Posts related to Oracle 11g Release 2
Recently, just in the middle of the summer holidays, Oracle has released the third Critical Patch Advisory for its products. It seems there’s a lot of work going on in Redwood Shore. Oracle has fixed about 319 security vulnerabilities across their products. The Oracle database is relatively prominently represented with 9 security vulnerabilities and a […]
Today Oracle has published the Pre-Release Announcement for the July 2018 Critical Patch Update. It’s quite a heavy update with not less than 334 security vulnerability fixes across the Oracle products. The Oracle database is relatively prominently represented with 3 security vulnerabilities and a maximal CVSS rating of 9.8. Of the vulnerabilities is remotely exploitable […]
Oracle recently released the spring Critical Patch Advisory. It is the first critical patch update, which also includes fixes for Oracle 18c. Over all it includes 254 new security fixes across the product families. Overall a rather large update, although only a security vulnerability is patched for the Oracle databases. This vulnerability is not remotely […]
The Oracle open world 2017 is over, the dust just settled down. A perfect time for Oracle to release the October critical patch advisory. With not less than 270 new security vulnerability fixes across the Oracle products it seems to be a rather huge update. From the DB perspective it is nothing unusual. It contains […]
Last night Oracle released there new Critical Patch Update. From the DB perspective it is a rather small patch update. It just includes 2 fixes for security vulnerabilities on Oracle database 11.2.0.4 and 12.1.0.2. None of the vulnerabilities are remote exploitable without authentication but one fix is also for client only installations. The highest CVSS […]
Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup […]
Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) Wallets, is beyond discussion. Nevertheless it can happen that you lose or corrupt the Oracle Wallet. With Transparent Data Encryption (TDE), this is really bad luck, because you can not access your encrypted data. Losing an EUS wallet is […]
Oracle has published the Pre-Release Announcement for the July 2016 Critical Patch Update. It’s quite a huge update with not less than 276 security vulnerability fixes across the Oracle products. For the Oracle Database itself are 9 security fixes available. Dies ist wiederum eines der größeren Critical Patch Update for databases. It does contain bug […]
Since the release of Oracle 12cR1 mid 2013 the network encryption and strong authentication services has been removed from the Oracle Advanced Security Option. Both feature are now available for any licensed editions. Corresponding section in the Oracle Licensing Guide for 11g R2 and 12c R1 has been updated. Network encryption (native network encryption and […]
Oracle has published the Pre-Release Announcement for the first Critical Patch Update in 2015. This Critical Patch Update contains 167 new security vulnerability fixes across all Oracle products. It looks like that this CPU does contain a bunch of critical security fixes for Oracle databases. Actually there are 7 fixes for security vulnerabilities, but none […]
The draft version of this blog post is lying around for some time in my inbox. I’ve never found time to finish it. But due to a task in a project it’s about time to finish my notes on Oracle’s Secure External Password Store. Ludovico, a work colleague has already written a blog post about Removing passwords from Oracle scripts earlier this year. I would like to complement the topic and discuss a few points specifically in connection with RMAN Backup’s and a central RMAN catalog. The goal remains the same, getting rid of passwords with a minimal operational effort.
