Introduction
* https://www.oracle.com/security-alerts/cpujan2022.html
** https://databasesecurityninja.wordpress.com/tag/oracle-database-cybersecurity-emad-al-mousa/
*** https://databasesecurityninja.wordpress.com/2022/01/14/oracle-database-unified-auditing-and-sys-log-limitations/
January 2022 CPU*
* https://www.oracle.com/security-alerts/cpujan2022.html
* https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
January 2022 - CVE-2021-32723
* https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg
* https://github.com/PrismJS/prism/pull/2688
* https://github.com/PrismJS/prism/pull/2774
January 2022 - CVE-2022-21247
Then exit from the sqlplus session, and then delete all files under $ORACLE_BASE/audit/$ORACLE_SID that have the .BIN extension. These files are called "auditing spillover files".
cd /opt/oracle/audit/ORCLCDB
rm -rf /opt/oracle/audit/ORCLCDB/*
* https://databasesecurityninja.wordpress.com/tag/oracle-database-cybersecurity-emad-al-mousa/
February 2022
* https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-
vulnerability/
Database Vault Metadata
Exposure Vulnerability
March 2022
* https://www.oracle.com/security-alerts/cpuapr2022.html
April 2022 CPU*
ACCESSIBLE BY (PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_DBADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_POOLADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_COMMON,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_CLOUDADMIN,
               PACKAGE GSMADMIN_INTERNAL.DBMS_GSM_UTILITY,
               PACKAGE GGSYS.GGSHARDING,
               PROCEDURE GSMADMIN_INTERNAL.EXECUTEDDL)
* https://www.dbarj.com.br/en/2022/05/oracle-database-dictionary-changelog/
May 2022
June 2022 -
https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/
June 2022 - CVE-2021-35576
CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;
sqlplus / as sysdba
SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
July 2022
* https://www.oracle.com/security-alerts/cpujul2022.html
* https://databasesecurityninja.wordpress.com/2022/07/16/privilege-elevation-in-oracle-cdb-architecture-unauthorized-proxy-access%EF%BF%BC/
Session altered.
User created.
SQL> grant create session, create any procedure, execute any procedure to faris;
Grant succeeded.
SQL> exit;
sqlplus "faris/faris_123"@ORCLPDB1
August 2022
September 2022
DOAG 2022*
AttachMe Vulnerability in OCI**
* https://anwenderkonferenz.doag.org/de/home/
** https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access
AttachMe
Other interesting Oracle Security stuff
Good to know
Anyone who evaluates audit logs often finds that the recorded
information is not very helpful in some cases.
sqlplus / as sysdba
SQL> create user hacker identified as hacker;

sqlplus / as sysdba
SQL> create user cracker identified as cracker;
DBMS_APPLICATION_INFO.SET_MODULE
DBMS_APPLICATION_INFO.SET_ACTION
Usage:
exec dbms_application_info.set_module(module_name=>'MYMOD1', action_name=>'MYACTION1');
Scenario:
Pass values from a web session
Oracle has a default context called CLIENTCONTEXT. This is useful if you do not
want to create a custom context object.
-- Client User-ID
EXEC DBMS_SESSION.set_context('CLIENTCONTEXT','WEBUSER','frweber1966');
Important:
Do not forget to reset the session (e.g. with connection pooling), using
DBMS_SESSION.RESET_PACKAGE
or
sys.DBMS_SESSION.clear_all_context('parameter_ctx');
Links:
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG011
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/managing-security-for-application-developers.html
https://riptutorial.com/oracle/example/6852/create-a-context
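Added example, not from the slides: how the module/action, client identifier and CLIENTCONTEXT values set by a pooled web application end up in the unified audit trail, and how the session is reset before the connection goes back to the pool. WEBAPP (the application's DB account), HR.EMPLOYEE and the policy name are assumed; 'frweber1966' and MYMOD1/MYACTION1 are the values from the slides.

```sql
-- Added example, not from the slides: tag a pooled session so that audit
-- records carry the web user, then make Unified Auditing capture the tag.
-- WEBAPP and HR.EMPLOYEE are assumed names; 'frweber1966' is the slide's value.
-- (a) Run by the application when it takes a connection from the pool.
BEGIN
  dbms_application_info.set_module(module_name => 'MYMOD1',
                                   action_name => 'MYACTION1');
  dbms_session.set_identifier('frweber1966');          -- CLIENT_IDENTIFIER
  dbms_session.set_context('CLIENTCONTEXT', 'WEBUSER', 'frweber1966');
END;
/
-- (b) One-time setup by the auditor: capture the context attribute together
--     with SELECTs on the table, then enable the policy for the app account.
AUDIT CONTEXT NAMESPACE clientcontext ATTRIBUTES webuser BY webapp;
CREATE AUDIT POLICY select_emp_pol ACTIONS SELECT ON hr.employee;
AUDIT POLICY select_emp_pol BY webapp;
-- (c) What the reviewer sees: the DB account is always WEBAPP, but the
--     client identifier and the context attribute now name the web user.
SELECT event_timestamp, dbusername, client_identifier,
       application_contexts, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%SELECT_EMP_POL%'
 ORDER BY event_timestamp DESC;
-- (d) Run by the application before the connection goes back to the pool;
--     otherwise the next request is logged under the previous user's name.
BEGIN
  dbms_session.clear_identifier;
  dbms_session.clear_all_context('CLIENTCONTEXT');
  dbms_application_info.set_module(module_name => NULL, action_name => NULL);
END;
/
```

Because any client can set CLIENTCONTEXT and the client identifier itself, treat these values as triage labels that point at a web user, not as an authenticated fact.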
Whitelisting SQL
SQL commands that are not in the whitelist are blocked and (can)
trigger an error that can be caught (via error trigger ==> SIEM).
https://www.robotron.de/unternehmen/aktuelles/blog/sql-translation-framework
-- 1. Create Profile STF_SECURITY
begin
  dbms_sql_translator.create_profile(profile_name => 'STF_SECURITY');
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_FOREIGN_SQL_SYNTAX,
    attribute_value => dbms_sql_translator.ATTR_VALUE_FALSE);
  dbms_sql_translator.register_sql_translation(
    profile_name    => 'STF_SECURITY',
    sql_text        => 'select * from tab1 where id=1',
    translated_text => 'select * from sectest1.tab1 where id=1');
end;
/
Whitelisting SQL
-- 2. Register further statements
begin
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_FOREIGN_SQL_SYNTAX,
    attribute_value => dbms_sql_translator.ATTR_VALUE_FALSE);
  dbms_sql_translator.register_sql_translation(
    profile_name    => 'STF_SECURITY',
    sql_text        => 'select * from tab1 where id=3',
    translated_text => 'select * from sectest1.tab1 where id=3');
end;
/
Whitelisting SQL
3. Test
ID NAME PASSWORD
---------- ---------- --------------------------------
3 jay bik3
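The slides show how translations are registered; what follows is my own setup for the remaining part, not code from the slides or the Robotron post: making unregistered SQL fail and pinning the profile to an application account. It assumes SECTEST1 owns the profile and TAB1, that SEC_APP is the application account, and that setting ATTR_RAISE_TRANSLATION_ERROR is what rejects statements without a registered translation.

```sql
-- Added example, not from the slides or the Robotron post: turn the
-- STF_SECURITY profile into an enforced whitelist and switch it on for an
-- application account. SECTEST1 (profile/table owner) and SEC_APP are assumed.
-- 1. Unregistered statements raise an error instead of running unchanged.
BEGIN
  dbms_sql_translator.set_attribute(
    profile_name    => 'STF_SECURITY',
    attribute_name  => dbms_sql_translator.ATTR_RAISE_TRANSLATION_ERROR,
    attribute_value => dbms_sql_translator.ATTR_VALUE_TRUE);
END;
/
-- 2. Let the application account use the profile owned by SECTEST1.
GRANT ALL ON SQL TRANSLATION PROFILE sectest1.stf_security TO sec_app;
-- 3. Pin the profile to every SEC_APP session with a logon trigger, so the
--    application cannot simply omit it.
CREATE OR REPLACE TRIGGER sectest1.trg_sec_app_logon
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SEC_APP' THEN
    EXECUTE IMMEDIATE
      'ALTER SESSION SET SQL_TRANSLATION_PROFILE = sectest1.stf_security';
    -- Needed for SQL*Plus/OCI sessions to apply the profile; JDBC clients
    -- set the profile through a connection property instead.
    EXECUTE IMMEDIATE
      'ALTER SESSION SET EVENTS ''10601 trace name context forever, level 32''';
  END IF;
END;
/
-- 4. Effect for SEC_APP:
--    select * from tab1 where id=3   -> rewritten to sectest1.tab1, returns jay
--    select * from tab1 where id=4   -> rejected, no translation registered
```

Translation grants nothing by itself: SEC_APP still needs SELECT on sectest1.tab1, and it can change its own session parameter, so this is a filter to combine with minimal object grants and the error trigger, not a replacement for them.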
Summary
Are you prepared?
Use Auditing (Unified Auditing or 3rd-party)
Use Oracle Error Trigger
Collect all audit logs in a central repository (log collection, SIEM)
Analyze the audit log via dashboards
Invalid Login Attempts
Insufficient Privileges
Unusual Activity
Interactive logins outside the business hours
TDE activities (ALTER SYSTEM SET…)
Usage of ANY commands (e.g. CREATE ANY …)
Potential SQL Injection Attempts from applications
('900','906','907','911','917','920','923','933','970','1031','1476','1719','1722','1742','1756','1789','1790','13605','13797','19202','20000','24247','29257','29532','29540','31011','31600')
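Added example for the "Use Oracle Error Trigger" and "Potential SQL Injection Attempts" points above, not code from the slides: a database-level SERVERERROR trigger that writes a row for a subset of the listed ORA- codes, together with the session labels from the application-context slides, into a table a SIEM collector can read. SEC_ERROR_LOG and TRG_SEC_SERVERERROR are names chosen here; the trigger is assumed to live in a dedicated security schema that holds ADMINISTER DATABASE TRIGGER.

```sql
-- Added example, not from the slides: log the error codes listed above,
-- plus who/where/what, so the rows can be forwarded to a SIEM.
-- SEC_ERROR_LOG and TRG_SEC_SERVERERROR are names chosen for this example.
CREATE TABLE sec_error_log (
  event_time        TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user           VARCHAR2(128),
  os_user           VARCHAR2(128),
  host              VARCHAR2(128),
  module            VARCHAR2(64),
  client_identifier VARCHAR2(64),
  error_code        NUMBER,
  sql_text          CLOB
);
CREATE OR REPLACE TRIGGER trg_sec_servererror
AFTER SERVERERROR ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;  -- keep the log row when the statement rolls back
  l_chunks ora_name_list_t;
  l_count  PLS_INTEGER;
  l_sql    CLOB;
BEGIN
  -- Subset of the codes from the slide: parse errors (900/907/911/917/920/933),
  -- insufficient privileges (1031) and conversion errors (1722/1756/1789).
  IF ora_is_servererror(900)  OR ora_is_servererror(907)  OR
     ora_is_servererror(911)  OR ora_is_servererror(917)  OR
     ora_is_servererror(920)  OR ora_is_servererror(933)  OR
     ora_is_servererror(1031) OR ora_is_servererror(1722) OR
     ora_is_servererror(1756) OR ora_is_servererror(1789) THEN
    l_count := ora_sql_txt(l_chunks);        -- failing statement, in pieces
    FOR i IN 1 .. l_count LOOP
      l_sql := l_sql || l_chunks(i);
    END LOOP;
    INSERT INTO sec_error_log
      (db_user, os_user, host, module, client_identifier, error_code, sql_text)
    VALUES
      (ora_login_user,
       SYS_CONTEXT('USERENV', 'OS_USER'),
       SYS_CONTEXT('USERENV', 'HOST'),
       SYS_CONTEXT('USERENV', 'MODULE'),
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
       ora_server_error(1),                  -- error at the top of the stack
       l_sql);
    COMMIT;
  END IF;
END;
/
```

Keep the table in a schema the application accounts cannot read or alter, and have the collector ship rows by EVENT_TIME so a burst of parse errors from one MODULE or CLIENT_IDENTIFIER is visible as a pattern rather than as isolated ORA- lines.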
Outlook 2023
More Auditing (Audit Analysis, …)
(Audit) log collection (SIEM)
Q&A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany