Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).
After a short research on the web (google and twitter, less than 5 minutes) I found an (more...)
I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013“.
This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…
SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);
At Derbycon 3.0, László Tóth and Ferenc Spala gave a a new presentation “What’s common in Oracle and Samsung? They tried to think differently… ” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy but there was also a small (more...)
2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.
Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA (more...)
Yesterday I gave a presentation ”Best of Oracle Security 2012” at the DOAG 2012 conference in Nürnberg.