Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short search on the web (Google and Twitter, less than 5 minutes) I found an (more...)

Best of Oracle Security 2013

I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013”.


This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, hide information from Oracle Auditing using VPD and more…


SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);


Decrypt Oracle and database link passwords

At Derbycon 3.0, László Tóth and Ferenc Spala gave a new presentation “What’s common in Oracle and Samsung? They tried to think differently…” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy, but there was also a small (more...)

Fix for oradebug disable auditing available (

2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem has been available for 9 months.

Oradebug allows running OS commands and enabling/disabling Oracle SYSDBA (more...)

DOAG 2012: Best of Oracle Security 2012

Yesterday I gave a presentation “Best of Oracle Security 2012” at the DOAG 2012 conference in Nürnberg.

Best of Oracle Security