Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A grammatically correct random pass phrase generator

Curtis Copley emailed me to let me know about his new paper on a grammatically correct random passphrase generator and also the free tools he has created to implement this in Java and also in PL/SQL. The paper is available on his website and the tools are also available as links at the end of the paper. This is an excellent piece of work that shows how he has worked through the problem and created code to generate random pass phrases that can be remembered by people but also that have the required strength (@47 bits) using a dictionary of chosen words of around 10,000 options. The password randomness rules are based on NIST requirements. The paper ois best introduced with a sample from the first section:

A grammar-based random pass-phrase generator can help make life easier for users and system administrators by generating memorable passwords that should meet the needs of most sites. With this algorithm, users should be able to choose a password more easily. The passwords produced by the algorithm should be easy enough to type, reducing the likelihood of being accidentally locked out of the system by logon failures. System administrators may finally be able to spend less time resetting passwords and unlocking accounts, without sacrificing security.



Passwords provide much of computer and data security, but they suffer from conflicting requirements: Ideally, they would be easy to memorize and quick to type, yet they should also be able to withstand attack by an automated password cracking program. The United States Department of Defense (DOD), and the National Institute of Standards and Technology (NIST) established requirements that are intended to strengthen passwords. Unfortunately, many users (and system administrators) find it tough to come up with passwords that meet DOD and NIST requirements, and even tougher to memorize their passwords. Users forget their passwords, or mistype them and cause an account lockout. System administrators then need to come up with secure new passwords for these users.



A grammatically-correct random pass phrase generator can make passwords that are easy enough for users to memorize, yet still be secure. The program can generate over 200 trillion different equally-likely pass phrases (in security terms, a strength measured at about 47 bits of entropy). The passwords will be between 14 and 22 characters long. Since most of the password length comes from familiar English words, the length is more tolerable. The random selection of words often results in absurd phrases. Absurdity is good. Advertisers use absurdity to make their messages more memorable.



Here is a random sampling of passwords from the program, along with the words separated by spaces for easy reading:



PASSWORD
WORDS

`55ScabbyGateAromas`
55 Scabby Gate Aromas

||BroodsPaving25Ghouls
Broods Paving 25 Ghouls

``ThreatPlops45Pumas
Threat Plops 45 Pumas


To read the complete article and get the sample implementation in Java and also in PL/SQL got to Curtis Copley's website.

Excellent piece of work.

SQL Injection - accessing additional tables via the where clause

Jaromir emailed me a link to a paper he has written on SQL injection where he manipulates the where clause of an existing statement that can be exploited via SQl injection. Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause. He is using the technique of inference to guess the result. This is similar to the newton-raphson technique used in interest calculations for loans and lease agreements. His first example says is the number of credit cards in the table less than 6 if it is, test if its less than three and home in on the result. This is same technique as Newton-Raphson.

Jaromir then extends the technique to guess the length of a column of a table that he is interested in (Say the credit card number column) and then he extends further to guess the character at each position in each field (column) for each row (the count above).

Jaromir includes examples for reading numbers and strings written in the groovy language and includes a source code download as well as fully worked examples as an appendix.

The paper is titled "Reading Data with the Where Clause", very nice piece of work.

Default Users

I saw an article on default accounts on the database journal website titled "Oracle 11g Security - Those Pesky Predefined Accounts" and as its a subject (default users and default passwords) I have personally written about many times in the past both in articles (the first ones were 8 years ago when i worked at Pentest), blogs, default password lists and more recently even a password cracker written in PL/SQL.

Oracle has entered the fray also since 11g with a dictionary table and view that includes a list of default accounts/passwords.

James article is good but there are some questions and inconsistencies. James suggests:
expiration on an account after initial database creation , means that there is no password assigned on the account so connection is impossible


He suggests that default accounts that are created as part of the install do not have passwords assigned (the logical conclusion to this statement is that they would have "blank" passwords. This is absolutely not true, Oracle never creates accounts with blank passwords, no matter what the status of the account is; although to be honest I suspect he made a bad choice of words and maybe didnt actually mean this, but...?

