Security Blogs

GDPR for the Oracle DBA

Pete Finnigan - Mon, 2018-06-04 18:26
I did a talk at the recent UKOUG Northern Technology Summit in Leeds, UK on May 16th. This talk was an enhanced version of the one I did at the UKOUG tech conference in Birmingham in December 2017 to a...

Posted by Pete On 04/06/18 At 08:40 PM

Categories: Security Blogs

Limited Printed Oracle Security Training Manuals for Sale

Pete Finnigan - Mon, 2018-06-04 00:06
Over the last year or so we have offered for sale left over printed manuals from some of our training courses. Normally we only print the manuals for classes that we organise for in person training such as the classes...

Posted by Pete On 03/06/18 At 01:47 PM

Categories: Security Blogs

Oracle Security Training In York, UK, 2018

Pete Finnigan - Sun, 2018-06-03 05:46
I have just updated our public training dates page to add two new dates for Oracle Security training classes that I will be running here in York, UK. We now have 4 dates covering three available classes. These are as...

Posted by Pete On 02/06/18 At 06:54 PM

Categories: Security Blogs

Running Code as SYS From Another User not SYSDBA

Pete Finnigan - Wed, 2018-05-23 13:06
I have been embroiled in a Twitter thread today about the post I made in this blog yesterday around granting privileges to a user and who should do the granting. Patrick today asked a further question: How do you make...

Posted by Pete On 22/05/18 At 08:42 PM

Categories: Security Blogs

Who Should Grant Object Rights?

Pete Finnigan - Wed, 2018-05-23 13:06
Patrick Jolliffe posted a question via a tweet back in April but due to personal health pressures with a close relative of mine I have not had the time to deal with much over the last few months. I did...

Posted by Pete On 21/05/18 At 07:08 PM

Categories: Security Blogs

Oracle 18c Security utl_file_dir and schema no authentication

Pete Finnigan - Tue, 2018-05-08 06:26
I have managed to build an 18c database this weekend to test and learn on. I have not had a massive time to look into 18c yet but I will do over the coming days and weeks. The new features...

Posted by Pete On 07/05/18 At 09:10 PM

Categories: Security Blogs

New Oracle Security Public Training Dates Available

Pete Finnigan - Fri, 2018-04-13 19:46
Due to some very critical close family health issues in the last few months I have delayed advertising any public training dates this year for my Oracle Security classes as I have had to be available for family support during...

Posted by Pete On 13/04/18 At 10:10 AM

Categories: Security Blogs

Training Class Manuals For Sale

Pete Finnigan - Tue, 2018-03-06 14:26
I have previously offered spare printed training manuals last year for sale here and these were snapped up. I have just found one manual for my two day class - how to perform a security audit of an Oracle database...

Posted by Pete On 06/03/18 At 02:51 PM

Categories: Security Blogs

Pete Finnigan Presented About Oracle Database Vault and Oracle Security

Pete Finnigan - Fri, 2018-02-16 07:06
I have not added much here on my site for some time due to a serious health issue taking a lot of my time with a close family member. So please bear with me if you email or contact me...

Posted by Pete On 15/02/18 At 08:44 PM

Categories: Security Blogs

CVE-2017-10151 Oracle Identity Manager Vulnerability

Oracle has released an out-of-cycle security advisory (CVE-2017-10151) for a vulnerability affecting Oracle Identity Manager.  This vulnerability has a CVSS 3.0 base score of 10 out of 10.  Oracle Identity Manager is the identity governance component within the Oracle Identity Management solution.  All supported versions of Identity Manager are impacted from to  Most likely through are also vulnerable.  Previous Identity Manager versions (10g and 9.x) that are not based on Oracle WebLogic are probably not vulnerable.

The vulnerability is that the Oracle Identity Manager system user account (OIMINTERNAL) can be accessed using the default password through the Oracle WebLogic server.  As this is a highly privileged user, the entire Identity Manager environment can be completely compromised via an unauthenticated network attack.

The work-around is to change the OIMINTERNAL user password to a random string in the WebLogic administration console under Domain -> Security Realms.  A patch will be available in the future to automatically change the password.  See My Oracle Support Note "Oracle Security Alert CVE-2017-10151 Patch Availability Document for Oracle Identity Manager (Doc ID 2322316.1)" for more information.

As Oracle released an out-of-cycle security advisory, either detailed information regarding the vulnerability has been released or will soon be released, or Oracle has been informed the vulnerability is being actively exploited.

Oracle Fusion Middleware, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Critical Patch Update October 2017 Oracle E-Business Suite Analysis and Impact

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the October 2017 quarterly patch is significant and high-risk. 47 of the past 52 quarterly patches are significant and high-risk as they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the web application of Oracle E-Business Suite. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.

For this quarter, there are 3 SQL injection vulnerabilities, 16 cross-site scripting (XSS) vulnerabilities, 3 information disclosures, and 4 other types of vulnerabilities fixed.  Most important is that 25 of the 26 vulnerabilities are remotely exploitable without authentication.

Externally facing Oracle E-Business Suite environments (DMZ) running iStore or iSupport should take immediate action to mitigate the two vulnerabilities impacting iStore and the four vulnerabilities impacting iSupport (and Knowledge Management).  These web pages are allowed by the URL Firewall if the iStore or iSupport modules are enabled.  All six are cross-site scripting (XSS) vulnerabilities, which require interaction with the end-user, such as clicking a link, but allow the attacker to hijack the end-user's session.

