Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
Great paper if you wish to secure Apps.
"BT has bought privately-held network security firm Counterpane for an undisclosed sum. Speculation put the price as high as $40 million for the company, which had turnover of £20 million in 2004 and said it had assets of £6.8 million at that time."
"If you run parts of your business on Oracle databases, and who doesn’t, then you better be prepared for Oracle’s trend of security announcements to continue for quite a while. No band-aid fixes are going to help and it will take time for their enhanced security engineering processes to take effect."
"October 20, 2006 (IDG News Service) -- At its OpenWorld conference in San Francisco next week, Oracle Corp. is expected to divulge details about the enhancements it plans to make in the next version of its flagship database, which began initial beta testing last month.
Oracle declined to comment this week about any new products it has in the works. But users and analysts said they expect the next database release to include enhancements to the software's grid computing, clustering and XML capabilities as well as increased automation to ease database administration tasks for smaller companies and new security features to protect against insider data theft."
"October 17, 2006 (Computerworld) -- Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.
Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards"
"Oracle released its quarterly critical patch update (CPU) Tuesday, fixing 101 flaws across the company's product line. Attackers could exploit 45 of them from remote locations without a username or password."
"Accessing the database from the outside world basically comes down to two options - direct querying or executing stored procedures. Procedural access is often chosen for the wrong reasons - making maintenance significantly harder."
This is quite an interesting look at development trends: using views to access data rather than going to the base tables, versus using procedures for the same purpose. There are some strong comments both against and in support of the author. It is a good paper, though, highlighting the issue of data access in general and therefore the security of the data. Whether to use views, procedures or direct table access is often a subject for developers of an application. Feuerstein often talks about creating access layers in his books to reduce code and SQL reuse. I think it's an interesting subject; it always causes debate but has some strong aspects for security. I agree with not allowing access to base tables to protect the data, but you also have to be careful around dual access paths to the data: these are created when direct access is not blocked properly while views and procedures are also provided, and they often allow update and insert paths that actually create different data because of the procedural logic. Be careful.
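As an added illustration of the single-access-path point above (example code, not from the post or the paper it discusses), the following Oracle SQL sets up a read-only view for queries and a procedure as the only write path, then checks that the application account holds no direct grant on the base table; the schema owner, APP_USER, the SALARIES table and SET_SALARY are all assumed names.

```sql
-- Added example (assumed names): run as the schema owner of SALARIES.
CREATE TABLE salaries (
  emp_id     NUMBER        PRIMARY KEY,
  salary     NUMBER(10,2)  NOT NULL,
  changed_by VARCHAR2(30)  NOT NULL,
  changed_on DATE          NOT NULL
);

-- Read path: hides the audit columns and, being read-only, cannot
-- itself become a second write path into the base table.
CREATE VIEW salaries_v AS
  SELECT emp_id, salary FROM salaries
  WITH READ ONLY;

-- Write path: the only intended way to change a salary. It stamps who
-- made the change and when, and enforces a rule a direct UPDATE bypasses.
CREATE OR REPLACE PROCEDURE set_salary(p_emp_id IN NUMBER, p_salary IN NUMBER)
AUTHID DEFINER AS
BEGIN
  IF p_salary IS NULL OR p_salary <= 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'salary must be positive');
  END IF;
  MERGE INTO salaries s
  USING (SELECT p_emp_id AS emp_id FROM dual) src
  ON (s.emp_id = src.emp_id)
  WHEN MATCHED THEN
    UPDATE SET salary = p_salary, changed_by = USER, changed_on = SYSDATE
  WHEN NOT MATCHED THEN
    INSERT (emp_id, salary, changed_by, changed_on)
    VALUES (p_emp_id, p_salary, USER, SYSDATE);
END;
/

-- The application account gets the view and the procedure, nothing else.
GRANT SELECT  ON salaries_v TO app_user;
GRANT EXECUTE ON set_salary TO app_user;

-- The dual-path mistake would be a grant like the one below: it lets
-- APP_USER write SALARIES directly, skipping the check and audit stamp.
-- GRANT UPDATE ON salaries TO app_user;   -- do not do this

-- Check: every privilege this schema has handed out on these objects.
-- Any row naming SALARIES itself (rather than SALARIES_V) is a direct path.
SELECT grantee, table_name, privilege
  FROM user_tab_privs_made
 WHERE table_name IN ('SALARIES', 'SALARIES_V', 'SET_SALARY')
 ORDER BY table_name, grantee, privilege;
```

If the final query lists any INSERT, UPDATE or DELETE on SALARIES for an application account, revoke it and point the application at SET_SALARY instead.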
"The Critical Patch Update includes remedies for 63 flaws related to Oracle's widely-used database products. There are also patches for 14 vulnerabilities in Application Server, 13 related to E-Business Suite, 8 in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD Edwards software."
"In its quarterly patch release Tuesday, Oracle issued fixes for 101 vulnerabilities in several of its products and began using an emerging threat rating system."
SQL Injection in dbms_cdc_impdp2
Modifying data via in-line views
Oracle Reports Cross Site Scripting
Cross Site Scripting in APEX NOTIFICATION_MSG
Cross Site Scripting in APEX WWV_FLOW_ITEM_HELP
SQL Injection in APEX WWV_FLOW_UTILITIES
Moving on to the tables of actual bugs, we can see that the tables have been made much clearer and no longer include the very confusing columns of risk and threats from the previous format. We now have the CVSS score, whether the bug can be exploited remotely, the privilege required, the access complexity (how easy it is to call the function or feature to exploit it), the earliest affected release and the last affected patch set. The pattern is repeated for each of the database product sets, and then the same structure applies for the Application Server (14 fixes, 13 of which can be exploited remotely without authentication), Collaboration Suite (12 fixes, 11 remote without authentication), E-Business Suite (13 fixes, one remote without authentication) and finally 8 PeopleSoft and one JD Edwards bugs fixed.
I am impressed that there is a simple check provided to test whether you have HTMLDB installed; I am not impressed that there are 35 fixes in it, although it is good that they have been fixed.
All in all I am impressed by the new style of advisory. It is not perfect, but it is much better than it was; at the end of the day you cannot please everyone and provide all the information possible. The main thing for me is to help the DBA decide whether to patch quickly, to identify which products / features / functions are affected and to help them make a decision based on the risk. Flagging the remote bugs that do not require authentication is a great step towards identifying the risk: they stand out, the product is identified and it's easier to decide.
There are a lot of fixes this time. It's good that Oracle have managed to process this number of fixes; from this they seem to be getting on top of the bug fixing. Well done Mary Ann and the rest of the team. Let's hope it gets to a point where we have advisories with one or two bugs to patch as soon as possible!
"The changes make sense but fail to address one of the main criticisms of Oracle's security practices - its perceived tardiness in developing security fixes."
"Oracle plans to make a significant change to the way product flaws are described in its security bulletins, an admission of sorts that the quarterly alerts were almost impossible to understand."
"1 - Oracle is adopting the Common Vulnerability Scoring System (CVSS)
2 - Oracle will specifically identify those critical vulnerabilities that may be remotely exploitable without requiring authentication to the targeted system.
3 - Oracle will provide an executive summary of the security vulnerabilities addressed in the CPU."
Oracle will explicitly identify any vulnerabilities fixed that can be remotely exploited without authentication. They will also include a plain-English explanation of the vulnerabilities fixed in each CPU.
This is great news for Oracle customers and will hopefully enable more people to decide what is critical and also what needs to be patched.
Oracle are continuing to make great strides in the right direction, well done to Mary Ann and her team for helping customers.
"Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."
"Oracle has always made bold claims about the security of its database and applications. Now the company has said it will make security a priority as it begins rolling out its next-generation software products for building service-oriented architectures (SOAs), Oracle Fusion, in the next several years.
Speaking at an event in New York on Wednesday, Oracle President Charles Phillips outlined three areas of security that will be important to Oracle going forward -- access control, data privacy and compliance. Acquisitions and internal product development over the last 18 months have given Oracle a comprehensive portfolio in this area, allowing the company to think of security "holistically" across its product line, he said.
"We take it pretty seriously," Phillips said. "We [are putting] security where it belongs, which is consistent across the architecture.""