A default installation of Oracle sets various accounts passwords and status's; the account james chose hasd an impossible password set:



SQL> col name for a10
SQL> col astatus for 99
SQL> col password for a16
SQL> col spare4 for a30
SQL> l
1 select name,astatus,password,spare4
2 from sys.user$
3* where astatus=9
SQL> /

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
OUTLN 9 4A3BA55E08595C81 Sbig grin12EC0F0242EBFB81FCCD97CF192
68528DA474910F773814CB7D4FFFC5
BD

DIP 9 CE4A36B8E06CA59C Sbig grinC95000980EF1669CAB6332D21FC
D9AD14B7CB2422FC970B9A50DBB5F0
B4

TSMSYS 9 3DF26A8B17D0F29F S:BF0B9459FC2D835A337E69D052E1
CD2BEC8533D36C0B9B6CD2F47EC2A5
95

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

ORACLE_OCM 9 6D17CF1EB1611F94 S:5EB749D124D2B652658BF3CC867A
760165FF653E42067AD749A4BD3B5E
C0

XDB 9 88D8364765FCE6AF S:BCECCB19D5DC426F38A01971BFC1
BE73E45506E939C18B1DBC083B67EF
15

WMSYS 9 7C9BA362F8314299 S:5EECF47B56B2CFC563941433F9B7
4CAE9F220D7872A3C66CE26A9A9487

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
C1

EXFSYS 9 66F4EF5650C20355 S:4CE5DE7874C9F28E9B7B8429600E
681E376F86129B9784B157682F7656
CA

CTXSYS 9 71E687F036AD56E5 S:5BBACFFD7987BA61F767FCE44C5B
AF45BE4CAF2C6CD01DA447AED98815
1C

XS$NULL 9 DC4FCC8CB69A6733 S:19FC9249A4EC856AE1D6034F3877

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
93B8C9642F1A5C60C194093C8E7DD9
09

ANONYMOUS 9 anonymous
ORDSYS 9 7EFA02EC7EA6B86F S:FD3758C6CCA191255E18DE064334
D242CE29D94C72351D03E97829DC91
6F

ORDPLUGINS 9 88A2B2C183431F00 S:4A436BD7BB1F49C6F2C860E1E917
A1BA223EB24002A860C97B0B7AF94F
01

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

SI_INFORMT 9 84B8CBCA4D477FA3 Sbig grin3804242E9F82C40B8C471A5E7CE
N_SCHEMA 9B3A3612EA2707EEA03A19C44BA9E9
46

MDSYS 9 72979A94BAD2AF80 S:4D9ED94AD60E64B7D44677E20EEC
F41E5D8B71EB0FF8ADF1FEE2F2D62F
87

OLAPSYS 9 4AC23CC3B15E2208 S:8B84EDE1B66D9FF6F400633F199C
A7BF5B4532DA2B2F1E4B535D8F312A

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
51

MDDATA 9 DF02A496267DEE66 S:324D1A84F48D3BEA3F5F3DC7D8EF
06C39A352B97AB0844105379A56276
71

HR 9 6399F3B38EDF3288 S:25E7EA60CF1ADF0AFC4A38061439
F0B9599477606230DE709962ADD5FB
0F

SPATIAL_WF 9 7117215D6BEE6E82 S:6119D4B8BCAFC9C99DB72E0D2DFA

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
S_ADMIN_US CF522D40F5AA33597307C54F870B7F
R 81

SPATIAL_CS 9 1B290858DD14107E S:E2961CD3E5459036BD8CE4A5676B
W_ADMIN_US B09E935214FC8D76F72754EFA76455
R 73

WKSYS 9 69ED49EE1851900D S:8BC14DCA57EBF01001CA1906A1B1
A9049FF12B2E47431CEA13B7438C3C
F0


NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
WKPROXY 9 B97545C4DD2ABE54 S:1C6314C3E19A10B0ABF0CB8D8285
3444A101513782B9E07C3ED37BC12C
10

