Tag Archives: security

Oracle Critical Patch Update for July 2015

Oracle’s Critical Patch Update is out for July 2015:

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Affected are database versions 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2.

This is the final patch for both the 11.1.0.7 and 11.2.0.3 releases. The final patch for 12.1.0.1 will be released in January 2016.

The most prominent bug on the risk matrix is CVE-2015-2629 whereby a remote authenticated user can exploit a flaw in the Java VM component to gain elevated privileges.

For the 11.2.0.4 patches, you can apply one of the following:

  • 11.2.0.4 SPU for UNIX: patch 20803583
  • 11.2.0.4.7 PSU for UNIX: patch 20760982
  • 11.2.0.4.17 Quarterly Database Patch for Exadata (July 2015): patch 21142006
  • July 2015 Quarterly Full-Stack Patch for Exadata: patch 21186703

Don’t forget your Grid Infrastructure patching:

11.2.0.4 PSU for UNIX: patch 20996923

And, of course, ever since those Java bugs were discovered, we should also patch the JVM:

11.2.0.4.4 Database PSU for UNIX: patch 21068539

Happy patching!


UKOUG 2014 – Dan Norris – Exadata Security Best Practices

Dan Norris of the Maximum Availability Architecture team gave what sounded like a very interesting presentation at UKOUG 2014. There seemed to be a lot of really cool stuff at this year’s event, which is to be expected as I no longer reside in the UK!

I encourage you to take a look at the slides, but also at the interesting links he provided:

Naturally, he also quoted a plethora of My Oracle Support notes – some of the greatest hits and some which you might not have seen before:

  • Responses to common Exadata security scan findings (Doc ID 1405320.1)
  • Oracle Sun Database Machine X2-2/X2-8, X3-2/X3-8 and X4-2 Security Best Practices (Doc ID 1071314.1)
  • How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata Database Machine (Doc ID 1291766.1)
  • Exadata Database Machine and Exadata Storage Server Supported Versions (Doc ID 888828.1)
  • Information Center: Oracle Exadata Database Machine (Doc ID 1306791.2)

Happy reading!


Major Data Exploit Patched by January 2014’s CPU

Today, an Oracle security blog revealed a “monster bug” (actually, TWO of them) which allows a user to UPDATE data in a table in another schema on which they hold only the SELECT privilege.

In case you’re wondering, the author did inform Oracle a year ago – and has sat on it since, so a huge amount of kudos to them! This is gratuitously stolen from that blog.

The user has to create a “simple” view based on the table and then a non-“simple” (such as an aggregated) view based on the first view; the second view bypasses the object privileges on the underlying table.

By exploiting this bug, the user may be able to cover their tracks and to obtain DBA access.

This is known to exist in all “current” versions of the database (11g and 12c, not clear if it includes 9i or 10g). The bug has been fixed with the January 2014 (and onwards) CPU for 11g and 12c, but there is no fix for earlier versions (yet, if ever).

A working example can be seen after the break – DO NOT RUN THIS IN PRODUCTION!!!
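The post keeps its working example behind the break; what follows is an added defender-side check, not code from the post or from the Oracle blog it cites. Because the bug needs a view built on a view whose base table lives in another schema, the data dictionary can be queried for exactly that shape, and the patch history can be queried to confirm whether a January 2014 or later CPU is present. It assumes a DBA-privileged session on an 11g or 12c database; the `NOT IN` exclusion list is an assumption meant to trim dictionary noise and can be widened.

```sql
-- Added example (not from the original post): candidate view chains of the
-- form  outer view (owner A) -> inner view (owner A) -> table (owner B, B <> A).
-- This over-approximates: legitimate reporting views built on views will
-- appear too, so treat the result as a review list, not a list of abuse.
SELECT outer_v.owner               AS view_owner,
       outer_v.name                AS outer_view,
       outer_v.referenced_name     AS inner_view,
       base.referenced_owner       AS table_owner,
       base.referenced_name        AS base_table
  FROM dba_dependencies outer_v
  JOIN dba_dependencies base
    ON base.owner = outer_v.referenced_owner
   AND base.name  = outer_v.referenced_name
 WHERE outer_v.type            = 'VIEW'
   AND outer_v.referenced_type = 'VIEW'
   AND base.type               = 'VIEW'
   AND base.referenced_type    = 'TABLE'
   AND base.referenced_owner  <> outer_v.owner
   -- assumption: skip Oracle-maintained schemas to cut dictionary noise
   AND base.referenced_owner NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'OUTLN')
 ORDER BY view_owner, outer_view;

-- For each chain above, show which object privileges the view owner actually
-- holds on the base table; a row with only SELECT is the case the post describes.
SELECT p.grantee, p.owner AS table_owner, p.table_name, p.privilege
  FROM dba_tab_privs p
 WHERE (p.grantee, p.owner, p.table_name) IN (
         SELECT outer_v.owner, base.referenced_owner, base.referenced_name
           FROM dba_dependencies outer_v
           JOIN dba_dependencies base
             ON base.owner = outer_v.referenced_owner
            AND base.name  = outer_v.referenced_name
          WHERE outer_v.type = 'VIEW' AND outer_v.referenced_type = 'VIEW'
            AND base.type    = 'VIEW' AND base.referenced_type    = 'TABLE'
            AND base.referenced_owner <> outer_v.owner)
 ORDER BY p.grantee, p.owner, p.table_name, p.privilege;

-- Patch history: the COMMENTS column names the CPU/PSU applied; anything
-- earlier than the January 2014 CPU leaves the chains above exploitable.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time;
```

Run the first two statements together: a view owner who appears in the first result and holds only SELECT on the base table in the second is worth a closer look on any database whose registry history does not show the January 2014 (or later) CPU.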


Exadata and the OpenSSL/”HeartBleed” Exploit

Oracle have published MOS 1645479.1 which describes the impact of the OpenSSL/”HeartBleed” exploit on their products.

It appears that the individual components of Exadata – with the exception of OEM Cloud/Grid Control – are NOT impacted by the OpenSSL/HeartBleed bug.

Obviously, this depends on your software stack, so I urge you to read 1645479.1 as soon as possible.

Exadata-related products which, while using OpenSSL, were never vulnerable:

  • Audit Vault
  • Exadata (prod 2546)
  • Exalogic
  • ILOM 3.2.2 and earlier
  • NM2 IB switches
  • NM2-36P InfiniBand switches
  • Oracle Linux 5 (watch out for EL 6 – this IS vulnerable, but has a fix!)
  • Oracle Secure Backup 10.2 and 10.3
  • Oracle ZFS Storage Appliance
  • Sun System Firmware

Exadata-related products which are likely vulnerable but have no fixes yet available:

  • EM Cloud Control
  • EM Grid Control

Exadata-related products which do NOT include OpenSSL:

  • Database
  • JavaVM
  • Linux 5