Just a couple of hours ago I’ve lecture a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview on a few upcoming security improvements. Unfortunately I do not yet have the permission to provide the presentation for download. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
so stay tuned.
In about two weeks I will participate at the SOUG special interest group at Baden. I will present a paper entitled “New Security Features in latest generation of Oracle Database“. Where latest generation of Oracle Database does not stand for an other Oracle 11g release. But that’s an other story…
The aim of the presentation is to provide a range of information on new security features as they could be released in with latest generation of Oracle Database. It covers the following possible new features.
- Data Redaction
- Unified Datenbank Auditing
- Role and Privilege Analysis
- Improved Database Vault
- Database Application Security Architecture
- Improved Key Management
- New OS Roles
Have a look at the SOUG Webpage for a detailed Agenda of the Event and the location. Looking forward to see you there.
Due to the fact that this presentation contains preliminary information, the slides will not be available for download. It is a must to personally attend the SIG SOUG If you do not have time to participate at the SOUG event, you have a second chance later this year. I’ve planned a similar presentation for the DOAG Event in Düsseldorf. More on that later.
As announced in my post about Oracle’s pre-release announcement of last week, Oracle has now released the first Critical Patch Updates for 2013. Overall this CPU contains 86 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For products like Oracle Database Mobile it does contain quite some critical security fixes with a CVSS Rating of 10. On the other hand there’s just one security fix for regular oracle database servers. This security fix relates merely to the SPATIAL option. For a variety of Oracle database server, which do not use the spatial option, this CPU is not so critical. It’s probably worth waiting for the CPU april 2013.
CPU Release Dates
The next four Critical Patch Updates will be released at the following dates:
- 16 April 2013
- 16 July 2013
- 15 October 2013
- 14 January 2014
Links all around Critical Patch Update:
In the hustle and bustle of the Christmas season, it went under that Oracle had released a new version of Oracle Audit Vault respectively Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look into the new release.
About a year ago Oracle released the Audit Vault Server 10.3. (see New release of Oracle Audit Vault). During this update Oracle mainly moved internally to a 184.108.40.206 database. The architecture has remained more or less the same. But this has changed now. Oracle is trying to complete its security portfolio. Therefore Oracle has merged the two Oracle Audit Vault and Oracle Database Firewall into the new Oracle Audit Vault and Database Firewall. From the security officer point of view it is definitely more interesting to only have one platform. On the other hand a software appliance is one of the favorites of the DBA and Unix admins. What about, updates, HA, backup & recovery etc? I’ll try to consider these thoughts in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.
Some short notes on the new features:
- Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
- Internally Oracle does use Oracle 220.127.116.11 including Advance Security and Database Vault to enforce Database security and segregation of duties
- One simple setup does install and configure the operating system, software, database, web frontend etc
- Audit Vault Agents for:
- Oracle Database 10g
- Oracle Database 11g
- Microsoft SQL Server 2000
- Microsoft SQL Server 2005
- Microsoft SQL Server 2008
- Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
- IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
- Solaris operating system
- Oracle ACFS
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Active Directory 2008
- Microsoft Active Directory 2008 R2 on 64 bit
As initially mentioned Audit Vault and Database Firewall are moving closer. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. Former Database Firewall Management Server is eliminated and thus is replaced with Oracle Audit Vault.
An important note here is that Oracle Audit Vault can not be installed on different platforms as before. It is rather a software appliance like the Oracle Database Firewall. The license for each Oracle Audit Vault and Oracle Database Firewall includes always a license for Oracle Enterprise Linux as well. To install only the appropriate hardware is required. This can be a virtual or a physical host. To setup my test environment, I’ve use as usual virtual servers.
Oracle AVDF Requirements
To install Oracle AVDF the following minimal Hardware Requirements must be met. See as the online installation guide for more details on the installation requirements in particular for the supported secured target products (agents).
- x86 64-bit Server
- 2 GB Ram
- single hard drive 125 GB
- 1 NIC for Audit Vault Server
- 1 NIC for Database Firewall Proxy Mode
- 2 NICs for Database Firewall DAM Mode (monitoring)
- 3 NICs for Database Firewall DPE Mode (blocking)
In addition to the hardware the following software is required to begin the installation:
- Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
- Oracle Audit Vault and Database Firewall (18.104.22.168.0) – Server V35715-01 (3.4GB)
- Oracle Audit Vault and Database Firewall (22.214.171.124.0) – Database Firewall V35716-01 (3.1GB)
The server can not be used for other activities, setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage the server. But I’ll post more details on the installation later this month.