WK_TEST 9 29802572EB547DBF S:E24DCDB42CA9753525D9A3118203
E277FB26E0FF0651EE1BF03B56E1AD
8A

FLOWS_FILE 9 0B054C835B0A826B S:B9602AAF42718436DFA5EEBBB715
S 8437A3B05B7F6BF13DD01403D2290E
7F

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

APEX_PUBLI 9 978468D2F78777DF S:B3A96760BAF7AF7AE4E8A5C73CA5
C_USER 7808C049E22C9275144DF36471ED7B
0F

FLOWS_0300 9 1B85764DE15A3916 S:1E688E6F8D574B1BE80DE2A801D0
00 93FE6657E2931B8DF646BD39CB19D2
D8

OWBSYS 9 610A3C38F301776F S:F6B79D2E4FB3E3DE36AAB8C277DF
CC858C74FFAC59CD997F1F03A79538

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
37

SCOTT 9 F894844C34402B67 S:2228935D3E627C9EADE19D8297C8
3714A54E6E60B00C581691674BF43F
4A

OE 9 9C30855E7E0CB02D S:27FDBAF13F3B1BA9BF35AEC0D7B2
CE8E12659E9373E73B95C062C40E12
CD

IX 9 2BE6F80744E08FEB S:AC2705774CCF66F5D6193667E172

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
F8C7D3643E8192E7C1BC6F1ECD5BE8
99

SH 9 9793B3777CD3BD1A S:837CE859F5B956516327F5932272
BC61300F6758574DE12869B3620966
AA

PM 9 72E382A52E89575A S:FE9774804908800DCB81F7160760
91C327302E77A00AA549569DC90BDE
03


NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
BI 9 FA1D2B85B70213F3 S:52412524ED76F07270CD66E88251
721711F6F0751CA57958CF71E24663
CC


32 rows selected.

SQL>




This shows that "ANONYMOUS" has a password of ANONYMOUS, i.e. an imposisble password not a blank password. This is actually more secure than James suggests as no guess of a password will ever succeed. You will also note that all accounts by default have a 10g password hash also set. This as I have discussed here before weakens the passwords as its simply necessary to crack the 10g password first and then move up to the case sensitive version for 11g.

If we run the password cracker we will see the expired&locked accounts all have passwords set:



SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Sep 28 15:34:20 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [ORACLE1 ] DI CR OP
U "SYSTEM" [ORACLE1 ] DI CR OP
U "OUTLN" [OUTLN ] DE CR EL
U "DIP" [DIP ] DE CR EL
U "TSMSYS" [TSMSYS ] PU CR EL
U "ORACLE_OCM" [ORACLE_OCM ] PU CR EL
U "XDB" [CHANGE_ON_INSTALL ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP" [ORACLE1 ] DI CR OP
U "WMSYS" [WMSYS ] DE CR EL
U "EXFSYS" [EXFSYS ] DE CR EL
U "CTXSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "XS$NULL" [ ] -- -- EL
U "ANONYMOUS" [IMP {anonymous} ] IM CR EL
R "SPATIAL_WFS_ADMIN" [SPATIAL_WFS_ADMIN ] PU CR OP
U "ORDSYS" [ORDSYS ] DE CR EL
U "ORDPLUGINS" [ORDPLUGINS ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA ] DE CR EL
U "MDSYS" [MDSYS ] DE CR EL
U "OLAPSYS" [ ] -- -- EL
U "MDDATA" [MDDATA ] DE CR EL
U "HR" [CHANGE_ON_INSTALL ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE" [WFS_USR_ROLE ] PU CR OP
R "SPATIAL_CSW_ADMIN" [SPATIAL_CSW_ADMIN ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE" [CSW_USR_ROLE ] PU CR OP
U "WKSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "WKPROXY" [CHANGE_ON_INSTALL ] DE CR EL
U "WK_TEST" [WK_TEST ] DE CR EL
U "SYSMAN" [ORACLE1 ] DI CR OP
U "MGMT_VIEW" [ ] -- -- OP
U "FLOWS_FILES" [ ] -- -- EL
U "APEX_PUBLIC_USER" [ ] -- -- EL
U "FLOWS_030000" [ ] -- -- EL
U "OWBSYS" [OWBSYS ] PU CR EL
R "OWB$CLIENT" [S ] BF CR OP
R "OWB_DESIGNCENTER_VI [S ] BF CR OP
U "SCOTT" [TIGER ] DE CR EL
U "OE" [CHANGE_ON_INSTALL ] DE CR EL
U "IX" [CHANGE_ON_INSTALL ] DE CR EL
U "SH" [CHANGE_ON_INSTALL ] DE CR EL
U "PM" [CHANGE_ON_INSTALL ] DE CR EL
U "BI" [CHANGE_ON_INSTALL ] DE CR EL


