Category Archives: Security

Articles in DOAG Red Stack Magazin

A while ago I wrote two articles for the DOAG Red Stack Magazin. In the meantime both articles have been published. For this reason I use the opportunity to make the PDF versions of the articles available on oradba.ch. The articles are written in German and available as Trivadis version as well Red Stack version. Although the articles versions differ only in the number of typos and layout.

None of the articles are currently available in english. On request I will write also articles about Oracle Unified Directory in English in the future. However, currently I still have a lot of ideas for blog posts about database security, enterprise user security and unified directory on my to-do list. And blog posts I usually write in english… 🙂

Oracle Unified Directory 12 Released

Finally end of working day. But while reading some newsletter and mails on my way home, I realised that there will be some work at home. After a long wait, Oracle has finally released Oracle Unified Directory 12c 🙂

A overview of the new features:

  • Improved performance and scalability
  • Support for TNS aliases for Oracle Unified Directory deployments with Oracle Enterprise User Security (EUS) configured
  • Support for TLS 1.2 Protocols and Cipher Suites
  • Password-Based Key Derivation Function 2 Password Storage Schemes
  • ODSM Rebranding
  • Support for new log publishers that are configurable via OUDSM
  • Support for the Upgrade OUD Instance script
  • Support for WebLogic Scripting Tool provisioning commands
  • Support for new log publishers that are configurable via OUDSM
  • Support for Oracle Fusion Middleware configuration tools
  • Support for Oracle WebLogic Server 12.2.1.3
  • Support for Oracle JDK 1.8

See Fusion Middleware Release Notes What’s New in Oracle Identity Management 12c (12.2.1.3.0) for a full list of new features.

Links related to Oracle Unified Directory 12c:

Stay tuned, I’ll definitely write more blog posts on Oracle Unified Directory 12 soon.

DOAG Webinar Oracle 12.2 New Security Features

A couple of days ago I’ve successfully finished the DOAG Webinar on Oracle 12c Release 2 new Security Feature. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the online encryption of tablespaces with TDE.

Based on initial experiences and insights, the following topics have been discussed:

  • Authentication
  • Authorization
  • Database Auditing with Unified Audit
  • Encryption with Transparent Data Encryption
  • As well as an overview of further innovations in database security

The slides and the recording of the webinar is available in German over the following links:

EU GDPR, MS SQL Server 2016 and Oracle Security

I’ve just updated the list of my public appearances and planned events. For once, no just Oracle Events 🙂 I’ll speak about the new EU GDPR and its impact on databases in a Trivadis regional customer event together with my colleague Stephan Hurni. Beside this two events I’ll hold a webinar on Oracle 12c Release 2 new security features. This webinar is organised by DOAG.

Unfortunately all these events are in german. No matter, I’m about to register the one or other topic at upcoming Call For Papers. If the speeches get approved I’ll update my list of public appearance.

Oracle CPU / PSU Announcement April 2017

Last night Oracle released there new Critical Patch Update. From the DB perspective it is a rather small patch update. It just includes 2 fixes for security vulnerabilities on Oracle database 11.2.0.4 and 12.1.0.2. None of the vulnerabilities are remote exploitable without authentication but one fix is also for client only installations. The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server 11.2.0.4 on Windows is 7.2 The following components are affected:

  • OJVM
  • SQL*Plus / Local Logon

According to MOS Note 2228898.1 Patch Set Update and Critical Patch Update April 2017 Availability Document, there should also be a OJVM PSU for Oracle 12.2.0.1. But the Patch 25811364 is not yet available.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 31 fixes for vulnerabilities. Some of the vulnerabilities where some are remote exploitable without authentication and are rated with the highest CVSS rating of 10.0.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.

It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number Patch Platform Availability
24968615 Database Proactive Bundle Patch 12.1.0.2.170117 HP-UX Itanium (64-Bit) & AIX (64-Bit) Expected: Wednesday 18-Jan-2017
25395111 Oracle Application Testing Suite BP 12.5.0.1 All Platforms Expected: Wednesday 18-Jan-2017
25115951 Microsoft Windows BP 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
25112498 Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
24918318 Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 Linux x86-64 and Solaris x86-64 Expected: Thursday 26-Jan-2017
24918333 Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 Solaris SPARC 64-Bit Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.

Using TouchID for sudo on macOS Sierra

A couple of days ago, I’ve received my new 15″ Mac Book Pro. So far I’m quite happy. Ok the the circumstance, that I have to carry around a bunch of adapters. I’m waiting for the first projector at customers with USB-C connection. But thats an other story. Initially I thought, that I will not use the new Touch Bar that much. But I must admit that it’s quite handy from time to time. In particular the Touch ID to unlock the Mac Book Pro.

During my day to day work, I’m using the terminal quite a lot. This also includes the use of sudo. Why not using the Touch ID, to run a privileged command with sudo rather than typing the password. Good idea, unfortunately this is not possible out of the box in macOS Sierra. A Google search has revealed two possible solutions respectively projects on GitHub.

  • Replace the sudo with a customised version of sudo, which does support Touch ID (see sudo-touchid
  • Add a customised PAM module, which does support the Touch ID (see pam_touchid

I have decided to test the custom PAM module, because it seems, that this alternative has less impact on the operating system. The configuration is straight forward and includes the following steps:

  • Build the project using Xcode
  • Copy the PAM module to a custom location
  • Update the sudo configuration

As mentioned in a comments on GitHub, sudo over ssh does not work with this PAM module (see pam_touchid appears to break sudo over SSH) pam_touchid.m requires a small modification. In particular the following if statement has to be added at the top of the method pam_sm_authenticate.

if (getenv("SSH_TTY"))
return PAM_IGNORE;

In case of a sudo authentication request over SSH the module will do nothing. Sudo will fall back to the regular PAM modules. So lets start Xcode to adjust pam_touchid.m and build pam_touchid.so.2.
Build PAM Module
Create a custom directory for the PAM module, copy pam_touchid.so.2 and adjust the owner and privileges.

sudo mkdir -p /usr/local/lib/pam/
sudo cp pam_touchid.so.2 /usr/local/lib/pam/
sudo chown root:wheel /usr/local/lib/pam/pam_touchid.so.2
sudo chmod 444 /usr/local/lib/pam/pam_touchid.so.2

Update the sudo configuration and add auth sufficient pam_touchid.so reason="execute a command as another user" to the top of the file.

sudo vi /etc/pam.d/sudo

cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_touchid.so reason="execute a command as another user"
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

As soon as you start a new terminal session, you can use your Touch ID to authenticate sudo. Below you see an example of sudo hostname to get the current hostname.
TouchID
As mentioned in the realm of the PAM Touch ID project, you have to be sure what your doing. If it is the first time you use Xcode and Terminal, it is probably better to not change your sudo authentication.

Thanks to Hamza Sood for this PAM module.