Oracle Security Blog

Oracle has certified Oracle 10g (10.2.0.2) Transparent Data Encryption (TDE) with Oracle Applications 11i -- TDE is part of the Oracle Advanced Security Option (ASO), which is a database option and is an additional cost.

Oracle has released the January 2007 Critical Patch Update (CPU).  A major change for this quarter's CPU was the release of a pre-announcement on January 11th giving an overview of the products patches and a summary of the vulnerabilities.  On the surface, the pre-announcement looked pretty bad with the highest CVSS base score being 7.0 for the database, Enterprise Manager, and E-Business Suite.  However, the worst database vulnerabilities are exclusively in the Oracle HTTP Server, which is an optional component for the database.

For those of you who are OAUG members, I will be presenting an OAUG eLearning session on the Oracle Critical Patch Update January 2007 and the impact on the E-Business Suite.  This session will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy.  Depending the vulnerabilities fixed in the CPU, there may even be some demonstrations of the actual vulnerabilities.

Here is a quick analysis of the pre-release announcement for the January 2007 Critical Patch Update (CPU) -

Oracle is now going to publish a "Pre-Release Announcement" for each Critical Patch Update starting with the CPU to be released next week.  The Pre-Release Announcement contains the executive summaries, list of affected products, and the highest CVSS score for each product.  The January 2007 CPU Pre-Release Announcement is available here.

Due to the number of client inquiries regarding my recent posting on the Oracle Applications 11i password decryption issue, we have written a whitepaper on the subject to provide more details and additional recommendations.  This issue is really a "perfect storm" with the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted insec

If you haven't noticed due to the holidays, Oracle has finally released the October 2006 Critical Patch Update (CPU) for 9.2.0.8 on Unix/Linux and Windows.  These patches were released 75 days after the CPU and at least 45 days after the initial projected date.

The 9.2.0.8 Database patch should be applied for all Oracle E-Business Suite databases running 9.2.0.8, even though the patch is not listed in the CPU documentation for the E-Business Suite.

We have updated our free Oracle Database Listener Security Check tool that analyzes security of the Oracle Database TNS Listener to identify potential security issues.

Two new features have been added from upcoming changes to our AppSentry security auditing tool -

Two weeks after the initial release of the October 2006 Critical Patch Update (CPU) Advisory, Oracle added information about the Oracle Database 9.2.0.8 being vulnerable and about a patch being available in the future.  The 9.2.0.8 patch release date keeps getting pushed back and is now scheduled for December 22 on Unix/Linux and December 15 for Windows (5 days ago).

We have updated our free Oracle Database Listener Security Check tool that analyzes security of the Oracle Database TNS Listener to identify potential security issues.  The tool performs four basic checks for the Database Listener in a simple and user friendly way - (1) is a listener password set, (2) is ADMIN_RESTRICTIONS set, (3) is logging enabled, and (4) is LOCAL_OS_AUTHENTICATION enabled for Oracle 10g.  It is a single executable that can be run from any Windows XP/2000 PC, requires no Oracle client install, and can

The inherent weakness of the Oracle Applications 11i user password algorithm is a topic that every so often gets some attention.  It bubbles up and then is largely forgotten by most.  However, the issue doesn't go away and is very much alive today even in 11.5.10.2.  See the references at the end of this post for a little history of the topic.  This password weakness (along with the APPLSYSPUB database account) is really a hold-over from client/server and is an inherent design flaw in the current architecture of Oracle Applications.

With the advent of legislative mandates like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), the security and auditing of Oracle Databases has become much more of a priority for most organizations. A common solution has been to implement an Oracle-aware Intrusion Detection System (IDS) or auditing product to address these legislative mandates and increased auditor scrutiny.

In a follow-up to my previous post regarding mystery patches for 9.2.0.8 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 9.2.0.8.  However, the patches for 9.2.0.8 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).

A new attack vector for the Oracle Database has been identified related to exploiting DBMS_SQL cursors that have not properly been closed.  The name for this type of attack is "Dangling Cursor Snarfing."  David Litchfield's paper on the topic can be found here.

Exploitation of this type of vulnerability is limited and requires ALL of the following conditions -