Links all around the new Oracle Audit Vault and Database Firewall…
Today Oracle has published the Pre-Release Announcement for the first CPU Patch in 2013. This Critical Patch Update contains 86 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is quite a small update. There is only one security fix for the Oracle Database Server and no for client-only installations.
Although the CVSS rating of this vulnerability is 9.0, it looks that there is no hurry to install this security fix on most of the database environments. This is because only the spatial is affected. If this is true, we’ll see next Tuesday when Oracle is officially releasing CPU / PSU January 2013. Next week I’ll have a closer look.
More details about the patch will follow soon on the Oracle Security Pages.
Today Oracle has published the Pre-Release Announcement for the october CPU Patch. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are just for the Oracle Database Server including 2 fixes for client-only installations. What frighten me a bit, is the CVSS Base Score of 10 for the core RDBMS. Oracle apparently has to close another big security issue. The core RDBMS is by the way the only component which has to be patched by this CPU. In combination with this severity everybody will have to patch. SCN flaw, TNS poisoning, Oracle Password Hashing Algorithm Weaknesses, etc obviously it’s the oracle-year of critical issues. Any way we will see it next week in detailed. As mentioned just the following Database Server Products are affected.
So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (126.96.36.199,188.8.131.52), Oracle Database 11g Release 1 (184.108.40.206) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5).
The official release for the CPU / PSU is planned for next week 16 October 2012. More details about the patch will follow soon on the Oracle Security Pages.
Today Oracle announced the general availability of Enterprise Manager Cloud Control 12c Release 2. (see press release Oracle Enterprise Manager 12c Release 2 Now Available ) The release introduces a bunch of new and improve capabilities for deploying and managing business applications in an enterprise private cloud, such as Java Platform-as-a-Service (PaaS), enhanced business application management, and integrated hardware-software management for Oracle Exalogic Elastic Cloud.
General availability means in this case, that the new binaries can be downloaded on OTN for Linux x86-64 (64-bit), Linux x86 (32-bit), Solaris Operating System (SPARC), Solaris Operating System (x86-64), IBM AIX on POWER Systems (64-bit) and Windows x86-64 (64-bit)
What’s New in 220.127.116.11
According the online documentation this release includes the following new features:
- Framework and Infrastructure
Enterprise Monitoring and Incident Management Features
- EM CLI Verbs Available in the Software Library
- Stage Operation
- Enhanced Repository Page
- New Oracle Management Service Page
- Consolidated Agent Management Page
- Dynamic Groups
- Support for BI Publisher 18.104.22.168
- Better Support for Changing WebLogic Server Demonstration Certificates
- EM CLI Tracking and Setup
- Support for Properties for Enterprise Manager Administrators
Fusion Middleware Plug-in 22.214.171.124 Features
Application Management Features
- Search in Administration Group Hierarchy
- Monitoring Templates and Template Collections Enhancements
- Grant Edit or Full Privileges on Metric Extensions
- Monitoring Templates and Template Collections Enhancements
- Incident Manager Updates
Cloud Management Features
- Oracle Fusion Applications Plug-in 126.96.36.199 Features
Heterogeneous (Non-Oracle) Management
- Cloud Management Plug-in 188.8.131.52 Features
- Virtualization Management Plug-in 184.108.40.206 Features
Links all around the Enterprise Manager, software, presentations and documentation:
The requirements are still the same as for 12c release 1. The following excerpt has been taken from Oracle® Enterprise Manager Cloud Control Basic Installation Guide.
- OS Requirments: Oracle Linux 6, Oracle Linux 5.x, Red Hat Enterprise Linux 5.x, SUSE Linux Enterprise 10, SUSE Linux Enterprise 11, Asianux Server 3
- Hardware Requirments OMS (small) : 2 Cores, 4 GB RAM 6 GB RAM with ADPFoot 1 , JVMDFoot 2, 10 GB Hard Disk Space or 14GB Hard Disk Space with ADP, JVMD
As soon as I find time I’ll install this new release….