The Oracle Global Product Security Blog

Hi, this is Eric Maurice!  This very short blog to let you know about recently recorded podcasts and webcasts on Oracle Software Security Assurance topics.

We recently recorded a podcast interview with Oracle CSO, Mary Ann Davidson.  In this podcast, Mary Ann discusses the importance of Oracle Software Security Assurance, the role of Oracle�s Global Product Security Group, and some of the changes that were introduced with the Critical Patch Update. 

Oracle and the Enterprise Best Practices Special Interest Group (SIG) of the Independent Oracle User Group recently delivered a one hour webcast introducing Oracle�s secure configuration initiative and discussing the security enhancements in Oracle Database 11g.  In this webcast, Daniel Wong, Director of Engineering for Database Security at Oracle, discusses in technical detail the security changes introduced in the default configuration of Oracle Database Server with 11g.  Such changes affect the default audit settings, authentication and password management, and access control changes to certain UTL packages, etc.  Daniel then provides security recommendations for customers who are looking at upgrading (or have upgraded to) Oracle Database 11g.  A previously recorded webcast providing technical recommendations for securely configuring Oracle databases is also available on the IOUG website under the archived SIG webcasts section. 

Note that a registration to IOUG�s web site may be required to access some of this content (FREE membership to the Enterprise Best Practices SIG is also available here).

For more information:

Mary Ann Davidson�s interview is available here.

IOUG�s webcast on Oracle Database 11g security is available here.

IOUG�s webcast on securely configuring Oracle databases is available here.

Oracle Software Security Assurance Resource Library is available here.

The download page for IOUG�s Enterprise Best Practices SIG is available here.

Hello, this is Eric Maurice! 

Oracle today released the April 2008 Critical Patch Update (CPUApr2008).  This Critical Patch Update (CPU) addresses a total of 41 vulnerabilities affecting Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.  Fifteen of these vulnerabilities are specific to Oracle Database Server (an additional two affects Application Express).  Note however that a number of these Database Server vulnerabilities affect optional Database Server components, and only one of these Database Server vulnerabilities can be remotely exploitable without authentication.

While none of the Oracle Database Server fixes requires patching the database client-only installations, this CPU includes one fix for Oracle Application Server client-only installations.  As with the previously released January 2008 CPU, this CPU includes an Application Server client fix to address a vulnerability affecting JInitiator, a web browser extension that enables end users to run Oracle Forms Services applications within their browser.  This vulnerability only affects version 1.3.1.14 and earlier versions of JInitiator.  Just like the previously fixed JInitiator vulnerabilities, this vulnerability has a CVSS score of 9.3 because it could allow an attacker to gain full control of the targeted client (e.g. workstation) at the Operating System level, but it cannot result in a compromise of the server component. 

This fourteenth CPU also marks another milestone!  For the first time, the CPU includes fixes for Oracle�s Siebel CRM Applications.  As a matter of policy, Oracle tries to synchronize the release of the security patches of acquired product lines with the CPUs, and ultimately ensure that new product lines join the CPU process (in the way that PeopleSoft, JD Edwards, and now Siebel have). 

The CPU fixes for Siebel CRM Applications will be cumulative for the product line in which they apply (There are currently four supported product lines).  This will allow customers who have previously skipped security patches to quickly catch up by applying the most current CPU. 

The inclusion of Siebel Enterprise products in the CPU process provides former Siebel customers with a number of benefits.  Under the Siebel model, security fixes were typically included, along with non-security fixes, in the �Fix Packs�.  The most significant vulnerabilities could also be fixed with dedicated ad hoc (unscheduled and non-cumulative) fixes.  The inclusion of Siebel Enterprise products in the CPU process therefore provides customers enhanced visibility to security fixes.  In addition, customers benefit from the predictability of the CPU schedule, thus potentially reducing the cost of security management in their environment.

The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts.  Oracle Technology Network also hosts additional information about Oracle�s implementation of the CVSS 2.0 standard and a glossary of the terms used in the Risk Matrices in the CPU Advisory.  The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources.

Hi, this is Eric Maurice again.

A number of publications recently reported about a new way to hack Oracle databases.  These articles were in fact referring to a recently published paper by David Litchfield, titled Lateral SQL Injection: A New Class of Vulnerability in Oracle. 

SQL Injections are a very well known class of attacks, which can affect virtually any relational databases when no or insufficient input validation has been implemented.

In simple terms, SQL Injection attacks are designed to leverage improper coding of database-powered applications that, in the absence of proper input validation, allow a malicious attacker to insert string input to an application. In such scenario, an attacker can "inject" or pass on harmful SQL commands, which will then be executed by the back-end database. The consequences of successful SQL Injections can be severe: an attacker could gain access to sensitive data, manipulate database information, and in some instances, change the structure of the database, deny legitimate access to it, or grant unauthorized privileges to himself or to others. Web applications are particularly at risk because -- exposed to the Internet -- they often allow an attacker to perpetrate SQL injection attacks without being authenticated to the targeted database or application.

An important aspect of Oracle Software Security Assurance is sharing security information and recommended practices with customers so that they can optimize their security posture. We recently posted a SQL Injection tutorial online that demonstrates how to properly implement input validation controls and prevent this kind of attacks.

In his paper, David explains that in certain circumstances, SQL Injections can also take place in procedures that are not intended to take user input. Note however, that in such a scenario, setting up the attack requires that the attacker had been previously granted a database account with necessary privileges. David concludes that it is doubtful that this kind of attacks becomes:exploitable in the normal sense.

While some may consider the topic of Lateral SQL Injections as mostly academic, and relevant only for the security researchers community, I think this paper has the merit of further raising the awareness of database administrators and programmers to SQL Injections. SANS and others have flagged this class of attacks as a primary threat for database-driven sites and applications. In my opinion, proper input validation constitutes a required security practice that needs to be extended to all functions and procedures, whether they are expected or not to take user input. Furthermore, as expressed in the SQL Injection training and in the Oracle documentation, bind variables should be used as much as possible.

As discussed above, SQL injection happens when a dynamic SQL statement is constructed from user input. In the case of the attack discussed in David's paper, the dynamic SQL statement is being constructed from data stored in the database. The values are then being converted into character strings based on a template provided by the system. It is this template, as opposed to the stored value, that controls what will be injected.

When bind variables are properly used, the bind variable name is physically part of the SQL statement, but this bind variable is used as a reference to the rendered value. As a result, the rendered value is never interpreted directly as part of the SQL statement; therefore no SQL Injection can take place.

In some instances, like DDL operations where a database object needs to be constructed, Oracle administrators do not have the option of using a bind variable. In this instance, the DBMS_ASSERT package should be used to correctly handle the rendered value, either ENQUOTE_LITERAL when it is going to be used as a literal or ENQUOTE_NAME when it is going to be used as the name of a SQL object.

For more information, see the online tutorial Defending Against SQL Injection Attacks.  Information on Oracle Software Security Assurance is available on Oracle.com.