There was very little press coverage regarding Oracle security from last week's Black Hat security conference in Las Vegas. I am a little surprised about the lack of attention in the media regarding Pete Finnigan's presentation on unwrapping PL/SQL code.
You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week. The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week. Every year this conference gets significant media exposure -- last year was the controversy regarding Cisco and Michael Lynn. There don't seem to be any major headlines this year, so the press may be digging for stories.
There are currently three major un-patched and published Oracle Database security bugs and all three bugs impact the Oracle E-Business Suite. All Oracle Applications 11i implementations should review the possible impact on their installations to determine the necessary corrective action. I don't foresee any of these bugs being fixed before the October 2005 Critical Patch Update.
Here is a quick rundown of the bugs --
We have released our E-Business Technology Stack Support Matrix for the Oracle Critical Patch Update (CPU) July 2006. The supported technology stack versions required by Oracle’s Critical Patch Updates (CPU) may be different from the certified technology stack versions. A prime example is that 126.96.36.199 is certified for Oracle Applications, but is not supported by the July 2006 CPU. The Technology Stack support matrix highlights the differences between certified versions and CPU July 2006 required versions.
Google is such a powerful tool and people are finding new ways to exploit its capabilities. The newest use is to find security bugs in open source code, since much of this code is published in code repositories indexed by Google. Google searches can look for specific file extensions (like c, pls, sql, or ora).
Oracle has decided not to release any security fixes in the July 2006 Critical Patch Update for Oracle E-Business Suite releases 11.5.1 - 11.5.6. This may come as a shock to more than a few customers since the official Desupport date for 11.5.1 to 11.5.6 is July 31, 2006 (not July 18, 2006).
A frequent topic of discussion after any security assessment or review by auditors is the setting of O7_DICTIONARY_ACCESSIBILITY in Oracle Applications. O7_DICTIONARY_ACCESSIBILITY is a database initialization parameter that controls access to objects in the SYS schema. It was originally intended to help with migrations from Oracle7 to newer versions where access to data dictionary objects is limited by default. From a pure security perspective, O7_DICTIONARY_ACCESSIBILITY should always be set to FALSE, and this is a very common security recommendation for Oracle Databases in general.
The APPLSYSPUB account is used by Oracle Applications to initially connect to the database and establish a session. This account normally should have limited privileges. However, during our audits the permissions assigned to APPLSYSPUB and PUBLIC are often a security risk and need to be corrected.
The Oracle Applications Security Blog will be a unique analysis and commentary on Oracle-related security topics, especially related to Oracle Applications (the official product name is "Oracle E-Business Suite"). Since the Oracle Applications technology stack also includes most of the other Oracle products, I will also cover the Oracle Database, Oracle Application Server, and Oracle development products.
My goal is to use this as a forum for some experimentation into presenting security topics in a different way.