Security Blogs

Oracle EBS CVE-2025-61884 Patches Made Available After Initial Release webmaster Tue, 10/14/2025 - 19:09

The 21st anniversary of this blog is coming up on the 20th September 2025. I started this blog on the 20th of September 2004 and it has been doing well ever since. I write almost exclusively on the subject of....[Read More]

Posted by Pete On 10/09/25 At 11:55 AM

I did a five part series on the security of AUDSYS.AUD$UNIFIED and showed how it works at a functional level and how it might be secured by Oracle and how we might design a similar system using standard database license....[Read More]

Posted by Pete On 09/09/25 At 08:56 AM

This is the next part of the series looking at the AUDSYS schema and AUD$UNIFIED table that Oracle has created and protected. In the first part we explored what AUDSYS and AUD$UNIFIED looks like in terms of security; in part....[Read More]

Posted by Pete On 03/09/25 At 11:38 AM

This is the next part (4th part) of the series exploring the AUDSYS schema and AUD$UNIFIED table that is READONLY with a lot of INSERTING and sometimes deleting. In the first part we explored the AUDSYS schema and the AUD$UNIFIED....[Read More]

Posted by Pete On 26/08/25 At 08:54 AM

In the two parts of this series on the security of AUDSYS.AUD$UNIFIED we looked at the main security features of the AUDSYS user and the AUD$UNIFIED table so that we could imagine using these same features ourselves. I have taught....[Read More]

Posted by Pete On 19/08/25 At 12:03 PM

In Oracle a user is the same as a schema - well not 100% true - so lets explain a bit. Firstly at a logical high level in Oracle a user is an account used by a real person to....[Read More]

Posted by Pete On 14/08/25 At 08:38 AM

In the recent blog first part of this series on the security of AUDSYS.AUD$UNIFIED we looked at the main features of the AUDSYS user and its ability or design to stop anyone from randomly deleting or updating or doing DDL....[Read More]

Posted by Pete On 12/08/25 At 12:52 PM

I was emailed by Cameron overnight to tell me that he has written a new unwrapper for PL/SQL. There have been no public unwrappers for 9ir2 and lower available on the internet for a long time. There were a number....[Read More]

Posted by Pete On 07/08/25 At 10:00 AM

This is a short history of our PFCLScan product and therefore also a history of the other apps now built on top of PFCLScan such as PFCLObfuscate , PFCLCode , PFCLForensics and more. Obviously after such a long time and....[Read More]

Posted by Pete On 15/05/25 At 10:15 AM

It has been a long time coming but I have finally got this website running on HTTPS / SSL. Google have been pushing webmasters and site owners to move to HTTPS for more than 10 years. Google in fact stated....[Read More]

Posted by Pete On 13/05/25 At 02:07 PM

One of the goals of creating an interpreter written in PL/SQL to execute a custom language was for our use in our tools. We wanted to be able to ship PL/SQL and customise it after its deployed without re-compiling the....[Read More]

Posted by Pete On 14/04/25 At 12:11 PM

In the first blog in this series we discussed the main issue with using DBMS_CRYPTO to encrypt data within the database. This is the lack of key management provided by Oracle natively for use with this package. I had intended....[Read More]

Posted by Pete On 07/04/25 At 01:25 PM

I often get asked how to use DBMS_CRYPTO to encrypt data in the Oracle database. Or I used to be asked how to use DBMS_OBFUSCATION_TOOLKIT when it was the go-to encryption in an Oracle database. Before we go far; this....[Read More]

Posted by Pete On 02/04/25 At 02:22 PM

Just an update as I have not posted too many blogs recently. I have a bag log of blog ideas to write on technical subjects directly relating to Oracle security so please watch out for those by subscribing / following....[Read More]

Posted by Pete On 19/03/25 At 03:00 PM

Can we use AI in Oracle security? - yes as an answer? we can but how effective it would be means the answer is maybe? It depends on what we want to use AI for and how much data is....[Read More]

Posted by Pete On 27/02/25 At 03:35 PM

We are holding a 3 day live, in person training event here in York, UK on March 11th to March 13th 2025 (Tuesday to Thursday). The class is taught by Pete Finnigan. The class is a unique event and will....[Read More]

Posted by Pete On 19/02/25 At 10:32 AM

Our recent 3 day Oracle Security training class in York scheduled in January was popular and a lot of people who enquired for the January class asked if we could do the class again in March. I decided to do....[Read More]

Posted by Pete On 06/02/25 At 10:22 AM

One of the goals of creating an interpreter written in PL/SQL to execute a custom language was for our use in our tools. We wanted to be able to ship PL/SQL and customise it after its deployed without re-compiling the....[Read More]

Posted by Pete On 14/04/25 At 12:11 PM

In the first blog in this series we discussed the main issue with using DBMS_CRYPTO to encrypt data within the database. This is the lack of key management provided by Oracle natively for use with this package. I had intended....[Read More]

Posted by Pete On 07/04/25 At 01:25 PM