INFO: Number of crack attempts = [46373]
INFO: Elapsed time = [2.85 Seconds]
INFO: Cracks per second = [16270]

PL/SQL procedure successfully completed.

SQL>




This shows that the accounts have known default passwords. Also interestingly James says that an account that is created EXPIRED&LOCKED is different to one that is unlocked and then expired and locked. But he then doesnt show why?; there is no difference as its not possible to create an account without specifying a password unless the record is inserted into SYS.USER$ directly but a hash is still required so its the same as an account where the password is changed; again this could be a bad choice of words as he talks about changing passwords before locking and expiring to prevent someone resetting.

The article also states its best practice to lock accounts and not remove them; I disagree; if it can be shown that an account is not required, especially an account that is a built-in one; James implies from this that its better to lock HR rather than remove it?; then the accounts are better removed. Locking or stopping access to an account does not prevent use of its features, PL/SQL packages for instance. If this was the case there would be work-arounds for CPU fixed bugs in PL/SQL. A connection to an account is not always needed to attack its features.

Backups are valuable

I have spent a lot of time this week dealing with backups; not databases but of my own main machine that runs my email, development and business needs - used by myself when in the office and by my PA when I am away. I always backup the box and can do "almost" point in time recovery; I am not going to go into details of exactly how. On Saturday I wiggled the mouse (the machine runs almost continuously, for almost 3 years) and the screen never crinkled and crackled, hmmm, left it and worked on my laptop instead and then had some time Sunday morning and tried again. No joy; I worked on Client work on Monday and Tuesday to get a piece of work delivered on time and then took the broken box to a local computer shop on Wednesday morning; he announced a load of nonesense which I didnt beleive and asked me to leave it with him; no chance.

I then took it to another place and they were much better, talked sense and actually proved the problem to me; the mother board was fried and the graphics chip was also shot; it seems that the problem could have been the fan not working properly that fried the graphics chip which then did damage to the motherboard; so no machine, new one needed.

I removed the RAM, the BIOS chip (with a hammer and chisel - fast de-soldering!, I am a qualified electrician) and also the disk, now the rest can be disposed of. I then bought a new machine and spent most of yesterday and today so far whilst also trying to work installing software and copying data, boy is that distracting to work and load software on another box at the same time.

I have backups (not one jot of data is lost) but in a PC world the problem is much bigger, the machine runs programs (some cause issues when moving them to a new machine because the vendors think you are cheating them) so they all have to be re-installed, setup, updates found, drivers updated, data moved to the right places.... its a big job i made a list of two sides of A4 of tasks to complete. A backup is great no lost data but its not possible (well not easy so I am not doing it) to backup all setup, programs, drivers, etc and then restore to a different machine in the future - same hardware maybe.

