Category Archives: Security

Oracle 18c new Security Features

Today I had the opportunity to give a presentation on Oracle 18c new Security Features at the SOUG day in Baden. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the new central managed user with MS Active Directory.

Based on first experiences and insights, the following topics have been discussed:

  • Create schema only accounts
  • Integration of Active Directory services with Oracle Database
  • Encrypt sensitive credential data in the data dictionary
  • Write Unified Audit Trail records to SYSLOG or the Windows event viewer
  • Use Oracle Data Pump to export and import the Unified Audit Trail
  • Authentication and certification parameters
  • Enterprise User Security Manager (EUSM)
  • User defined master encryption key
  • Keystore for each Pluggable Database
  • User defined master encryption key
  • Enhancements to Oracle Database Vault simulation mode
  • Grant Data Pump-Database Vault authorizations to roles
  • Oracle Database Vault support for Oracle Database Replay

The Killer feature in this release is definitely the centrally managed user with its simple MS Active Directory integration. It is an ideal solution to simplify the user management in small / midsize environments. For larger and more complex environments it makes more sense to engineer central user management using Oracle Enterprise User Security. Many other improvements are due to Oracle’s cloud strategy. Necessary and meaningful but not earth-shattering.

The presentation is available in English over the following links:

Oracle CPU / PSU April 2018

Oracle recently released the spring Critical Patch Advisory. It is the first critical patch update, which also includes fixes for Oracle 18c. Over all it includes 254 new security fixes across the product families. Overall a rather large update, although only a security vulnerability is patched for the Oracle databases. This vulnerability is not remotely exploitable without authentication and is not applicable to client-only installations. The CVSS Rating is 8.5 for Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.1.0.0 on any operating system. According to Oracle the following component is affected:

  • Java VM

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 30 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

More details about the patch will follow soon on the Oracle Security Pages.

By the way, Oracle improved the table which lists the affected products and components in there advisory. Oracle Database is not a the top of the table any more.

DOAG 2017 Oracle 12c Release 2 Datenbank-Sicherheit in a Nutshell

DOAG Konferenz 2017Below you will find a list of the different demo scripts used during the DOAG training day 2017 Oracle 12c Release 2 Datenbank-Sicherheit in a Nutshell. In general the script do need a SCOTT or a HR demo schema. Some of the scripts may have more requirements eg. Kerberos configuration, Oracle Enterprise User Security etc. The scripts are available free for anyone to use. I do not accept any responsibility for any damage, errors or anything whatsoever caused by running or using these scripts. The scripts have been tested thoroughly but as there are many platforms, Oracle versions and possible configurations, it does not mean that they will work for you when they work for me. Please check the file header for further information on the scripts, references etc before running them especially on production system.

 

Script Description
 01_authentication.sql Show authentication information of the connected user and its USERENV context
 02_privileges.sql Database privileges analysis demo
 03_vpd.sql Virtual Private Database demo with default and column masking.
 04_audit.sql Unified audit demo script
 05_redaction.sql Oracle Data Redaction demo script
 06_tsdp_redact.sql Transparent Sensitive Data Protection and Data Redaction demo
 07_tsdp_audit.sql Transparent Sensitive Data Protection and Unified Audit demo
 aui.sql Script to show authentication information of the connected user and from its USERENV context.
 hip.sql List init.ora parameter including hidden parameters.
 create_password_hash.sql Calculate Oracle DES based password hash from username and password.
 verify_user_password.sql Wrapper script to check if a user has a weak DES based password. Passwords will be displayed.
 verify_user_password_no.sql Wrapper script to check if a user has a weak DES based password. Passwords will not be displayed
 verify_alluser_passwords.sql Wrapper script to check if any user in sys.user$ has a weak DES based password. Passwords will be displayed.
 verify_alluser_passwords_no.sql Wrapper script to check if any user in sys.user$ has a weak DES based password. Passwords will not be displayed.
 verify_passwords.sql Check if user in sys.user$ has a weak DES based password
 verify_password_hash.sql Check if user has a weak password

Oracle CPU / PSU Announcement October 2017

The Oracle open world 2017 is over, the dust just settled down. A perfect time for Oracle to release the October critical patch advisory. With not less than 270 new security vulnerability fixes across the Oracle products it seems to be a rather huge update. From the DB perspective it is nothing unusual. It contains 6 new security fixes for vulnerabilities on Oracle Database 11.2.0.4, 12.1.0.2 and 12.2.0.1. 2 of the vulnerabilities can be used remotely without authentication, but none of the vulnerabilities affect Oracle client installations. Overall the highest CVSS Rating is 8.8 for Oracle Database Server 11.2.0.4 on Windows respectively 7.8 for 12.1.0.2 on Windows and Linux. According to Oracle the following components are affected:

  • Core RDBMS
  • Java VM
  • XML Database
  • RDBMS Security
  • Spatial (Apache Groovy)
  • WLM (Apache Tomcat)

Not all of these components are installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update. OK, I guess Core RDBMS is part of you database setup 🙂

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 40 fixes for vulnerabilities. Up to 26 vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

More details about the patch will follow soon on the Oracle Security Pages.