Oracle has published the Pre-Release Announcement for the July 2014 Critical Patch Update. It looks like that the next Critical Patch Update is somewhat more extensive from the database point of view. It does contain six bug fix for some major security issues. Some of the vulnerabilities may be remotely exploitable without authentication. The security […]
As commonly known passwords should have a certain complexity. Thereby it is common to use special characters, numbers, lower and uppercase characters. Depending on the type of special characters Oracle require that the password is enclosed in double quotation marks. Oracle does provide a guideline for Securing Passwords in the Oracle® Database Security Guide. So […]
A couple of days ago Trivadis released the Trivadis PL/SQL & SQL CodeChecker (tvdcc) as SQL Developer Extension. TVDCC does check the editor content for compliance violations of the Trivadis PL/SQL & SQL Coding Guidelines Version 2.0. Quote from the blog post of my work colleague: Furthermore McCabe’s cyclomatic complexity, Halstead’s volume, the maintainability index […]
While writing a post about the new Critical Patch Advisory I’ve discovered, that Oracle made the Information about the OpenSSL Vulnerability publicly available. The information in MOS Note 1645479.1 has been moved to OpenSSL Security Bug – Heartbleed CVE-2014-0160. Until now it looks like that Oracle Databases are not affected since they do not use […]
As announced last week in my post Oracle CPU / PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Updates for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only […]
The company I work for, Trivadis, organized again an exceptional event with top speakers in Zurich. This year’s focus will be on the Oracle Database query optimizer, also known as cost-based optimizer (CBO). The query optimizer is not only one of the most complex pieces of software that constitutes the Oracle kernel; it is also […]
Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. There are only a few days since the publication of the vulnerability CVE-2014-0160 known as “Heartbleed”. Therefore I assume, that this patch update does not yet address […]
Today Oracle has published the Pre-Release Announcement for the first CPU Patch in 2014. This Critical Patch Update contains 147 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is a small update. There are only five security fix for the Oracle Database Server and no for client-only […]
As announced yesterday in my post Oracle CPU / PSU Pre-Release Announcement October 2013, Oracle has now released the last Critical Patch Updates for 2013. Overall this CPU contains 126 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 […]
Oracle has published the Pre-Release Announcement for the October CPU/SPU Patch. This Critical Patch Update contains 126 new security vulnerability fixes for several Oracle products. Despite the large amount of security fixes, it is a rather small update from the database point of view. There are only two security fix for the Oracle Database Server […]
Oracle has released the patchset 11.2.0.4.0 for Oracle 11g Release 2. The current patchset is as well as the other 11g R2 patchsets a full installation. This means you will have to download quite a bit from Metalink, altogether 7 files. On My Oracle Support search for patchset 13390677 or follow the link to reach […]
It is sometimes a bit of a hassle, to have the latest patch name or number on hand, when you need them. Ok, you may search on My Oracle Support and save it as custom search. But it may happen that the search is inaccurate and the required patch is not found. A much easier […]
Perl and Oracle has not always an easy past. Depending on the OS type and Oracle Version it can be quite nerve racking to compile DBI and DBD::Oracle. In addition to DBD::Oracle there are also other binary Perl modules that are not so easy to compile. On operating systems such as Microsoft Windows it is necessary to […]
It is not really a novum that you can directly query the alertlog from SQLPlus. Tanel Poder and others already have discussed this a while ago. Somehow I can never remember the name of the X$ view when I need it. So it is time to sum up the information a little bit. SQL> desc […]
About a week ago Oracle has released the July Critical Patch Updates. Overall this CPU contains 89 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database Server it does contain 6 fixes, but none of them is for client-only installation. 1 of these […]
I’ve just tried to get a few information from the Automatic Workload Repository (AWR). I actually wanted to put together an overview of various system metrics from DBA_HIST_SYSMETRIC_SUMMARY to create a chart. Unfortunately the data is stored as name/value pairs and not in columns. So it’s time again to convert rows to columns. There are […]
There are several way’s to find information on internal oracle errors like ORA-00600 and ORA-07445. Looking up google is one of them, but not in any case the best one. If you are using Oracle Metalink you may just search for the ORA-00600 and the error code of first argument or use the ORA-600/ORA-7445/ORA-700 Error […]
Following a question to the blog post Database Audit and Audit trail purging, I noticed something interesting about the DEFAULT_CLEANUP_INTERVAL parameter. On one hand, it is mandatory to initialize the audit trail and to define a DEFAULT_CLEANUP_INTERVAL, on the other hand, the parameter is not used at all. Oracle explains this in the MOS note Parameter […]
Once again, Oracle has published the Pre-Release Announcement for the first CPU Patch in 2013. This Critical Patch Update is reasonably small and contains 86 new security vulnerability fixes for several Oracle products. Only one of these fixes is just for the Oracle Database Server.
Today Oracle has published the Pre-Release Announcement for the october CPU Patch. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are just for the Oracle Database Server.
The DOAG regional group is organizing together with SOUG a Security Lounge on the 24th of April. I’ll attend this event with two short presentations on Database Security and Oracle Auditing.