A lost system is more than just the data; when we applying this to Oracle I am always amazed when i do Oracle database security audits how many sites do not have adequate backups, don't test the media, dont test the backups them selves or have a DR strategy that involves a plan to buy the hardware if needed and to set it up and install Oracle at the time of the disaster. Liken it to my machine, its not bad for me, I can work on another machine, indeed I am doing so now and no client suffers (just response to email is suffering at the moment, should be backup tomorrow, I hope, so if you emailed me dont worry i will respond) but i suffer as I am using a lot of time to rebuild my environment on the new machine. my Oracle database security audits encompass the whole environment and things like backups, data flow and DR are all included. I cringe when sites say they will get the hardware if they need it and build from scratch; I cringe more now as I know how long it takes to set up machines. Even yesterday I started to install software and found that the CD/DVD drive of the new box didnt work; this took over an hour to resolve. Imagine your business held up waiting for hardware, waiting to build it and waiting to recover the data.

I also was forced to buy a machine with Vista installed, arrrhhhhh, what a horible interface. I have also wasted time last night trying to remove all the stupid dropdowns and toobars that vista brings, change menus, look etc so I can find things; now the machine looks like XP and earlier again, simpler to use.

Backups are important but time to resolve and resume is as well; remember it.

Blog birthday, speaking, training and Oracle Java security

Well it seems like quite a while since I last blogged here (I do keep saying that don't I!); I have been very busy with client work and also working on the new Oak Table Apress Oracle book. I completed my two chapters a few weeks ago and now the review has come back so its time to do the edits and send it off again (more evening work), we have also been progressing our Database Security audit tool, PFCLScan which is looking really nice now. We have had a lot of interest from customers and investors so far which is really promissing.

I have also agreed to speak at the new Leeds chapter of OWASP on October 14th. Thats Leeds in the north of England of course, if your around please come along, its a fairly new chapter and the first event for them. I don't have the link/agenda details yet but when I have them I will post them here. I also have two slots at the up-coming UKOUG 2009 conference in Birmingham. I will be giving a presentation, "The right way to secure Oracle" on the 30th November at the ICC in Birmingham and I am also hosting an Oracle security round table on the 1st December again at the ICC of course. I always like the UKOUG conference, its a great place, great people and always good to catch up with a lot of people. I will update the speaking dates on my site shortly with links - lack of time to do it. sad at the moment.

I am also going to be teaching my two day seminar, "How to perform a security audit of an Oracle database" in conjunction with Oracle University in November, on the 3rd and 4th in Prague. I am really looking forward to that as I have not been back to Prague since the late 90s when I was last working there. I am also going to be teaching the same class in Helsinki, Finland on the 23rd and 24th of November. We are also planning to host the same class ourselves on the 20th and 21st October in York, England after the successful event we ran earlier in the year. The price will be £895 + VAT, contact me on my email address (its on the home page and also on the training page - link above) to register, places are still available at the moment.

I will update my training page with all the links and dates shortly for these events.

It is also this blogs fifth birthday, wow, in the UK that means it needs to start school! This is the longest running blog decicated to Oracle security and in general i do still keep almost completely on topic.

Time has flow by so fast, I cannot believe it. I will admit the posts have slowed down somewhat since i started this blog but I am still going strong and intend to carry on blogging. In the last year I have managed around 60 posts whereas in the first year I did 560 posts. Its slowed down from the year before where I reported that i posted around 110 posts. Its simply a fact of life that i have become more successful in my business and extra activities such as writing books and articles and software products that blogging has taken a back seat. This I hope will change as I plan to actually start a second blog (actually fifth blog as I have others not connected to Oracle security) that is going to be just about PFCLScan our new Oracle security audit tool.

Finally I also wanted to also point out Paul Wrights post titled "JAVA_ADMIN to OSDBA" which follows in his quest to find ways to escalate to SYSDBA from a lower position. I like the article and the idea but there are a couple of issues. The first comment is that the JAVA_ADMIN role is very powerful; the output below shows this.




