Global vision of security in Oracle (2002 – 2018)

Last week I attended a meeting on the GDPR (General Data Protection Regulation, which applies only in Europe), which becomes mandatory on May 25, 2018. It is interesting to note that one of the aims of this law is partly to force organizations to take measures against cyber attacks, whose implications many organizations and people are not aware of. We lock the door of the house with a key, but many times we leave our systems defenceless.

18 years ago I gave a presentation at CUORE (the Oracle user group of Spain) on the security of the Oracle database at that time, which was quite disastrous, although it must be said that it has been improving over time. I am going to update some of the parts covered in that presentation in the next posts.

I leave here the PPT of that presentation and a small PDF (the slides are in Spanish) that gathered the most basic concepts, some of which are still valid.

Presentation (PPT)


Network Layer (PPT)

RED

Operating System Layer (PPT)

SISTEMA_OPERATIVO

Database Layer (PPT)

BASE_DE_DATOS

Miscellany (PPT)

MISCELANEA

Documentation (PDF)

VISION_SEGURIDAD_ORACLE

HTH – Antonio NAVARRO


18 Released For Windows And Solaris

Version 18c has finally been released for Microsoft Windows (remember that Oracle no longer develops for 32-bit architectures) and Solaris (for SPARC and x86-64 architectures).

PHOTO_DB_18_MULTIPLATFORM

You can download it from the following link:

Database 18c

HTH – Antonio NAVARRO

ORA-16047 When Starting Active DG

Last night I was activating an Active Data Guard standby. The problem was that it did not finish starting, and at the beginning it gave the following error:

ORA-16047: DGID mismatch between destination setting and target database

Looking in more detail at the specific trace file, the following message appears (this is an excerpt of the file):

2018-07-31 07:17:27.263: [ GPNP]clsgpnpkwf_initwfloc: [at clsgpnpkwf.c:471] Result: (7) CLSGPNP_IO. (:GPNP01002:)Failed to open wallet file. dir ‘peer’ in ‘/xxxx/xxxx/xxxx/xxxx/xxxx/xxxx/wallets/’, cannot check wallet home.
2018-07-31 07:17:27.263: [ GPNP]clsgpnpkwf_initwfloc: [at clsgpnpkwf.c:469] (:GPNP01002:)SlfFopen2
Internal Error Information:
Category: SLF_SYSTEM(-8)
Operation: lstat failed
Location: slsfopen3
Other:
Dep: 13
Dep Message: Permission denied

In this case the error is caused by the log_archive_config parameter not being configured. You can query the value of this parameter as follows:

show parameter log_archive_config

And you can set it with the following alter command:

alter system set LOG_ARCHIVE_CONFIG='DG_CONFIG=(db,stbdb)';
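As an added check (example code, not from the original post), the following PL/SQL block verifies on a database that its own DB_UNIQUE_NAME, and the DB_UNIQUE_NAME named in its LOG_ARCHIVE_DEST_2, are both members of the DG_CONFIG list in LOG_ARCHIVE_CONFIG. A name missing from that list is one of the conditions behind ORA-16047. The names db and stbdb are the ones from the post; the use of LOG_ARCHIVE_DEST_2 as the transport destination is an assumption.

```sql
-- Added example (not from the original post): check DG_CONFIG membership on
-- the current database. Run it on both primary and standby as a user who can
-- read V$PARAMETER (SELECT_CATALOG_ROLE is enough).
SET SERVEROUTPUT ON
DECLARE
  v_unique_name  VARCHAR2(128);
  v_config       VARCHAR2(4000);
  v_members      VARCHAR2(4000);
  v_dest2        VARCHAR2(4000);
  v_dest_name    VARCHAR2(128);

  -- TRUE when p_name appears as one comma-separated member of p_list (case-insensitive)
  FUNCTION is_member(p_list IN VARCHAR2, p_name IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN REGEXP_LIKE(p_list, '(^|,)\s*' || p_name || '\s*(,|$)', 'i');
  END;
BEGIN
  SELECT value INTO v_unique_name FROM v$parameter WHERE name = 'db_unique_name';
  SELECT value INTO v_config      FROM v$parameter WHERE name = 'log_archive_config';
  SELECT value INTO v_dest2       FROM v$parameter WHERE name = 'log_archive_dest_2';

  IF v_config IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('LOG_ARCHIVE_CONFIG is not set on ' || v_unique_name ||
                         '; set DG_CONFIG=(db,stbdb) on every member before enabling redo transport');
    RETURN;
  END IF;

  -- Pull the list out of DG_CONFIG=( ... ); the 6th argument selects capture group 1
  v_members := REGEXP_SUBSTR(v_config, 'DG_CONFIG\s*=\s*\(([^)]*)\)', 1, 1, 'i', 1);
  IF v_members IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('LOG_ARCHIVE_CONFIG=' || v_config || ' contains no DG_CONFIG list');
    RETURN;
  END IF;

  -- 1. This database must be listed under its own unique name
  IF is_member(v_members, v_unique_name) THEN
    DBMS_OUTPUT.PUT_LINE('OK: ' || v_unique_name || ' is in DG_CONFIG=(' || v_members || ')');
  ELSE
    DBMS_OUTPUT.PUT_LINE('MISMATCH: ' || v_unique_name || ' is not in DG_CONFIG=(' || v_members || ')');
  END IF;

  -- 2. The DB_UNIQUE_NAME attribute of the transport destination must be listed too
  v_dest_name := REGEXP_SUBSTR(v_dest2, 'DB_UNIQUE_NAME\s*=\s*([^[:space:]]+)', 1, 1, 'i', 1);
  IF v_dest_name IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('NOTE: LOG_ARCHIVE_DEST_2 has no DB_UNIQUE_NAME attribute (value: ' ||
                         NVL(v_dest2, '<null>') || ')');
  ELSIF is_member(v_members, v_dest_name) THEN
    DBMS_OUTPUT.PUT_LINE('OK: destination ' || v_dest_name || ' is in DG_CONFIG');
  ELSE
    DBMS_OUTPUT.PUT_LINE('MISMATCH: destination ' || v_dest_name || ' is not in DG_CONFIG');
  END IF;
END;
/
```

Both checks have to pass on every member of the configuration; the ALTER SYSTEM above only fixes the list on the database where it is run.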

HTH – Antonio NAVARRO


Release 18C released

Oracle has just released version 18c "on-premise"; now the whole policy is the cloud, and they are giving names to the versions that are not for the cloud.

Note that the version has only been released for Linux, which is also a change in Oracle policy, since traditionally the first releases were for Solaris. This seems to confirm the rumours that Solaris ends in 2030 😦

I attach the link for download:

Oracle Database 18.3

And a couple of screenshots:

photo_db_18c_v1

photo_db_18c_v2

HTH – Antonio NAVARRO

Killing Session With post_transaction Clause

Today I would like to talk about the option of killing a connection with the post_transaction clause; it is similar to the SHUTDOWN TRANSACTIONAL that the database has. In this case you wait for the process to finish its work.

  • The POST_TRANSACTION setting allows ongoing transactions to complete before the session is disconnected.
  • If the session has no ongoing transactions, then this clause has the same effect described for the KILL SESSION.

An example would be the following:

ALTER SYSTEM DISCONNECT SESSION 'sid,serial#' POST_TRANSACTION;
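As an added example (not from the original post), the query below finds the sessions of one user that currently hold an open transaction and generates the DISCONNECT command for each of them, so that the POST_TRANSACTION clause lets the work in flight finish instead of rolling it back. The user name SCOTT is an assumption for the example.

```sql
-- Added example (not from the original post): list sessions with a live
-- transaction and build the POST_TRANSACTION disconnect for each one.
-- Needs SELECT on V$SESSION and V$TRANSACTION; the join on SADDR/SES_ADDR
-- keeps only sessions that actually have an open transaction.
COLUMN disconnect_cmd FORMAT A70
SELECT s.sid,
       s.serial#,
       s.username,
       s.status,
       t.start_time                          AS txn_started,
       t.used_urec                           AS undo_records,
       'ALTER SYSTEM DISCONNECT SESSION ''' || s.sid || ',' || s.serial# ||
       ''' POST_TRANSACTION;'                AS disconnect_cmd
  FROM v$session     s
  JOIN v$transaction t ON t.ses_addr = s.saddr
 WHERE s.username = 'SCOTT'      -- assumed user; adjust to the account being drained
   AND s.type     = 'USER'
 ORDER BY t.start_time;

-- The generated statement for one row looks like this (constructed values):
--   ALTER SYSTEM DISCONNECT SESSION '142,37' POST_TRANSACTION;
-- Replace POST_TRANSACTION with IMMEDIATE only when the transaction must be
-- rolled back and the session removed right away.
```

Sessions without an open transaction are not returned because for them POST_TRANSACTION behaves exactly like KILL SESSION, as the Oracle documentation quoted above states.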

HTH – Antonio NAVARRO

New Versions But Old Vices

In today's post I want to talk about passwords in Oracle. Since very old versions it has been very easy to "catch" password changes using a sniffer. Oracle's recommendation, which is repeated in many forums, is to use the password command from SQL*Plus instead of executing an alter user. By now the client should be smarter, or at least give the option to encrypt this type of SQL statement (alter).

Let's look at an example. We connect using an 18 client to a 12.1 RDBMS with the user scott.

foto_sniffer_4

Now we change the password with the alter user command as shown below:

SQL> alter user scott identified by scott1234;

Using a sniffer (in this test Microsoft Message Analyzer) we can see the payload of the TCP frame between my laptop and the server in clear text:

foto_sniffer_2

Now using the password command from SQL*Plus. Below is the TCP frame captured by the sniffer. Here you cannot see the text in clear:

foto_sniffer_3

How to minimize the risk

– First of all, do not use "alter user".
– Use encrypted communications between the client and the database server (Oracle native encryption or a VPN). However, from what I see, in this version (18) Oracle still does not protect the memory areas, so the encryption of the communications channel is partially undermined if there is access to the memory of the client computer. Windows DPAPI already implements memory encryption in a fairly acceptable way via CryptProtectMemory / ProtectedMemory.
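To make the second measure concrete, here is an added example (not from the original post) of the server-side sqlnet.ora setting that leaves the channel in clear beside the one that forces Oracle native encryption, followed by the query that confirms what the current session actually negotiated. The parameter values are assumptions for this example; the view V$SESSION_CONNECT_INFO and the ORA-12660 error are standard Oracle behaviour.

```sql
-- Added example (not from the original post): verify Oracle Native Network
-- Encryption on the current session.
--
-- Weak server sqlnet.ora (the default): the server only ACCEPTS encryption,
-- so a client that does not ask for it, like the one in the capture above,
-- sends the ALTER USER in clear.
--   SQLNET.ENCRYPTION_SERVER = ACCEPTED
--
-- Hardened server sqlnet.ora (assumed values): connections that cannot be
-- encrypted and integrity-checked are refused (the client sees ORA-12660),
-- so the statement never crosses the wire in clear.
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
--
-- After reconnecting, the services negotiated for your own session appear in
-- its connection banners. Rows naming the encryption and crypto-checksumming
-- adapters mean the channel is protected; no rows mean it is still in clear.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND (UPPER(network_service_banner) LIKE '%ENCRYPTION%'
     OR UPPER(network_service_banner) LIKE '%CRYPTO-CHECKSUMMING%');
```

The query only reports the session that runs it, so check it from the same client and connect string that was sniffed above; the memory caveat in the second point still applies, since native encryption protects the wire and nothing else.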


HTH – Antonio NAVARRO

Oracle Java Serialization/Deserialization

Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle.

Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form.

Many products are affected by this type of attack, since Java is the basis of many solutions. Within the database there are several areas vulnerable to this type of attack, the most significant being the REST-type services. They are defined as follows (from the Oracle documentation):

Oracle REST Data Services (ORDS) makes it easy to develop modern REST interfaces for relational data in the Oracle Database, Oracle Database 12c JSON Document Store, and Oracle NoSQL Database. A mid-tier Java application, ORDS maps HTTP(S) verbs (GET, POST, PUT, DELETE, etc.) to database transactions and returns any results formatted using JSON.

HTH – Antonio NAVARRO