Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

New Oracle Audit Vault and Database Firewall

In the hustle and bustle of the Christmas season it went almost unnoticed that Oracle had released a new version of Oracle Audit Vault, now called Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look at the new release.

What’s New

About a year ago Oracle released Audit Vault Server 10.3 (see New release of Oracle Audit Vault). With that update Oracle mainly moved internally to an 11.2.0.3 database; the architecture remained more or less the same. This has changed now. Oracle is trying to complete its security portfolio and has therefore merged the two products, Oracle Audit Vault and Oracle Database Firewall, into the new Oracle Audit Vault and Database Firewall. From the security officer's point of view it is definitely more interesting to have only one platform. On the other hand, a software appliance is one of the favorites of DBAs and Unix admins: what about updates, HA, backup & recovery etc.? I'll try to consider these questions in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.

Some short notes on the new features:

  • Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
  • Internally Oracle uses Oracle 11.2.0.3 including Advanced Security and Database Vault to enforce database security and segregation of duties
  • A single setup installs and configures the operating system, software, database, web frontend etc.
  • Audit Vault Agents for:
    • Oracle Database 10g
    • Oracle Database 11g
    • Microsoft SQL Server 2000
    • Microsoft SQL Server 2005
    • Microsoft SQL Server 2008
    • Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
    • IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
    • Solaris operating system
    • Oracle ACFS
    • Microsoft Windows Server 2008
    • Microsoft Windows Server 2008 R2
    • Microsoft Active Directory 2008
    • Microsoft Active Directory 2008 R2 on 64 bit

New Architecture

As initially mentioned, Audit Vault and Database Firewall are moving closer together. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. The former Database Firewall Management Server is eliminated and replaced by Oracle Audit Vault.

(Figure: overview of the Oracle Audit Vault and Database Firewall architecture)

An important note here is that Oracle Audit Vault can no longer be installed on different platforms as before. It is now a software appliance like the Oracle Database Firewall. The license for Oracle Audit Vault and for Oracle Database Firewall always includes a license for Oracle Enterprise Linux as well. For the installation only the appropriate hardware is required; this can be a virtual or a physical host. To set up my test environment I've used virtual servers as usual.

Oracle AVDF Requirements

To install Oracle AVDF the following minimal hardware requirements must be met. See the online installation guide for more details on the installation requirements, in particular for the supported secured target products (agents).

  • x86 64-bit server
  • 2 GB RAM
  • single hard drive of 125 GB
  • 1 NIC for Audit Vault Server
  • 1 NIC for Database Firewall Proxy Mode
  • 2 NICs for Database Firewall DAM Mode (monitoring)
  • 3 NICs for Database Firewall DPE Mode (blocking)

In addition to the hardware the following software is required to begin the installation:

  • Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
  • Oracle Audit Vault and Database Firewall (12.1.0.0.0) – Server V35715-01 (3.4GB)
  • Oracle Audit Vault and Database Firewall (12.1.0.0.0) – Database Firewall V35716-01 (3.1GB)

The server cannot be used for other activities; the setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage the server. I'll post more details on the installation later this month.

Resources

Links all around the new Oracle Audit Vault and Database Firewall…

Oracle CPU / PSU Pre-Release Announcement January 2013

Today Oracle has published the Pre-Release Announcement for the first CPU patch in 2013. This Critical Patch Update contains 86 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is quite a small update: there is only one security fix for the Oracle Database Server and none for client-only installations.

Although the CVSS rating of this vulnerability is 9.0, it looks as though there is no hurry to install this security fix on most database environments, because only the Spatial component is affected. Whether this is true we'll see next Tuesday, when Oracle officially releases CPU / PSU January 2013. Next week I'll have a closer look.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Pre-Release Announcement October 2012

Today Oracle has published the Pre-Release Announcement for the October CPU patch. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are for the Oracle Database Server, including 2 fixes for client-only installations. What frightens me a bit is the CVSS Base Score of 10 for the core RDBMS. Oracle apparently has to close another big security issue. The core RDBMS is, by the way, the only component which has to be patched by this CPU. In combination with this severity everybody will have to patch. SCN flaw, TNS poisoning, Oracle password hashing algorithm weaknesses, etc.: it is obviously the Oracle year of critical issues. Anyway, we will see the details next week. As mentioned, only the following Database Server products are affected.

  • Core RDBMS

So far the Database Server patches are planned for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.2.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5).

The official release for the CPU / PSU is planned for next week 16 October 2012. More details about the patch will follow soon on the Oracle Security Pages.

Enterprise Manager Cloud Control 12c Release 2

Today Oracle announced the general availability of Enterprise Manager Cloud Control 12c Release 2 (see press release Oracle Enterprise Manager 12c Release 2 Now Available). The release introduces a bunch of new and improved capabilities for deploying and managing business applications in an enterprise private cloud, such as Java Platform-as-a-Service (PaaS), enhanced business application management, and integrated hardware-software management for Oracle Exalogic Elastic Cloud.

General availability means in this case that the new binaries can be downloaded from OTN for Linux x86-64 (64-bit), Linux x86 (32-bit), Solaris Operating System (SPARC), Solaris Operating System (x86-64), IBM AIX on POWER Systems (64-bit) and Windows x86-64 (64-bit).

What’s New in 12.1.0.2

According to the online documentation, this release includes the following new features:

  • Framework and Infrastructure
    • EM CLI Verbs Available in the Software Library
    • Stage Operation
    • Enhanced Repository Page
    • New Oracle Management Service Page
    • Consolidated Agent Management Page
    • Dynamic Groups
    • Support for BI Publisher 11.1.6.0
    • Better Support for Changing WebLogic Server Demonstration Certificates
    • EM CLI Tracking and Setup
    • Support for Properties for Enterprise Manager Administrators

  • Enterprise Monitoring and Incident Management Features
    • Search in Administration Group Hierarchy
    • Monitoring Templates and Template Collections Enhancements
    • Grant Edit or Full Privileges on Metric Extensions
    • Incident Manager Updates

  • Fusion Middleware Plug-in 12.1.0.3 Features

  • Application Management Features
    • Oracle Fusion Applications Plug-in 12.1.0.3 Features

  • Cloud Management Features
    • Cloud Management Plug-in 12.1.0.4 Features
    • Virtualization Management Plug-in 12.1.0.3 Features

  • Heterogeneous (Non-Oracle) Management
    • Metadata Plug-In Support

Resources

Links all around the Enterprise Manager, software, presentations and documentation:

Requirements

The requirements are still the same as for 12c Release 1. The following excerpt has been taken from the Oracle® Enterprise Manager Cloud Control Basic Installation Guide.

  • OS requirements: Oracle Linux 6, Oracle Linux 5.x, Red Hat Enterprise Linux 5.x, SUSE Linux Enterprise 10, SUSE Linux Enterprise 11, Asianux Server 3
  • Hardware requirements OMS (small): 2 cores, 4 GB RAM (6 GB RAM with ADP and JVMD), 10 GB hard disk space (14 GB hard disk space with ADP and JVMD)

As soon as I find time I’ll install this new release.

Oracle TNS Poison vulnerability

A few days after the last Critical Patch Update, Oracle had to post a security alert for CVE-2012-1675. The issue, also known as “TNS Listener Poison Attack”, affects any Oracle Database Server. As a personal reference I have summarized the most important information about this topic.

Vulnerability Description

This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as “TNS Listener Poison Attack” affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied. The post The history of a -probably- 13 years old Oracle bug: TNS Poison by Joxean Koret explains how this vulnerability can be exploited.

Impact

The attack point of this vulnerability is once again the Oracle listener. The impact of this vulnerability depends on the network configuration of the database server and listener. A publicly accessible listener will suffer a lot from this issue, an internal listener a bit less.

  • Publicly accessible listener, e.g. the listener is reachable from the internet => extremely critical
  • Listener is accessible from the company network, e.g. any client can access the listener => very critical
  • Network zoning or network segmentation is used, e.g. only a limited number of systems (application servers) can access the listener => critical

Bug fix

According to Oracle (see web sources below) there is no security fix for this issue. It probably will not be fixed before Oracle 12c. Until then there are several workarounds to eliminate or minimize the potential security risk.

Workaround

In order to prevent exploitation of the vulnerability, dynamic registration must be switched off or limited (e.g. only local registrations, only certain IP addresses, or registrations identified by certificate).

  1. Switch off dynamic registration
     Set dynamic_registration_LISTENER_NAME=off in listener.ora (see DYNAMIC_REGISTRATION_listener_name). Switching off dynamic registration is not an option if you are using Oracle Data Guard, RAC or the PL/SQL Gateway in connection with APEX.

  2. Use Class of Secure Transport (COST) on single-instance databases
     Oracle recommends setting the class of secure transport to restrict instance registration to the local system. This parameter is available since Oracle 10.2.0.3 and can be implemented according to MOS Note 1453883.1.

  3. Use Class of Secure Transport in Oracle RAC
     For RAC the use of COST is a bit more complex and requires configuring SSL/TCPS. This is also only possible for Oracle 10.2.0.3 and newer. It can be implemented according to MOS Note 1340831.1.

  4. Limit network access
     Start using valid node checking to limit access to the listener to certain IP addresses:

       TCP.VALIDNODE_CHECKING = YES
       TCP.INVITED_NODES = (comma-separated list of ALL valid clients)

  5. Limit network access on the network
     As an alternative, limit network access to the listener on the network layer, e.g. network segmentation, firewalls etc.
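Whether a given listener actually has one of the listener-side workarounds above in place can be read from its listener.ora and sqlnet.ora. The following Python script is an added example for this post, not code from the original post or from any Oracle tool. It parses a constructed listener.ora and sqlnet.ora with a deliberately simplified parser (only top-level KEY = value lines are read; nested (DESCRIPTION ...) blocks are skipped) and reports whether dynamic registration is off, whether COST restricts registration (via SECURE_REGISTER_<listener>, the parameter the referenced MOS notes use, set to IPC or TCPS), and whether valid node checking is switched on together with a non-empty invited list. The listener name LISTENER, the host names and the addresses are assumptions.

```python
"""Check listener.ora / sqlnet.ora for the TNS Poison (CVE-2012-1675) workarounds.

Added example: a simplified parser for top-level KEY = value lines only.
Nested (DESCRIPTION ...) blocks are skipped, so this is not a full .ora parser.
"""
import re

# Constructed sample files; listener name, host names and addresses are made up.
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    )
  )
# COST (MOS Note 1453883.1): only local IPC registrations are accepted
SECURE_REGISTER_LISTENER = (IPC)
"""

SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.1.2.10, 10.1.2.11, app01.example.com)
"""

_PARAM = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_ora(text):
    """Return {UPPERCASE_KEY: value} for the top-level assignments of an .ora file."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("("):     # skip nested description lines
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def invited_nodes(sqlnet):
    """Split TCP.INVITED_NODES into a list of hosts/addresses (empty if unset)."""
    raw = sqlnet.get("TCP.INVITED_NODES", "").strip().strip("()")
    return [n.strip() for n in raw.split(",") if n.strip()]


def assess(listener_name, listener, sqlnet):
    """Evaluate the three listener-side workarounds for one listener.

    Absent parameters fall back to Oracle's defaults: dynamic registration ON,
    valid node checking NO.
    """
    name = listener_name.upper()
    dyn_off = listener.get(f"DYNAMIC_REGISTRATION_{name}", "ON").upper() == "OFF"
    cost = listener.get(f"SECURE_REGISTER_{name}", "").upper().replace(" ", "")
    cost_ok = cost in {"(IPC)", "(TCPS)", "(IPC,TCPS)", "(TCPS,IPC)"}
    vnc = sqlnet.get("TCP.VALIDNODE_CHECKING", "NO").upper() == "YES"
    nodes = invited_nodes(sqlnet)
    vnc_ok = vnc and len(nodes) > 0        # YES with an empty list protects nothing
    return {
        "dynamic_registration_off": dyn_off,
        "cost_restricted": cost_ok,
        "valid_node_checking": vnc_ok,
        "invited_nodes": nodes,
        # any one of the three listener-side workarounds limits or closes the exposure
        "mitigated": dyn_off or cost_ok or vnc_ok,
    }


def report(findings):
    """Render the assessment as human-readable lines."""
    def mark(ok):
        return "OK     " if ok else "MISSING"

    lines = [
        f"[{mark(findings['dynamic_registration_off'])}] dynamic registration switched off",
        f"[{mark(findings['cost_restricted'])}] COST restricts registration (IPC/TCPS)",
        f"[{mark(findings['valid_node_checking'])}] valid node checking with invited nodes "
        f"{findings['invited_nodes']}",
        "=> " + ("at least one workaround in place" if findings["mitigated"]
                 else "NO workaround in place, listener is exposed to TNS Poison"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess("LISTENER", parse_ora(LISTENER_ORA), parse_ora(SQLNET_ORA))
    print(report(result))
```

The check treats valid node checking as effective only when TCP.INVITED_NODES actually lists clients; a listener with TCP.VALIDNODE_CHECKING = YES and no invited nodes is reported as unprotected, which is the configuration mistake most worth catching when rolling out workaround 4.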

Strategy

I recommend installing the latest CPU / PSU as well as one of the workarounds mentioned above. In general it is good advice to switch off remote registration if it is not needed, e.g. for RAC.

What to do when the workaround is not available for the database release, e.g. 9i databases? From the security point of view I recommend upgrading the database to the latest supported major release within a reasonable time.

Web Sources

Web sources around this topic.

Oracle Database Security Seminar – New dates

After the two Database Security Seminars in February, Oracle plans two more events in June. I’ll participate with the presentation “Oracle Security – How much should it be?” as already posted in the older blog post Oracle Database Security Seminar – Wieviel darf es denn sein?. The event and presentation are again in German, but a set of slides will be available in English.

Event Information

Event announcement and description on the Oracle website.

Abstract

  • Data theft: a risk for you too?
  • But how high is the risk? And which (sensible!) measures are there to reduce it?

This talk presents a questionnaire-based approach to a risk analysis whose results are used to assign databases to security classes (public, internal, confidential). In a second step the risks per class are defined, together with the measures to reduce them. The goal of the talk is that you learn to classify databases (you know their protection requirements and the acceptable residual risk). In addition you will see, in a practical example, how the necessary measures are implemented.

Slides

The updated slides can be downloaded from this website after the event. Slides from the previous events in Düsseldorf, Berlin and Basel are already available.

Important links around the Oracle CPU / PSU April 2012

I was out of the office when the April CPU / PSU was officially released by Oracle and missed writing a blog post. Nevertheless I’ll now take the chance to put some information and links around the latest CPU together.

The current CPU / PSU patches are available for 10g and 11g, whereby the download of the 10g patches is only possible with a corresponding Extended Support contract.

Overall Oracle addressed 88 vulnerabilities for several Oracle products in this security advisory. 6 of these fixes are for the Oracle Database Server and one for client-only installations. The maximum CVSS base score for pure Oracle Database Server vulnerabilities is 9.0, which is quite high. But the big bang is not the security fixes with a CVSS of 9.0 but an old vulnerability which is not fixed. Oracle addressed it with a dedicated alert, Oracle Security Alert for CVE-2012-1675. The alert is related to an issue identified by Joxean Koret sometime in 2008 and known as TNS Poison. I’ll post a few comments on this later this week.

Affected database components according to the Database Server Risk Matrix:

  • Core RDBMS (mainly Oracle Net)
  • OCI
  • Application Express
  • Enterprise Manager Base Platform

The Database Server patches are available for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.1.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5). There is no patch available for Oracle Database 10g Release 1 (10.1.0.5).

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU:

Update: DOAG / SOUG Security-Lounge at Basel

As announced in my last post DOAG / SOUG Security-Lounge at Basel, I’ve been at the Security-Lounge in Basel. The slides can now be downloaded below or from the download section on this website.

  Oracle_Audit_in_a_Nutshell.pdf
  Oracle_Database_Security.pdf

I’m happy about any comment on the presentation or the slides. Feel free to add a comment or drop me a line by mail.

DOAG / SOUG Security-Lounge at Basel

I haven’t found time to write any blog post in the past weeks. Nevertheless I would like to inform you about the upcoming Security-Lounge in Basel, at which I’ll give two lectures about Oracle Security. It’s a small event with just one speaker 😉 OK, it was planned to have a second one, but it did not work out. The event is organized by the DOAG regional group Freiburg and SOUG. It will start at 17:30 on the 24th of April.

Have a look at the DOAG web page for a detailed agenda of the event and the location. Looking forward to seeing you there.

I’ll post the slides for both presentations on this page shortly after the event.

Oracle Database Security Seminar – Wieviel darf es denn sein?

I have just finished my presentation about database security classification and possible risk minimization at the Oracle Database Security Seminar in Düsseldorf and Baden. Since the whole event is in German, I’ve also written the presentation in German.

Abstract

  • Data theft: a risk for you too?
  • But how high is the risk? And which (sensible!) measures are there to reduce it?

This talk presents a questionnaire-based approach to a risk analysis whose results are used to assign databases to security classes (public, internal, confidential). In a second step the risks per class are defined, together with the measures to reduce them. The goal of the talk is that you learn to classify databases (you know their protection requirements and the acceptable residual risk). In addition you will see, in a practical example, how the necessary measures are implemented.

Slides

The slides can be downloaded below or from the download section on this website.

  Security_Wieviel_darf_es_sein

I’m happy about any comment on the presentation or the slides. Feel free to add a comment or drop me a line by mail.