Re: Oracle Data Redaction is Broken
Date: Wed, 16 Jul 2014 08:47:43 -0600
Message-ID: <53C6908F.5090008_at_evdbt.com>
David,
Your paper from last November listed three bypass methods (i.e. RETURNING INTO, XMLQuery, and iterative inference) along with the escalation vulnerability, which makes a total of four problems. Is the iterative inference method the one which is still remaining?
I looked at the README
<https://updates.oracle.com/Orion/Services/download?type=readme&aru=17639413>
for patch 18522516 (DB PSU 12.1.0.1.4) and couldn't find direct
references to security bugs or anything involving "redaction" or
"xmlquery", but I did find some generically named fixed bugs
(highlighted in red typeface below) whose description I can't seem to
reference within MOS...
_Oracle Security_
14595800 - CONTEXT INDEX ON FGA POLICY ENABLE TABLE WITH XMLTYPE COLUMN FAILS
15953721 - TT12.1SQLFUZZ2: FAILED LOGIN ATTEMPT FOR PROXY USER INCREASED WHEN ORA-1948 RAIS
16969016 - LNX_MAIN: ORA-600 [KZDUSERPRIVILEGEUPDATE-1]
16703112 - Fix for bug 16703112
17006570 - Fix for bug 17006570
17786278 - Fix for bug 17786278
18061914 - Fix for bug 18061914
18096714 - Fix for bug 18096714
18554871 - Fix for bug 18554871
19049453 - Fix for bug 19049453
_XML Utilities_
17158214 - ORA-4031 FATAL OUT-OF-MEMORY CRASH ON NT EXECUTING LPXXSLINITIALIZECTX API
15905421 - Fix for bug 15905421
Just curious how you were informed that three of the four bugs had been addressed, and which of the four is still remaining?
Thanks so much!
-Tim
On 7/16/14, 6:45, david_at_databasesecurity.com wrote:
> Hey all,
> As part of yesterday’s Critical Patch Update, Oracle fixed 3 security
> flaws in data redaction services – one a privilege escalation
> vulnerability and two redaction bypass methods. I reported these
> issues to Oracle in November last year and have documented them here:
> http://www.davidlitchfield.com/Oracle_Data_Redaction_is_Broken.pdf
> Cheers,
> David
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jul 16 2014 - 16:47:43 CEST