With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016. Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October). These patches include important fixes for security vulnerabilities in the Oracle Database. The CPUs are only available for certain versions of the Oracle Database; therefore, advance planning is required to ensure supported versions (more...)
With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016. Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October). These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack. The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database, (more...)
Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found or modified that were released in 2015 from various sources.
One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting 18.104.22.168, 22.214.171.124, 126.96.36.199, 12.1.02, fixed in the April 2015 CPU). This bug can be used as a helper (more...)
Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:
- If possible ask for the following:
  - System diagram
  - All URLs – WebLogic, Enterprise Manager and OBIEE
  - Ask about load balancer and reverse proxy
  - WebLogic accounts and passwords for both /EM and /Console
  - TNSNAMES info and DB accounts and passwords for the WebLogic repository database
  - Ideally O/S accounts and passwords for the server supporting WebLogic – will need for (more...)
A question we have answered a few times in the last few months is whether, and if so how easily, Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.
Come see Integrigy's session at Collaborate 2015 in Las Vegas (http://collaborate.ioug.org/). Integrigy is presenting the following paper:
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J
If you are going to Collaborate 2015, we would also be more than happy to talk with you about your Oracle security questions. If you would like to talk with us (more...)
With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.
The following Fine-Grained Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, (more...)
Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).
After a short web search (Google and Twitter, less than 5 minutes) I found an (more...)
I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013“.
This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, hide information from Oracle Auditing using VPD and more…
SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);
At Derbycon 3.0, László Tóth and Ferenc Spala gave a new presentation “What’s common in Oracle and Samsung? They tried to think differently… ” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy, but there was also a small (more...)
Two days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem has been available for nine months.
Oradebug allows running OS commands and enabling/disabling Oracle SYSDBA (more...)