This post focuses on init.ora parameters. It is not really new topic, but rather a personal reference to some practical queries and scripts. If you are the customer, it’s always handy when you can easily access your own queries.
Oracle has officially released the CPU / PSU Patches for january 2012. The Critical Patch Updates contains 78 security fixes across all products. But only two out of this 78 fixes are for Oracle databases.
Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are just for the Oracle Database Server.
I was on leave for the past few weeks. After digging through tons of e-mails I finally found time to look into EM 12 Cloud Control. Unfortunately, I’ve forgotten my SYSMAN password and the EM 12c test installation is no longer running. As you say: “Holidays where one forgets everything, must be good holidays.”
Oracle has just officially released the CPU / PSU Patches for october 2011. In contrast to the previously announced 56 bug fixes, there are now 57 bugfix. It looks like another bug fix for databases has been added to the CPU / PSU bundle.
Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 56 new security vulnerability fixes for several Oracle products. 4 of these fixes are just for the Oracle Database Server.
Just realized, that the Patchset 11.2.0.3.0 has been released for Solaris SPARC 64 and Solaris x86-64
Almost a week ago Oracle has released the latest patch set 11.2.0.3.0 for Oracle 11g Release 2. So far the patch set has only be released for Linux 32bit and 64bit.
It looks that not only diamonds are forever but also tablespace quotas. Due to the fact that Oracle has a history of tablespaces, it’s kind of obvious that it also keeps information quotas. Is this an expected behavior? What could be the impact ?
Tablespace point in time recovery (TSPITR) in particular, the fully automatic TSPITR is not a 11g new feature. It is likely that this can be used without any problem. But it looks like that a bug has been introduced with the latest patchset (11.2.0.2). What is the problem and how can it be workaround?
Setting up database audit is fairly easy. Since the availability of DBMS_AUDIT_MGMT the housekeeping of the audit trail is just a trifle. After the introduction of DBMS_AUDIT_MGMT in an post early this February, I would like to take a closer look at the housekeeping of the Audit Trail and provide a simple example how this could be implemented.
When performing a database security audit various informations about users, roles and privileges have to be collected, including “who has unlimited tablespace on SYSTEM”. It is quite easy to find user with UNLIMITED TABLESPACE or a UNLIMITED quota on SYSTEM. But what when the system privilege is assigned to a role or over several roles? It is still easy if you use hierarchical queries to drill down the cascaded roles, but there is plenty to write…
On the 24 of March I’ll have a presentation on Database Audit and DBMS_AUDIT_MGMT at the SOUG SIG Event. The presentation is about 30 minutes and will cover a rough overview of DBMS_AUDIT_MGMT, latest Issues and Bugs as well some Ideas on how audit could be simplified. Have a look at the SOUG Webpage for […]
With 11g R1 Oracle introduced case sensitive passwords for database accounts based on the SHA1 hash algorithm. This feature can easily be enabled with the init.ora parameter SEC_CASE_SENSITIVE_LOGON. As soon as this parameter is set to true, all new passwords will be case sensitive. Existing passwords will remain case insensitive until they are changed.
The downside of this new feature is, that the passwords are also stored with the pre-11g database password hash. This is a potential security leak. The pre-11g password hash string from USER$ can be used to crack the case insensitive version of the password. All kind of tools, utilities, password lists etc are available to do this. As soon as the case insensitive version of the password is known, the case sensitive password can be guessed.
To get rid of this security leak, the pre-11g database password hashes have to be cleared. This blog post shows how this can be done.
I’ve recently wrote an DOAG article about Managing Audit Trails with dbms_audit_mgmt, which has been officially introduced in Oracle 11g R2. This blog post is just to link the article and provides a few more information.
I’ve screwed up somehow this post and created a new one Case Sensitive Passwords and Strong User Authentication. This is mini post is just to make sure that an already published permalink does not points to /dev/null…
I’ve screwed up somehow this post and created a new one Manage Audit Trails with DBMS_AUDIT_MGMT. This is mini post is just to make sure that an already published permalink does not points to /dev/null…