SQL> @java_admin

G_R PERM GRANTEE PERMNAME ACTION
--- ------------------------- ---------- ---------------------------------------- ----------
G PolicyTablePermission JAVA_ADMIN 0:java.awt.AWTPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.io.FilePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.io.SerializablePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.RuntimePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.management.ManagementPermiss null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.reflect.ReflectPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.net.NetPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.net.SocketPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.security.AllPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.security.SecurityPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.sql.SQLPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.util.PropertyPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.util.logging.LoggingPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanServerPermission null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanTrustPermission# null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.ManagementPermission# null
G PolicyTablePermission JAVA_ADMIN 0:javax.net.ssl.SSLPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.security.auth.AuthPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.rdbms.HandlePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.rdbms.security.PolicyTab null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.security.JServerPermissi null

22 rows selected.

SQL>




This is a very powerful role BUT in the Java VM not in the database? - Paul says the same but I wanted to illustrate why. The list of Java privileges above shows that the JAVA_ADMIN role is the DBA of the Oracle Java world and this role should not be granted to anyone. These are privileges to grant privileges. This is an issue with Oracle that makes security harder to do; heirarchy. We have privileges on objects, privileges on objects that access the first objects, roles that encapsulate privileges and we also have database privileges that allow granting of other privileges. The GRANT ANY ROLE system privilege is a good example as it allows escalation to any role in the database for a user or role who has this privilege. This is what makes Oracle complex; because we must consider not just direct privileges but also privileges that grant privileges. Luckily no user except builtin users or roles have this JAVA_ADMIN role by default. Nice paper Paul!

Oracle delays the October CPU and 11g Release 2 is out

I got an email from Oracle support last night to tell me that the next Oracle Critical Patch Update, the CPU for October: Here is the email (There are no privacy statements so I am guessing its OK to reproduce the whole email):

September 3, 2009
Oracle Critical Patch Update October 2009

Dear Oracle Customer,

There is a change in the previously announced release date of the October 2009 Critical patch Update.

Since many Oracle customers with responsibility for deploying the Critical Patch Update within their respective organizations will be attending Oracle OpenWorld October 11-15, 2009, the October 2009 Critical Patch Update originally scheduled to be published on Tuesday, October 13th 2009, will be released on October 20th 2009.

Please note: this date change only impacts the October 2009 Critical Patch Update. As usual, Oracle will issue a pre-release announcement on the Thursday before the publication of the Critical Patch Update (Thursday, October 15th). All other aspects of the Critical Patch Update (where to find the documentation, how to download the patches, etc.) remain the same.

The next four Critical Patch Update release dates are:

October 20, 2009
January 12, 2010
April 13, 2010
July 13, 2010

You will be notified via email once the Critical Patch Update for October 2009 has been released.

Thank you,
Oracle Security Alerts


Eric Maurice also blogged about it yesterday but there is no additional information in his blog above whats in the email. Oracle are citing the Open World conference as the reason for the delay; they say that a lot of admins will be at the conference and dont want them to miss it to apply patches.

There are a number of questions we could ask about this:

1) should Oracle delay release of patches to ensure people come to its conference? - Oracle has released Oracle database 11g release 2 a couple of days ago; i was only able to get the download links to work yesterday, i am guessing a lot of people are downloading and the servers are overloaded. So does Oracle want to make sure people come to the conference and get the new product message?
2) If patches are delayed are customers further put at threat because the patches are not available as promptly as they could be?
3) Does this leave an opening for those who release exploits?
4) Does Oracle value marketing over security?
5) surveys in the past have shown that not everyone applies the patches promptly anyway so is there bad news in the patch that Oracle don't want to overshadow Open World news with?
6) Fill in your own question?

Personally I don't see a major conflict with leaving the patch date as it was. Most people will not apply the patch during open world if it was available anyway. Maybe it is just to prevent any possible distractions caused by managers who would feel their staff cannot leave work during a CPU release and attend a conference?

