Re: Oracle Data Redaction is Broken

From: Tim Gorman <tim_at_evdbt.com>
Date: Wed, 16 Jul 2014 08:47:43 -0600
Message-ID: <53C6908F.5090008_at_evdbt.com>



David,

Your paper from last November listed three bypass methods (i.e. RETURNING INTO, XMLQuery, and iterative inference) along with the escalation vulnerability, which makes a total of four problems. Is the iterative inference method the one which is still remaining?

I looked at the README
<https://updates.oracle.com/Orion/Services/download?type=readme&aru=17639413> for patch 18522516 (DB PSU 12.1.0.1.4) and couldn't find direct references to security bugs or anything involving "redaction" or "xmlquery", but I did find some generically named fixed bugs (highlighted in red typeface below) whose description I can't seem to reference within MOS...

    _Oracle Security_

        14595800 - CONTEXT INDEX ON FGA POLICY ENABLE TABLE WITH XMLTYPE COLUMN FAILS
        15953721 - TT12.1SQLFUZZ2: FAILED LOGIN ATTEMPT FOR PROXY USER INCREASED WHEN ORA-1948 RAIS
        16969016 - LNX_MAIN: ORA-600 [KZDUSERPRIVILEGEUPDATE-1]
        16703112 - Fix for bug 16703112
        17006570 - Fix for bug 17006570
        17786278 - Fix for bug 17786278
        18061914 - Fix for bug 18061914
        18096714 - Fix for bug 18096714
        18554871 - Fix for bug 18554871
        19049453 - Fix for bug 19049453

    _XML Utilities_

        17158214 - ORA-4031 FATAL OUT-OF-MEMORY CRASH ON NT EXECUTING LPXXSLINITIALIZECTX API
         15905421 - Fix for bug 15905421


Just curious how you were informed that three of the four bugs had been addressed, and which of the four is still remaining?

Thanks so much!

-Tim

On 7/16/14, 6:45, david_at_databasesecurity.com wrote:
> Hey all,
> As part of yesterday’s Critical Patch Update, Oracle fixed 3 security
> flaws in data redaction services – one a privilege escalation
> vulnerability and two redaction bypass methods. I reported these
> issues to Oracle in November last year and have documented them here:
> http://www.davidlitchfield.com/Oracle_Data_Redaction_is_Broken.pdf
> Cheers,
> David

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jul 16 2014 - 16:47:43 CEST

Original text of this message