Category Archives: 12cR2

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.

It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number Patch Platform Availability
24968615 Database Proactive Bundle Patch 12.1.0.2.170117 HP-UX Itanium (64-Bit) & AIX (64-Bit) Expected: Wednesday 18-Jan-2017
25395111 Oracle Application Testing Suite BP 12.5.0.1 All Platforms Expected: Wednesday 18-Jan-2017
25115951 Microsoft Windows BP 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
25112498 Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
24918318 Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 Linux x86-64 and Solaris x86-64 Expected: Thursday 26-Jan-2017
24918333 Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 Solaris SPARC 64-Bit Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.

Oracle 12 Release 2 Documentation available

Oracle just released the documentation for Oracle 12c Release 2. It seems that most of the new security features are available as discussed in my presentation at DOAG SIG Security in Düsseldorf on the 18th of october. See docs.oracle.com for the documentation bookshelf.

Yet a short summary of new security features

Encryption

  • TDE Tablespace Live Conversion
  • Fully Encrypted Database
  • Support for ARIA, SEED, and GOST Encryption Algorithms in TDE
  • TDE Tablespace Offline Conversion

Enforcing Application Security in the Database

  • RAS Session Privilege Scoping
  • RAS Column Privilege Enhancements
  • RAS Schema Level Policy Administration
  • RAS Integration with OLS

Improving Security Manageability, Administration, and Integration

  • Oracle Virtual Private Database Predicate Audit
  • Oracle Database Vault Policy
  • Oracle Database Vault Simulation Mode Protection
  • Oracle Database Vault Common Realms and Command Rules for Oracle Multitenant
  • Privilege Analysis Enhancements
  • Privilege Analysis Results Comparison
  • Redaction: Different Data Redaction Policy Expressions
  • Redaction: New Functions Allowed in Data Redaction Policy Expressions
  • Redaction: Additional Data Redaction Transformations
  • Automatic KDC Discovery When Configuring OCI Clients
  • Automatic Provisioning of Kerberos Keytab for Oracle Databases
  • Role-Based Conditional Auditing
  • Inherit Remote Privileges

Improving Security Posture of the Database

  • SYSRAC – Separation of Duty for Administering Real Application Clusters
  • Transparent Sensitive Data Protection Feature Integration
  • Requiring Strong Password Verifiers by Default

Improving User Authentication and Management

  • Automatic Locking of Inactive User Accounts

Modernizing Network Authentication and Encryption

  • Kerberos-Based Authentication for Direct NFS

There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 2 (12.2). In particular the new features for TDE are worth, having a closer look. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Training. We will announce a Trivadis Oracle Database 12c Release 2 Techno Circle as soon as the software for 12c Release 2 is officially released.