By the way, Oracle improved the table which lists the affected products and components in there advisory. Oracle Database is not a the top of the table any more.

Articles in DOAG Red Stack Magazin

A while ago I wrote two articles for the DOAG Red Stack Magazin. In the meantime both articles have been published. For this reason I use the opportunity to make the PDF versions of the articles available on oradba.ch. The articles are written in German and available as Trivadis version as well Red Stack version. Although the articles versions differ only in the number of typos and layout.

None of the articles are currently available in english. On request I will write also articles about Oracle Unified Directory in English in the future. However, currently I still have a lot of ideas for blog posts about database security, enterprise user security and unified directory on my to-do list. And blog posts I usually write in english… 🙂

Oracle Unified Directory 12 Released

Finally end of working day. But while reading some newsletter and mails on my way home, I realised that there will be some work at home. After a long wait, Oracle has finally released Oracle Unified Directory 12c 🙂

A overview of the new features:

  • Improved performance and scalability
  • Support for TNS aliases for Oracle Unified Directory deployments with Oracle Enterprise User Security (EUS) configured
  • Support for TLS 1.2 Protocols and Cipher Suites
  • Password-Based Key Derivation Function 2 Password Storage Schemes
  • ODSM Rebranding
  • Support for new log publishers that are configurable via OUDSM
  • Support for the Upgrade OUD Instance script
  • Support for WebLogic Scripting Tool provisioning commands
  • Support for new log publishers that are configurable via OUDSM
  • Support for Oracle Fusion Middleware configuration tools
  • Support for Oracle WebLogic Server 12.2.1.3
  • Support for Oracle JDK 1.8

See Fusion Middleware Release Notes What’s New in Oracle Identity Management 12c (12.2.1.3.0) for a full list of new features.

Links related to Oracle Unified Directory 12c:

Stay tuned, I’ll definitely write more blog posts on Oracle Unified Directory 12 soon.

DOAG Webinar Oracle 12.2 New Security Features

A couple of days ago I’ve successfully finished the DOAG Webinar on Oracle 12c Release 2 new Security Feature. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the online encryption of tablespaces with TDE.

Based on initial experiences and insights, the following topics have been discussed:

  • Authentication
  • Authorization
  • Database Auditing with Unified Audit
  • Encryption with Transparent Data Encryption
  • As well as an overview of further innovations in database security

The slides and the recording of the webinar is available in German over the following links:

EU GDPR, MS SQL Server 2016 and Oracle Security

I’ve just updated the list of my public appearances and planned events. For once, no just Oracle Events 🙂 I’ll speak about the new EU GDPR and its impact on databases in a Trivadis regional customer event together with my colleague Stephan Hurni. Beside this two events I’ll hold a webinar on Oracle 12c Release 2 new security features. This webinar is organised by DOAG.

Unfortunately all these events are in german. No matter, I’m about to register the one or other topic at upcoming Call For Papers. If the speeches get approved I’ll update my list of public appearance.

Oracle CPU / PSU Announcement April 2017

Last night Oracle released there new Critical Patch Update. From the DB perspective it is a rather small patch update. It just includes 2 fixes for security vulnerabilities on Oracle database 11.2.0.4 and 12.1.0.2. None of the vulnerabilities are remote exploitable without authentication but one fix is also for client only installations. The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server 11.2.0.4 on Windows is 7.2 The following components are affected:

  • OJVM
  • SQL*Plus / Local Logon

According to MOS Note 2228898.1 Patch Set Update and Critical Patch Update April 2017 Availability Document, there should also be a OJVM PSU for Oracle 12.2.0.1. But the Patch 25811364 is not yet available.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 31 fixes for vulnerabilities. Some of the vulnerabilities where some are remote exploitable without authentication and are rated with the highest CVSS rating of 10.0.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.

It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number Patch Platform Availability
24968615 Database Proactive Bundle Patch 12.1.0.2.170117 HP-UX Itanium (64-Bit) & AIX (64-Bit) Expected: Wednesday 18-Jan-2017
25395111 Oracle Application Testing Suite BP 12.5.0.1 All Platforms Expected: Wednesday 18-Jan-2017
25115951 Microsoft Windows BP 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
25112498 Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
24918318 Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 Linux x86-64 and Solaris x86-64 Expected: Thursday 26-Jan-2017
24918333 Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 Solaris SPARC 64-Bit Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.