RE: DB link Secureness

From: Reen, Elizabeth
Date: Tue, 22 Dec 2020 16:20:04 +0000
Message-ID: <829bd50b93e44a35b92283553454d969_at_imcnam.ssmb.com>



SolarWinds has been involved in a large-scale Russian point of sale hacking. The password to their distribution server was solarwinds12. The Russians were able to replace their software with a version with a back door. Not exactly a company I would recommend.

Liz

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Mladen Gogala
Sent: Saturday, December 19, 2020 1:47 AM
To: Stefan Knecht
Cc: loknath.73_at_gmail.com; mark.powell2_at_dxc.com; Oracle L
Subject: Re: DB link Secureness

You can also buy monitoring software like SolarWinds to secure your configuration. It is extremely popular software as of the last few days.

On Sat, Dec 19, 2020, 01:26 Stefan Knecht <knecht.stefan_at_gmail.com> wrote:

Well, there's two sides to this.

In any properly secured network, a DEV machine should not be able to connect to a PROD machine. Be it via DB link or any other means. That's not a database problem, that's a network zoning problem.

But also, most places use post-import or post-restore steps which are automatically or manually performed, to deal with anything left over that shouldn't be the way the import creates them (e.g. you'd replace real-world users' emails with dummy emails when refreshing dev or qa with prod, and you'd likely also want to change any passwords or database links accordingly).

On Sat, Dec 19, 2020 at 1:34 AM Lok P <loknath.73_at_gmail.com> wrote:

I checked two ways, i.e. first by taking the export dump and doing impdp with the parameter SQLFILE, and as I see in version 11.2.0.4 the dblink DDL has a bind variable in place of the password.

Then I tried to look at the .DMP file content and it's all junk. I didn't see any hashed value or bind value. So that looks perfect from a security standpoint.

Now one thing I wanted to see: if somebody takes the export dump of the dblink from PRODDB and imports it into some Dev database, say DEVDB, will that dblink be created without any error? And in that case will the user silently be able to connect to REMOTEPROD using that dblink without anyone noticing? If that's true, then even though the password is not exposed to the outside, it's still a security risk. Correct me if I'm wrong?

On Thu, 17 Dec 2020, 9:59 am Lok P, <loknath.73_at_gmail.com> wrote:

I am not very sure how to create DB links using TCPS and whether it's the safest with no security loophole. Can you explain a bit? We are on 11.2.0.4, so is there any version dependency?

But the doc below does state that the password was stored as cleartext in sys.link$ prior to 10gR2. But nothing is mentioned about whether export/import exposes the password in clear text in current versions or not?

MOS Doc ID 202987.1

On Thu, Dec 17, 2020 at 8:14 AM Mladen Gogala <gogala.mladen_at_gmail.com> wrote:

Or create link using TCPS.

On 12/16/20 2:03 PM, Powell, Mark wrote:
> Ask the security team to present you proof the password can be exposed
> when someone exports/imports the link

--
Mladen Gogala
Database Consultant
http://mgogala.byethost5.com

--
http://www.freelists.org/webpage/oracle-l

--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework! Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/

Received on Tue Dec 22 2020 - 17:20:04 CET
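
The SQLFILE check and the post-import cleanup discussed in this thread can be combined into an audit that runs before the import. This is an added example, not code from any poster: it scans impdp SQLFILE output for CREATE DATABASE LINK statements and flags those whose target matches a production naming pattern. The sample DDL, link names, hosts and the `prod` pattern are constructed assumptions.

```python
import re

# Constructed sample of impdp SQLFILE output (not from the thread). The
# password shows up only as a placeholder, as reported for 11.2.0.4.
SAMPLE_SQLFILE = """\
-- new object type path: SCHEMA_EXPORT/DB_LINK
CREATE DATABASE LINK "REMOTEPROD"
   CONNECT TO "APPUSER" IDENTIFIED BY VALUES ':1'
   USING 'REMOTEPROD';
CREATE PUBLIC DATABASE LINK "REPORTING_DEV"
   CONNECT TO "RPT" IDENTIFIED BY VALUES ':1'
   USING '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=devrpt01)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=rptdev)))';
CREATE TABLE "APP"."T1" ("ID" NUMBER);
"""

# CREATE [SHARED] [PUBLIC] DATABASE LINK <name> ... ;
LINK_RE = re.compile(
    r'CREATE\s+(?:SHARED\s+)?(PUBLIC\s+)?DATABASE\s+LINK\s+"?([^"\s;]+)"?(.*?);',
    re.IGNORECASE | re.DOTALL,
)

def audit_links(sql_text, prod_pattern):
    """Return one dict per CREATE DATABASE LINK statement found in sql_text.

    prod_pattern is a regex for the site's production naming convention
    (an assumption; adapt it to your own host and TNS alias names).
    """
    prod = re.compile(prod_pattern, re.IGNORECASE)
    findings = []
    for m in LINK_RE.finditer(sql_text):
        body = m.group(3)
        user = re.search(r'CONNECT\s+TO\s+"?([A-Za-z0-9_$#]+)"?', body, re.IGNORECASE)
        using = re.search(r"USING\s+'([^']*)'", body, re.IGNORECASE)
        # Without a USING clause the link name itself identifies the target.
        target = using.group(1) if using else m.group(2)
        findings.append({
            "link": m.group(2),
            "public": bool(m.group(1)),
            "user": user.group(1) if user else None,
            "target": target,
            "points_at_prod": bool(prod.search(target)),
        })
    return findings

if __name__ == "__main__":
    for f in audit_links(SAMPLE_SQLFILE, r"prod"):
        action = "DROP or repoint after import" if f["points_at_prod"] else "ok"
        print(f'{f["link"]:15} user={f["user"]} public={f["public"]} -> {action}')
```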
