
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Jonathan Lewis has a new weblog

I saw from surfing that Jonathan Lewis has finally bitten the bullet and started his own weblog. It is titled "Oracle Scratchpad" and already has a number of posts on it. I am sure Jonathan will mention security from time to time, but it is unlikely to have security-related posts regularly. This for me is not an issue and I will follow every post, simply because learning about Oracle security is not just about Oracle security: you also need to know about Oracle and how it works. I know that Jonathan's posts will be interesting and will teach, so they will be worth reading, as he knows more about how Oracle works than most people. I have also added his blog to my Oracle security blogs aggregator.

myspace hacked

I saw an interesting post this evening on NetCraft titled "Myspace Accounts compromised by Phishers". This is not an Oracle security issue but it is interesting all the same, as it is a good example of the latest trend in website attacks, where the hacker is able to compromise the host site to trick users into clicking on a link that takes them to a remote site, in this case to steal password details. This sort of attack is difficult to detect because the user is still on the real site. The hackers (I don't know if this is how they have done it) use JavaScript and iFrames to redirect the user. I saw a great demo of this type of attack at BlackHat this year, where the technique was used to attack a PC on the internal network on an internal IP address.

Best Practice for securing E-Business Suite updated

I saw this evening via Steve Kost's blog, in a post titled "11i: Best Practices for Securing the E-Business Suite Updated", that the best practices for securing E-Business Suite, metalink note ID 189367.1, has been updated. I have known about this paper for quite some time and have devoured it and learned from it over the last year or so. This paper has grown quite a lot in size since its inception and is an excellent resource for securing E-Business Suite. Steve has covered the changes in version 3.0.4 from the previous version.

Great paper if you wish to secure Apps.

Help in handling Oracle vulnerabilities

Help in handling Oracle vulnerabilities - By Eric Ogren

"If you run parts of your business on Oracle databases, and who doesn’t, then you better be prepared for Oracle’s trend of security announcements to continue for quite a while. No band-aid fixes are going to help and it will take time for their enhanced security engineering processes to take effect."

Users look for details on Oracle's next database

Users look for details on Oracle's next database - Vendor expected to disclose info on '11g' upgrade at OpenWorld - Eric Lai

"October 20, 2006 (IDG News Service) -- At its OpenWorld conference in San Francisco next week, Oracle Corp. is expected to divulge details about the enhancements it plans to make in the next version of its flagship database, which began initial beta testing last month.

Oracle declined to comment this week about any new products it has in the works. But users and analysts said they expect the next database release to include enhancements to the software's grid computing, clustering and XML capabilities as well as increased automation to ease database administration tasks for smaller companies and new security features to protect against insider data theft."

Oracle releases 101 patches in quarterly update

Oracle releases 101 patches in quarterly update - They cover flaws in database and app server products, collaboration and e-business suites - by Jaikumar Vijayan

"October 17, 2006 (Computerworld) -- Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.

Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards"


Oracle fixes 101 flaws

Oracle fixes 101 flaws - By Bill Brenner

"Oracle released its quarterly critical patch update (CPU) Tuesday, fixing 101 flaws across the company's product line. Attackers could exploit 45 of them from remote locations without a username or password."

Using procedures to access data only

I came across a paper on the OraFAQ website titled "A better view" - by Gojko Adzic

"Accessing the database from the outside world basically comes down to two options - direct querying or executing stored procedures. Procedural access is often chosen for the wrong reasons - making maintenance significantly harder."

This is quite an interesting look at development trends: using views to access data rather than going to base tables, versus using procedures for the same purpose. There are some strong comments both against and for the author. A good paper though, highlighting the issue of data access in general and therefore the security of the data. Whether to use views, procedures or direct access is often a subject for developers of an application. Feuerstein often talks in his books about creating access layers to reduce duplicated code and SQL. I think it is an interesting subject; it always causes debate, but it has some strong aspects for security. I agree with not allowing access to base tables in order to protect the data, but you also have to be careful about dual access paths to the data: paths created by not blocking direct access properly, by creating both views and procedures, and often by allowing update and insert paths that actually create different data because of the procedural logic. Be careful.
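As an added illustration of the dual-access-path point (this is my own example, not code from the OraFAQ paper or from Feuerstein), the following SQL puts a base table behind a view and a definer's-rights procedure, closes the INSERT-through-the-view hole with WITH CHECK OPTION, and then asks the data dictionary who still has a second, direct route to the rows. The schema HR_DATA, the EMPLOYEES table layout, the account APP_USER and the procedure name are all assumed for the example.

```sql
-- Added example: base table reachable only through a view and an API procedure.
-- Schema HR_DATA, account APP_USER and the table layout are assumed names.

CREATE TABLE hr_data.employees (
  emp_id   NUMBER        PRIMARY KEY,
  name     VARCHAR2(100) NOT NULL,
  dept     VARCHAR2(30)  NOT NULL,
  salary   NUMBER        NOT NULL
);

-- Read path: only SALES rows and only non-sensitive columns.
-- WITH CHECK OPTION closes the write-path hole where an INSERT through the
-- view could create a row (say dept = 'HR') that the view itself never shows.
CREATE OR REPLACE VIEW hr_data.sales_staff_v AS
  SELECT emp_id, name, dept
  FROM   hr_data.employees
  WHERE  dept = 'SALES'
  WITH CHECK OPTION;

-- Write path: a definer's-rights procedure that owns the business rule,
-- so the caller needs EXECUTE on it and no privilege on the table at all.
CREATE OR REPLACE PROCEDURE hr_data.raise_salary (
  p_emp_id IN NUMBER,
  p_pct    IN NUMBER
) AUTHID DEFINER AS
BEGIN
  IF p_pct < 0 OR p_pct > 10 THEN
    RAISE_APPLICATION_ERROR(-20001, 'raise must be between 0 and 10 percent');
  END IF;
  UPDATE hr_data.employees
  SET    salary = salary * (1 + p_pct / 100)
  WHERE  emp_id = p_emp_id;
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'no such employee');
  END IF;
END raise_salary;
/

-- The application account gets the two intended paths and nothing else.
GRANT SELECT  ON hr_data.sales_staff_v TO app_user;
GRANT EXECUTE ON hr_data.raise_salary  TO app_user;

-- Check 1: direct DML grants on the schema's base tables (the join to
-- DBA_TABLES drops grants on views and procedures, which are the intended
-- paths). With only the grants above this returns no rows for APP_USER.
SELECT p.grantee, p.table_name, p.privilege, p.grantor
FROM   dba_tab_privs p
JOIN   dba_tables    t ON t.owner = p.owner AND t.table_name = p.table_name
WHERE  p.owner = 'HR_DATA'
AND    p.privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
ORDER  BY p.grantee, p.table_name, p.privilege;

-- Check 2: the wider bypass, ANY TABLE system privileges that ignore
-- object grants entirely. Exclude only the accounts you expect to hold them.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'INSERT ANY TABLE',
                     'UPDATE ANY TABLE', 'DELETE ANY TABLE')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;
```

The two dictionary queries are the part worth keeping in an audit script: a view and a procedure only protect the data if nobody holds a direct grant or an ANY TABLE privilege that goes round them, and PUBLIC grants show up in the first query like any other grantee.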

Oracle plugs 101 security flaws

Oracle plugs 101 security flaws - By Joris Evers

"The Critical Patch Update includes remedies for 63 flaws related to Oracle's widely-used database products. There are also patches for 14 vulnerabilities in Application Server, 13 related to E-Business Suite, 8 in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD Edwards software."


Details of bugs fixed in CPU October 2006 released

I chatted to Alex earlier this evening and he let me know that he has added a new page to his site that analyses the October 2006 CPU. This page is titled "Details Oracle Critical Patch Update October 2006 - V1.00" and it details all of the database related bugs and APEX bugs fixed in the October CPU. In particular it details the bugs that Alex found, with links to separate advisory pages. These include:

xdb.dbms_xdbz0
sys.dbms_sqltune_internal
mdsys.sdo_lrs
SQL Injection in dbms_cdc_impdp2
Modifying data via in-line views
Oracle Reports Cross Site Scripting
Cross Site Scripting in APEX NOTIFICATION_MSG
Cross Site Scripting in APEX WWV_FLOW_ITEM_HELP
SQL Injection in APEX WWV_FLOW_UTILITIES

Enjoy!

October 2006 Critical Patch Update (CPU) is out

I have just seen that the October 2006 Critical Patch Update (CPU) advisory is out. This is the first of the new style advisories and on first inspection the information seems to be better structured than in previous advisories. The advisories have been getting better and this is a good stride forward. The advisory now lists the numbers of bugs that have been fixed; in particular they are broken down into product groups / sets, and those that can be exploited remotely without authentication are identified. For the database products there are 63 fixes: 22 in the database, all requiring authenticated user access, 6 for the HTTP server, 5 that can be exploited remotely without authentication. Oracle Application Express, which comes on the companion CD and is not installed by default, comes off worst. It has 35 fixes, 25 of which can be exploited remotely without authentication.

Going on to the tables of actual bugs, we can see that the tables have been made much clearer and no longer include the very confusing columns of risk and threats from the previous format. We now have the CVSS score, whether the bug can be exploited remotely, the privilege required, the access complexity (how easy it is to call the function or feature to exploit it), and the earliest release and the last affected patch sets. The pattern is repeated for each of the database product sets, and then the same structure applies for the Application Server (14 fixes, 13 of which can be exploited remotely without authentication), Collaboration Suite (12 fixes, 11 remote without authentication), E-Business Suite (13 fixes, one remote without authentication) and finally 8 PeopleSoft and one JD Edwards bugs fixed.

I am impressed that there is a simple check provided to test if you have HTMLDB installed; I am not impressed that there are 35 fixes in it, although it is good that they have been fixed.

All in all I am impressed by the new style advisory. It is not perfect, but it is much better than it was; at the end of the day you cannot please everyone and provide all the information possible. The main thing for me is to help the DBA decide whether to patch quickly, to identify which products / features / functions are affected and to help them make a decision based on the risk. Calling out the remote bugs that do not require authentication is a great step towards identifying the risk: they stand out, the product is identified and it is easier to decide.

There are a lot of fixes this time. It is good that Oracle have managed to process this amount of fixes; from this they seem to be getting on top of the bug fixing. Well done Mary Ann and the rest of the team. Let's hope it gets to a point where we have advisories with one or two bugs to patch as soon as possible!


Tomorrow is patch Tuesday - the Oct 2006 CPU is due!

Tomorrow is the due date for the next Oracle CPU. We should then get our first look at the new advisory format and the promised better data and information for the DBA to decide whether to apply the patches or not. Let's wait and see with bated breath.. :-)

SANS Oracle S.C.O.R.E. document has been updated

I saw on the day it was released for review that the SANS Oracle S.C.O.R.E. document that I originally wrote has been updated. The original version 2.0 document - "Oracle database checklist" has been converted to an Excel spreadsheet and issued for review as "Oracle security hardening checklist version 3.1". The original version was the appendix from the Oracle security step-by-step guide and was created as a checklist of most of the issues covered in the book. The new updated version is still heavily based on this list but has been enhanced to include threats, vulnerabilities and checks in most cases.

Security bug in 10.2.0.2 not fixed yet

I saw a post on the Pythian blog today titled http://www.pythian.com/blogs/254/oracle-patch-10203-bugs-weve-seen - (broken link) Oracle Patch 10.2.0.3 - Bugs We've Seen and went for a look. The interesting part for me was the link to a post on metalink describing a security bug that, in the right circumstances, allows SQL statements to be executed under the wrong schema. This is not fixed yet and the metalink note states that 10.2 is more vulnerable than 10.1. Read it and take precautions if you are on 10g.

Oracle will improve the CPU documentation with the Oct 17th 2006 CPU

Eric Maurice has today announced that Oracle will make some significant changes to the CPU documentation that will be released with the Oct 17th CPU. His post is titled "Changes Introduced With October 17th Critical Patch Update". The key changes quoted from Eric's post are:

"1 - Oracle is adopting the Common Vulnerability Scoring System (CVSS)
2 - Oracle will specifically identify those critical vulnerabilities that may be remotely exploitable without requiring authentication to the targeted system.
3 - Oracle will provide an executive summary of the security vulnerabilities addressed in the CPU."


Oracle will explicitly identify any vulnerabilities fixed that can be remotely exploited without authentication. They will also include a plain-English explanation of the vulnerabilities fixed in each CPU.

This is great news for Oracle customers and will hopefully enable more people to decide what is critical and also what needs to be patched.

Oracle are continuing to make great strides in the right direction, well done to Mary Ann and her team for helping customers.

Applying CPUs

With the next CPU due next Tuesday, October the 17th, I read with interest Atul's post titled "Apply Oracle July CPU patch", all about how to apply the July 2006 CPU on his own systems. The post is a good overview of the process, but for me it is important for two reasons. First, people are talking now about applying the last CPU when the next CPU is already due; Atul is not the only one who has mentioned applying the July CPU to me recently. It is clear from my experience that a lot of people do not apply CPUs promptly. There are many reasons why this is the case; I guess the most common are lack of time, the complexity of installations and the problems of re-testing, but all of them, I think, come back to time in some way. Second, Atul's post really highlights the fact that there are a huge number of different configurations of Oracle products and product sets, and all need to have the patches applied to one or more tiers and often on different OS platforms. Just reading Atul's post made me think again about how complex fixing and patching Oracle often is.

Tom has discovered a PL/SQL oddity

I saw Tom's post http://tkyte.blogspot.com/2006/10/something-new-i-learned-this-week.html - (broken link) Something new I learned this week... and read it with interest. I was aware of this issue quite a long time ago when I programmed more regularly with PL/SQL, though I have to admit I wasn't thinking about it. I seem to remember that I first read about this when I first learned PL/SQL years ago; because I came from a C programming background, pointers and pass by value come more naturally. This is an interesting issue for me for a number of reasons. First because it is PL/SQL, and I like PL/SQL and like to play with and investigate the language and its internals, and second because oddities and internals always open security doors. I don't see an obvious hack, but I can see how it would be possible to abuse a system that makes use of procedures or functions that update globals or pass globals into functions. As Tom said, avoid globals.
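To make the globals point concrete, here is an added example of my own (not Tom's code and not from his post) showing how PL/SQL's copy-in/copy-out passing of an IN OUT parameter interacts with a package global that the called procedure also touches directly. The package, procedure and variable names are made up for the illustration.

```sql
-- Added example: a package global passed to a procedure that also reads and
-- writes the same global by name. All names here are invented.

CREATE OR REPLACE PACKAGE demo_globals AS
  g_counter NUMBER := 0;
  PROCEDURE bump        (p_val IN OUT        NUMBER);
  PROCEDURE bump_nocopy (p_val IN OUT NOCOPY NUMBER);
  FUNCTION  run (p_use_nocopy IN BOOLEAN) RETURN NUMBER;
END demo_globals;
/

CREATE OR REPLACE PACKAGE BODY demo_globals AS

  PROCEDURE bump (p_val IN OUT NUMBER) IS
  BEGIN
    -- The procedure changes the global directly...
    g_counter := g_counter + 10;
    -- ...and changes the formal parameter, which is a private copy of the
    -- actual argument (IN OUT is passed by value unless NOCOPY is honoured).
    p_val := p_val + 1;
    -- Inside the call g_counter and p_val now disagree. On normal exit the
    -- copy in p_val is written back over the actual argument, so when the
    -- caller passed g_counter itself, the "+ 10" made above is discarded.
  END bump;

  PROCEDURE bump_nocopy (p_val IN OUT NOCOPY NUMBER) IS
  BEGIN
    g_counter := g_counter + 10;
    p_val     := p_val + 1;
    -- NOCOPY is only a hint. If the compiler honours it, p_val aliases
    -- g_counter and both assignments land on the same storage; if it does
    -- not, the behaviour is the same as bump above. The outcome is therefore
    -- not something a caller can rely on.
  END bump_nocopy;

  FUNCTION run (p_use_nocopy IN BOOLEAN) RETURN NUMBER IS
  BEGIN
    g_counter := 0;
    IF p_use_nocopy THEN
      bump_nocopy(g_counter);   -- the global is passed as its own argument
    ELSE
      bump(g_counter);
    END IF;
    RETURN g_counter;
  END run;

END demo_globals;
/

SET SERVEROUTPUT ON
BEGIN
  DBMS_OUTPUT.PUT_LINE('IN OUT        -> ' || demo_globals.run(FALSE));
  DBMS_OUTPUT.PUT_LINE('IN OUT NOCOPY -> ' || demo_globals.run(TRUE));
END;
/
```

With the plain IN OUT parameter the copy-out on exit overwrites the update that bump made to g_counter by name, so the net effect of the call is +1 rather than +11; with NOCOPY the result depends on whether the hint was honoured. Swap g_counter for a global that holds an authorisation decision or a running total and the same mechanics mean the value a later check sees is not necessarily the one the procedure thought it set, which is exactly why globals of this kind are worth removing rather than reasoning around.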

Data breaches near 94 million

Data breaches near 94 million - N.C. driver data among stolen - by Tom Zeller Jr., The New York Times

"Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."

Some good SQL Injection links

I saw a post on Eddie's blog yesterday that has links to 4 SQL Injection papers. The SQL Injection papers post can be found here. SQL Injection is a fact of life nowadays and the security spectrum now seems to focus on one type of interpreter injection method or another. The security of data has moved centre stage and the old firewall-based security, whilst still valid, has moved to the wings. Hackers, whatever type, criminal or not, seem to focus on data and seem to use sequenced or merged attacks that use techniques like SQL Injection. This means that even if your database is held inside your organisation and is behind multiple firewalls, maybe even not directly accessible externally, it could still be attacked. I like to think of techniques like SQL Injection, when used "very" creatively, as like trying to paint your living room whilst standing in the street and using the front door keyhole as the only access, BUT the paint is applied as though you are using a 3 foot wide paint roller. I was at BlackHat in Las Vegas a couple of months ago and was quite excited to hear a presentation that demonstrated how a PC on an internal IP address could be controlled externally using JavaScript and iFrames or AJAX. This was so cool. If you are a DBA, developer or anyone implementing Oracle, think about SQL Injection, cross site scripting, scripting in general, and don't think you are secure just because an application doesn't use the web!
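Since the point above is that injection reaches a database that never faces the web, here is an added example of mine (not from Eddie's post or the linked papers) of the pattern as it appears inside stored PL/SQL: the same lookup written with string concatenation, with a bind variable, and, for the case where an identifier genuinely has to be dynamic, validated through DBMS_ASSERT, followed by a dictionary query for finding the concatenation pattern in your own code. The EMPLOYEES table, its columns and the function names are assumed.

```sql
-- Added example: one lookup written three ways. Table EMPLOYEES (column NAME)
-- and the function names are assumed for the illustration.

-- 1. Vulnerable: the caller's string becomes part of the statement text, so a
--    quote character in p_name changes the WHERE clause instead of being data.
--    AUTHID DEFINER is the default, so it also runs with the owner's privileges.
CREATE OR REPLACE FUNCTION count_by_name_unsafe (p_name IN VARCHAR2)
  RETURN NUMBER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE name = ''' || p_name || ''''
    INTO l_cnt;
  RETURN l_cnt;
END count_by_name_unsafe;
/

-- 2. Fixed: a bind variable. The statement text is a constant; the input is
--    bound as data and cannot alter the parsed statement. AUTHID CURRENT_USER
--    keeps it running with the caller's privileges, not the owner's.
CREATE OR REPLACE FUNCTION count_by_name (p_name IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE name = :name'
    INTO l_cnt USING p_name;
  RETURN l_cnt;
END count_by_name;
/

-- 3. Identifiers cannot be bound, so when a table name must be dynamic,
--    validate it first. DBMS_ASSERT.SQL_OBJECT_NAME raises ORA-44002 for
--    anything that is not an existing object name visible to the caller.
CREATE OR REPLACE FUNCTION count_rows (p_table IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_cnt;
  RETURN l_cnt;
END count_rows;
/

-- Finding pattern 1 in an existing code base. This is a rough heuristic:
-- it only catches concatenation on the same source line as the EXECUTE
-- IMMEDIATE, so also review OPEN ... FOR and DBMS_SQL.PARSE call sites.
SELECT owner, name, type, line, text
FROM   dba_source
WHERE  owner NOT IN ('SYS', 'SYSTEM')
AND    UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
AND    text LIKE '%||%'
ORDER  BY owner, name, line;
```

The bind-variable form is the fix in almost every case; DBMS_ASSERT is for the minority where the dynamic part is a name rather than a value, and it should sit alongside, not instead of, running the code with the least privilege the caller actually needs.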

Oracle 11i and SSO

I saw tonight on Steve Kost's blog a post titled "11i: Oracle 11i and SSO Whitepaper Updated" and went to read it with interest. The post talks about a paper written by Oracle that describes integrating Oracle E-Business Suite 11i with Oracle Single Sign-On. The paper has been updated and it describes multiple scenarios for implementation plus limitations. This is an interesting paper that unfortunately is only available from metalink.

A portal exploit or security advice

I saw a very nice post on the IT-Eye blog tonight titled "How to prevent Oracle Portal edit mode", which describes how it is possible, in most Portal implementations that have not been secured, to access the edit mode. This is a security problem for Portal. The post goes on to show the mod_rewrite rules to block any URL with &_mode=16 added to it, and even how to redirect to an error page. Nice post and info.

Oracle's Security Plans

http://blogs.ittoolbox.com/oracle/guide/archives/oracles-security-plans-12053 - (broken link) Oracle's Security Plans is an interesting post on Lewis's blog today. It talks about the new Oracle stance on security products and features generally and about "micro-entitlements", FGAC outside the database. There are a few links to some news articles as well. Worth a read.

SQLGotcha version 3.0 is available

I saw a post on my Oracle security forum today titled "SQLGotcha 3.0 on Sourceforge" about Marcel-Jan's excellent tool SQLGotcha. Whilst it is not a security tool per se, it is still a very useful tool to have in anyone's toolbox, especially if you are involved in auditing and investigating Oracle. It is useful for finding sessions that you want to trace, and version 3.0 supports Oracle RAC and also allows 10053 events to be traced. Marcel-Jan is already looking at adding flexible search items to allow more flexible tracing. Nice tool.

Oracle promises tighter security for SOAs

Oracle promises tighter security for SOAs - Elizabeth Montalbano

"Oracle has always made bold claims about the security of its database and applications. Now the company has said it will make security a priority as it begins rolling out its next-generation software products for building service-oriented architectures (SOAs), Oracle Fusion, in the next several years.

Speaking at an event in New York on Wednesday, Oracle President Charles Phillips outlined three areas of security that will be important to Oracle going forward -- access control, data privacy and compliance. Acquisitions and internal product development over the last 18 months have given Oracle a comprehensive portfolio in this area, allowing the company to think of security "holistically" across its product line, he said.

"We take it pretty seriously," Phillips said. "We [are putting] security where it belongs, which is consistent across the architecture.""