Category Archives: Security

Oracle Interactive Quick Reference

Remember those enormous posters of Oracle’s data dictionary views you used to see in DBA shops?

Here’s the Oracle 12c Interactive Quick Reference – more interactive and less need for pulp.

The Oracle 11g Interactive Quick Reference can be downloaded from here.


GHOST glibc exploit

Exadata’s compute nodes and storage cells may be vulnerable to the glibc “GHOST” vulnerability that’s currently in the tech news (full control of a remote system can be obtained through gethostbyname()).

Remedial steps for Exadata can be found here:

glibc vulnerability (CVE-2015-0235) patch availability for Oracle Exadata Database Machine (Doc ID 1965525.1)

As it’s a vulnerability in glibc, other RHEL / OEL systems might also be affected. Unpatched versions of glibc from 2.2 to 2.17 contain the vulnerability.

To check whether a system is vulnerable, query the installed glibc package:

        rpm -q glibc
        glibc-2.12-1.132.el6_5.4.x86_64

If the installed glibc version matches or is newer than the version listed below for its release, the system is NOT vulnerable.

• RHEL 5: 2.5-123
• RHEL 6: 2.12-1.149
• RHEL 7: 2.17-55

If the installed version is older than these, “yum update glibc” will install the latest version, which includes the fix. A server reboot is then necessary, because processes that are already running keep the old library loaded.
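As an added example (not from the post, nor Oracle or Red Hat tooling), the script below automates the comparison just described: it takes the package name that rpm -q glibc prints, strips the package name, architecture and dist tag, and compares the remaining VERSION-RELEASE against the threshold for that release. It assumes rpm’s NAME-VERSION-RELEASE.ARCH naming and that the el5/el6/el7 dist tag identifies the RHEL/OEL major; the sample package names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's or Oracle's code): classify the glibc package
# reported by "rpm -q glibc" against the fixed versions listed in the post.
# Assumes rpm's NAME-VERSION-RELEASE.ARCH naming and that the dist tag
# (el5/el6/el7) identifies the RHEL/OEL major release.

# Fixed VERSION-RELEASE per dist tag: the thresholds from the post.
fixed_for_dist() {
    case "$1" in
        el5) printf '2.5-123\n' ;;
        el6) printf '2.12-1.149\n' ;;
        el7) printf '2.17-55\n' ;;
        *)   printf '\n' ;;
    esac
}

# Compare two VERSION-RELEASE strings component-wise, splitting on '.' and
# '-' and comparing numerically. Prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing trailing components count as 0, so 2.12-1.149 equals 2.12-1.149.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Turn glibc-2.12-1.132.el6_5.4.x86_64 into "2.12-1.132 el6": drop the
# package name, the architecture, and the dist tag plus everything after it
# (the post's thresholds omit the dist tag, so it must not take part in the
# comparison).
parse_glibc_nvra() {
    s=${1#glibc-}
    for arch in x86_64 i686 i386 noarch; do s=${s%.$arch}; done
    case "$s" in
        *.el[0-9]*)
            dist=$(printf '%s\n' "$s" | sed 's/.*\.\(el[0-9][0-9]*\).*/\1/')
            s=$(printf '%s\n' "$s" | sed 's/\.el[0-9].*$//') ;;
        *)
            dist=unknown ;;
    esac
    printf '%s %s\n' "$s" "$dist"
}

# Print "fixed", "vulnerable" or "unknown" for one "rpm -q glibc" line.
# "unknown" means the dist tag is missing or not one the post lists.
ghost_status() {
    set -- $(parse_glibc_nvra "$1")
    verrel=$1; dist=$2
    fixed=$(fixed_for_dist "$dist")
    if [ -z "$fixed" ]; then
        printf 'unknown\n'
    elif [ "$(vercmp "$verrel" "$fixed")" -ge 0 ]; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# Stand-alone run: constructed sample package names (the first is the one
# shown in the post), then the live package(s) if rpm is available. A
# multilib host can report two glibc packages; every one of them must be fixed.
for pkg in glibc-2.12-1.132.el6_5.4.x86_64 glibc-2.12-1.149.el6_6.5.x86_64 \
           glibc-2.17-78.x86_64; do
    printf '%-40s %s\n' "$pkg" "$(ghost_status "$pkg")"
done
if command -v rpm >/dev/null 2>&1; then
    for pkg in $(rpm -q glibc 2>/dev/null); do
        printf '%-40s %s\n' "$pkg" "$(ghost_status "$pkg")"
    done
fi
```

Two caveats for anyone using this as a fleet check: rpm reports what is installed on disk, not what running processes have mapped, so a host that shows "fixed" is still exposed until it has been rebooted (or every long-running process restarted); and a package built from a different dist tag, or a vendor-rebuilt glibc, comes back as "unknown" rather than being guessed at. On RHEL-family hosts, rpm -q --changelog glibc | grep CVE-2015-0235 is a complementary check that looks for the fix in the package changelog instead of comparing version numbers.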

Oracle’s Critical Patch Update for January 2015

Oracle announced their Critical Patch Update for January 2015 today.

The CPU includes a fix for a troubling E-Business Suite bug found by David Litchfield: EBS grants the INDEX privilege on the SYS-owned DUAL table to PUBLIC by default.

The database vulnerability with the highest CVSS base score is CVE-2014-6567, which could allow pre-12c databases on Windows to be “entirely compromised”. If you’re not running pre-12c databases on Windows, the score is noticeably reduced, but it is still a 6.5.

In other news, 12.1.0.2.3 is out, should you live your life on the bleeding edge of technology.  Quarterly Full Stack Download Patches for Exadata are referenced in the availability note but don’t yet link to public documents; no doubt they will soon.

SSL 3.0 is now disabled by default in Java SE. Thanks to POODLE (really), it’s considered obsolete, and SSL as a whole should be disabled since organizations “can no longer rely on SSL to ensure secure communications between systems”.

Quite a scary world out there, huh?

MOS reference notes: 1935468.1, 1942215.1


UKOUG 2014 – Dan Norris – Exadata Security Best Practices

Dan Norris of the Maximum Availability Architecture team gave what sounded like a very interesting presentation at UKOUG 2014. There seemed to be a lot of really cool stuff at this year’s event, which is to be expected as I no longer reside in the UK!

I encourage you to take a look at the slides, but also at the interesting links he provided:

Naturally, he also quoted a plethora of My Oracle Support notes – some of the greatest hits and some which you might not have seen before:

  • Responses to common Exadata security scan findings (Doc ID 1405320.1)
  • Oracle Sun Database Machine X2-2/X2-8, X3-2/X3-8 and X4-2 Security Best Practices (Doc ID 1071314.1)
  • How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata Database Machine (Doc ID 1291766.1)
  • Exadata Database Machine and Exadata Storage Server Supported Versions (Doc ID 888828.1)
  • Information Center: Oracle Exadata Database Machine (Doc ID 1306791.2)

Happy reading!


Oracle Big Data SQL Primer

What is Big Data SQL?
Oracle Big Data SQL runs on the Big Data Appliance and allows an Oracle database to run one SQL query to pull data from disparate sources such as Hadoop, NoSQL and relational databases.


Major Data Exploit Patched by January 2014’s CPU

Today, an Oracle security blog revealed a “monster bug” (actually, TWO of them) which allows a user to UPDATE data in a table in another schema on which they hold only the SELECT privilege.

In case you’re wondering, the author did inform Oracle a year ago, and has sat on it since, so a huge amount of kudos to them! What follows is gratuitously stolen from that blog.

The user has to create a “simple” view based on the table, and then a non-“simple” view (an aggregate view, for example) based on the first view; the second view bypasses the table’s object privileges.

By exploiting this bug, the user may be able to cover their tracks and to obtain DBA access.

This is known to exist in all “current” versions of the database (11g and 12c, not clear if it includes 9i or 10g). The bug has been fixed with the January 2014 (and onwards) CPU for 11g and 12c, but there is no fix for earlier versions (yet, if ever).

A working example can be seen after the break – DO NOT RUN THIS IN PRODUCTION!!!


Exadata and the OpenSSL/”HeartBleed” Exploit

Oracle have published MOS note 1645479.1, which describes the impact of the OpenSSL “HeartBleed” bug on their products.

It appears that the individual components of Exadata – with the exception of OEM Cloud/Grid Control – are NOT impacted by the OpenSSL/HeartBleed bug.

Obviously, this depends on your software stack, so I urge you to read 1645479.1 as soon as possible.

Exadata-related products which, while using OpenSSL, were never vulnerable:

  • Audit Vault
  • Exadata (prod 2546)
  • Exalogic
  • ILOM 3.2.2 and earlier
  • NM2 IB switches
  • NM2-36P InfiniBand switches
  • Oracle Linux 5 (watch out for EL 6 – this IS vulnerable, but has a fix!)
  • Oracle Secure Backup 10.2 and 10.3
  • Oracle ZFS Storage Appliance
  • Sun System Firmware

Exadata-related products which are likely vulnerable but have no fixes yet available:

  • EM Cloud Control
  • EM Grid Control

Exadata-related products which do NOT include OpenSSL:

  • Database
  • JavaVM
  • Linux 5