Interesting though!

A book, a database scanner and a magazine column and a few bugs

The last few weeks have been very busy with full time client work and also a number of personal projects so emails and blogging have taken a back step. Coupled to that I have used my writing time with a different focus than the website and blogging which is in one sense a pity but on the other hand its nice to actually produce some content that will be printed.

So for the last few weeks i have used up spare time first writing the first article for the Oracle Scene Magazine on Oracle security which hopefully will become a regular column. Mark Rittman is now the editor for Oracle Scene magazine and he asked me some time ago if I could write something, so I was happy to do so. My first article is on powerful privileges.

Next I spent a lot of spare time over the last month or so writing two chapters for the new Oak Table Book: tentitively titled "Expert Practices: Oracle database administration from the Oak table". This is hard when working all day and quite often travelling to spend evenings also writing. The two chapters I have written "Securing Users" and "Securing Data" are now draft.

I have also been working to get our new product PFCLSCan progressed. The development of the back end engine is complete and the development of the console GUI is coming on well and i though a couple of pictures would be in order to show you what it looks like. Here is a look at the front end:



PFCLScan Database Target choice screen



Note: Click on the link to increase the picture size

This picture shows the main GUI console structure. The main screen in the middle is the screen to manage database connections. The tree view to the left is the project workspace that allows you to manage as many projects as you wish to have open at the same time. The right hand properties window allows you to manage the settings for the current project (This is indicated in the title bar). The settings are used by the back end engine and also the GUI. The windows at the bottom of the screen allow viewing/clearing/filtering and saving of logs/ trace / errors generated by the engine and also the console. The engine also has a built in script engine with our own scripting language called PFCLScript. The logs from the script compiler/interpreter can also be viewed as well as logs from the uiltin XML parser. Thats a brief look at what the console looks like. Another view is of the tools Window:



PFCLScan SSH command shell screen



Note: Click on the link to increase the picture size

The tools window allows access to the builtin shell command window (shown in the picture). Whilst the whole tool is project based and within projects the tests are based on checks that are XML based (we allow a lot of different types of checks, SQL, PL/SQL, Shell script, external tools, builtin tools (e.g. password cracker), PFCLScript, questionaire, architecture and more... we also support complex type checks that can be modified at compile time, at run time and we also support loop checks. All of these complex checks can be applied to any of the previous types of checks. This makes complex audit easy to do and configure. Whilst we do all of this and a lot lot more that I will talk about and show you next time we also have access to a number of built in and external tools. At the simplest level there is a complete built in shell for accessing Unix servers either using ssh or telnet and also ssh1 and ssh2. The picture above shows the shell command Window in use.

We also have a built in SQL tool that allows the running of SQL or PL/SQL scripts. We also have a completely builtin DOS (NT cmd) box that allows any command to be run on the server hosting the GUI. These are all tied to the current project so that ad hoc checks and investigations can be completed and also attached to the project in the same format as all other output (XML). Each of these tool windows support saving to file (raw text or XML) and also clearing. We also have access to external tools such as SQL*Plus and also a GUI SQL explorer type Window.

I hope thats a nice taste of whats to come. Watch out, I will talk in a lot more detail over the coming weeks about more of PFCLScans features.

Finally, Dirk Nachbar emailed me to let mw know of a bug in Oracle reports that I talked about here in a post titled "A nice fix for the "Overwrite any file via desname in Oracle Reports" bug". Dirk has let me know that Oracle has finally fixed this/ worked around it in Oracle reports 11g. Dirk has mentioned some details in his own blog in a post titled "Oracle reports desname bug fixed with Fusion Middleware 11g". Dirk also let me know of another security bug he has found in the Fusion middleware WebLogic server. The administrator user and password are displayed in clear text in a ps listing. Again Dirk has talked about this in his blog, this time in a post titled "Security hole in Fusion middleware 11g weblogic admin server".