October 2017 Recommendations

As with almost all Critical Patch Updates, the security vulnerability fixes are significant and high-risk.  Corrective action should be taken immediately for all Oracle E-Business Suite environments. The most at-risk implementations are those running Internet-facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.), and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.  These implementations should (1) apply the CPU as soon as possible or use a virtual patching solution such as AppDefend and (2) ensure the DMZ is properly configured according to the EBS-specific instructions and the EBS URL Firewall is enabled and optimized.

Most Oracle E-Business Suite environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

Oracle E-Business Suite 11i

As of April 2016, the 11i CPU patches are only available for Oracle customers with Tier 1 Support. Integrigy’s analysis of the October 2017 CPU shows at least 18 of the 26 vulnerabilities are also exploitable in 11i.  11i environments without Tier 1 Support should implement a web application firewall and virtual patching for Oracle E-Business Suite in order to remediate the large number of unpatched security vulnerabilities.  As of October 2017, an unsupported Oracle E-Business Suite 11i environment will have approximately 170 unpatched vulnerabilities – a number of which are high-risk SQL injection security bugs.

11i Tier 1 Support has been extended through December 2018, thus October 2018 will be the final CPU for Oracle E-Business Suite 11i.

Oracle E-Business Suite 12.0

CPU support for Oracle E-Business Suite 12.0 ended January 2015 and there are no security fixes for this release.  Integrigy’s analysis of the CPU shows at least 22 of the 26 vulnerabilities are exploitable in 12.0. In order to protect your application environment, the Integrigy AppDefend application firewall for Oracle E-Business Suite provides virtual patching for all these exploitable web security vulnerabilities.

Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Grant DBA to yourself - exploit or not?

Pete Finnigan - Wed, 2017-10-11 10:26
Yesterday Peter from the Master of Disaster Blog sent me an email to ask if I had seen the issue in his post before and whether it was a new exploit. I looked at the post and immediately recognised that...

Posted by Pete On 11/10/17 At 12:06 PM

Categories: Security Blogs

New Oracle Security book - Oracle Incident Response and Forensics

Pete Finnigan - Tue, 2017-10-03 19:06
I have been quiet on here for a while due to a large workload and also in the last weeks writing a new book - "Oracle Incident Response and Forensics" to be published by Apress. The book is complete as...

Posted by Pete On 03/10/17 At 08:52 AM

Categories: Security Blogs

Integrigy at Oracle Open World 2017

Integrigy will be presenting again this year on database security at Oracle Open World 2017 (San Francisco, October 1-5).  If you will be attending Open World, please join us for this informative session on database security.

The Thrifty DBA Does Database Security

Sunday, Oct 01, 10:45 a.m. - 11:30 a.m. | Moscone South - Room 159

Stephen Kost, Founder and CTO, Integrigy Corporation

Properly securing an Oracle Database requires significant effort and often expensive security add-on products. The Thrifty DBA likes having secure databases, but doesn’t like to spend money on expensive security products when equivalent zero or low-cost solutions are available. In this session discover thrifty yet effective security solutions to solve auditing, encryption, virtual private database, and authentication challenges.

Integrated Cloud Platform:  Database, Identity and Security

Code:  SUN5690

Please let us know if you would like to meet while at Open World to discuss Oracle Database or Oracle E-Business Suite security.

Oracle Database, Conference
Categories: APPS Blogs, Security Blogs

Oracle Security Training In York - October 30 - 31st 2017

Pete Finnigan - Wed, 2017-09-06 07:06
I will be running my two day Oracle security training course - How to Perform a Security Audit of an Oracle Database - here in my home city of York, UK on the 30th to 31st October 2017 this year...

Posted by Pete On 06/09/17 At 09:33 AM

Categories: Security Blogs

get_tab2.sql - Free Tool to show Privileges on an Object Updated

Pete Finnigan - Wed, 2017-08-30 10:06
I have a core set of PL/SQL scripts that I use when conducting Oracle security work on customer sites. Most of these have been available on this website for many years. One of these is my script get_tab2.sql which shows grants...

Posted by Pete On 30/08/17 At 12:11 PM

Categories: Security Blogs

What Are NULL pname entries in v$process?

Pete Finnigan - Tue, 2017-08-29 15:46
I got a message on LinkedIn today from Jijo who asked why, when he queries v$process, some of the PNAME column values are NULL. I have a simple script vproc.sql that I have used when analysing databases for many years...

Posted by Pete On 29/08/17 At 02:35 PM

Categories: Security Blogs

Pete Finnigan is now an Oracle ACE

Pete Finnigan - Fri, 2017-08-25 20:06
I just got an email from the Oracle ACE program to tell me that I had been accepted onto the ACE program and was awarded the Oracle ACE status by Oracle. I have been active on the internet around Oracle...

Posted by Pete On 25/08/17 At 07:28 PM

Categories: Security Blogs

Oracle Security at UKOUG December 2017

Pete Finnigan - Fri, 2017-08-25 20:06
I have just had an email from the UKOUG to say that three of my presentations have been accepted for the upcoming conference on December 4th to 6th at the ICC in Birmingham. I will have one talk on the...

Posted by Pete On 25/08/17 At 04:16 PM

Categories: Security Blogs

New Video of Oracle Security Vulnerability Scanning

Pete Finnigan - Thu, 2017-08-17 10:46
I have just made a new video of a sample session using PFCLScan, our vulnerability / security scanner for the Oracle database. In the video I show how easy it is to get started with PFCLScan and scan an Oracle...

Posted by Pete On 17/08/17 At 01:50 PM

Categories: Security Blogs
