixes are now grouped in what are called molecules. Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU. Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files."
and goes on to discuss
"By using the OPatch parameter ?-skip_duplicate?, customers will have the ability to skip the application of those molecules that have been previously installed (for example by a previous CPU) thus reducing the changes introduced to the patched system. In other words, while the CPU remains cumulative, the CPU will install incrementally those new groups of fixes."
I can see that this will help some sites install patches with less anxiety but I doubt that this will implore many sites to patch earlier and faster. The same fixes, cumulatively are still installed and still need to be installed. The biggest issue i discuss with people is the testing, the fact that often a full regression test is required and the worry that something in a fix breaks the way their applications work.
The best advice I offer is to ensure that you only install the software that is needed and remove as many features (schemas) and functionallity (Java?) that you dont need, in other words reduce the attack surface as much as possible to the functionallity actually needed to support an application. Also dont install Enterprise edition if you can run with Standard or Standard one. I often sites completely over specified in terms of database version/type and features installed.
There are 19 fixes for the database, interestingly one fix for Audit Vault (which is an Apex bug), 4 fixes for the application server, 2 fixes in JDeveloper, 1 collaboration Suite fix, 14 E-Business Suite fixes and 7 PeopleSoft fixes.
So, the observations last CPU that things were getting better could be wrong. This time we went to 45 fixes from 36 and 19 in the database as opposed to 14. Lets leave judgement till next time, this could be a blip in a downward trend or maybe its on its way up again, or maybe we have reached a plateau of around 35 to 45 fixes a patch?
"Compromised computers at Oracle UK are listed among the 10 worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software.
Oracle said it is investigating the reported problem, which it is yet to either confirm or refute.
A box (or group of boxes behind a proxy) at Oracle UK is among the worst offenders for launching attacks, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks."
"Thanks for a very interesting post. I think there are issues with this model and recent CPUs with lots of remote exploits/bugs in Apex that dont need authentication clearly confirms this. I agree with you its crazy to enable Apex by default in 11g, lets see if they do. This would feed into the ever increasing array of features enabled by default.."
Interesting post by Tim that looks at data privacy and data protection.
Alex then commented on Toms blog and an interesting conversation started. Tom does know what SQL Injection is, he has made a recent acreer talking about bind variables and SQL Injection and I am hoping he will cover security and of course SQL Injection and more with gusto when we get to see the second volume of his book. I remember he even canvassed for subjects and security was in there amongst them. Alex has amde a very good point, that people do learn from peers, mentors, BOOKS and training; I think the unfortunate apsect of all of this is that writers of these media have not taken security into account until very recently even though issues like SQL Injection have been known for many years now. Lets hope that everyone writes with security in mind and that old and new generations of coders understand the risks and dont provide these loopholes.