New Information about Spectre and Meltdown vulnerabilities in Oracle products

Oracle has made new announcements about the Spectre and Meltdown vulnerabilities. Put simply, Oracle now offers new solutions for the products below.

Affected Products                                            Patch Availability
Oracle Audit Vault and Database Firewall [Product ID 9749]   MOS note 2359424.1
Oracle Big Data Appliance [Product ID 9734]                  MOS note 2357485.1
Oracle Exadata Database Machine [Product ID 2546]            MOS note 2356385.1
Oracle Exalogic Elastic Cloud [Product ID 9415]              MOS note 2348852.

This chart is taken from the Metalink note Addendum to the January 2018 CPU Advisory for Spectre and Meltdown (Doc ID 2347948.1).

Put simply:

For Oracle Exadata Database Machine: the minimum versions of Exadata Storage Software required to resolve the vulnerabilities are 18.1.4.0.0 and 12.2.1.1.6 for Spectre CVE-2017-5753 and CVE-2017-5754.

For Meltdown CVE-2017-5715, Oracle is waiting for a microcode update from Intel for x86 processors.

For Oracle Big Data Appliance: the remediation plan is in the Metalink note How To Upgrade a Kernel on BDA V4.2 and Higher/V4.1 (Doc ID 2033797.1).

For Oracle Exalogic Linux: the remediation plan is in the Metalink note Patch Availability for Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities on Oracle Exalogic Linux Physical and Virtual Racks (Doc ID 2348852.1).

For Oracle Audit Vault and Database Firewall: the remediation plan is in the Metalink note Patch Availability for Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities on Oracle Exalogic Linux Physical and Virtual Racks (Doc ID 2348852.1).

The first Oracle announcement is covered in this document:

https://yusufanilakduygu.wordpress.com/2018/01/17/oracle-announcement-about-spectre-and-meltdown/

Thanks for reading this note.

Anıl Akduygu


Privilege Analysis in Oracle 12c: A Quick Overview

Privilege Analysis is a new feature of Oracle 12c. It is part of Oracle Database Vault: put simply, you have to buy an Oracle Database Vault license to use Privilege Analysis. But you do not need to enable Oracle Database Vault to use Privilege Analysis, because it ships with Oracle 12c Enterprise Edition.

Privilege Analysis is used for identifying unused privileges and roles in the database. Discovering the set of unused roles and privileges is important for making the database more secure. By using Privilege Analysis, we can define the minimum set of privileges for users and roles.

The procedure for Privilege Analysis is simple.

The First Step:

You have to create a privilege analysis (a capture) with the DBMS_PRIVILEGE_CAPTURE package.

In order to use privilege analysis, the CAPTURE_ADMIN role must be granted to the user.

There are four types of privilege analysis, selected by the type parameter of DBMS_PRIVILEGE_CAPTURE.create_capture:

type => DBMS_PRIVILEGE_CAPTURE.g_database creates a privilege analysis for the whole database.

type => DBMS_PRIVILEGE_CAPTURE.g_role creates a privilege analysis for a list of roles.

type => DBMS_PRIVILEGE_CAPTURE.g_context creates a privilege analysis for the sessions that match a logical expression built with the SYS_CONTEXT function.

type => DBMS_PRIVILEGE_CAPTURE.g_role_and_context creates a privilege analysis defined by both a list of roles and a logical expression.

For example, to create a privilege analysis for the whole database we use the command below:

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Full Database',
type => DBMS_PRIVILEGE_CAPTURE.g_database
);
END;
/

PL/SQL procedure successfully completed.

In order to create a privilege analysis for a set of defined roles, we use the command below:

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Listed Roles',
type => DBMS_PRIVILEGE_CAPTURE.g_role,
roles => role_name_list('RoleName1', 'RoleName2') );
END;
/

PL/SQL procedure successfully completed.

In order to create a privilege analysis for the user USER01, we use the command below:

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Conditional',
type => DBMS_PRIVILEGE_CAPTURE.g_context,
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);
END;
/

In order to create a privilege analysis for USER01 for the time it uses the DBA role, we use the command below. In this way we can find out for what reason USER01 uses the DBA role. For example, USER01 may use the DBA role only to create tables. In that case, we can give USER01 only the CREATE TABLE privilege instead of the DBA role.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Role and Condition',
type => DBMS_PRIVILEGE_CAPTURE.g_role_and_context,
roles => role_name_list('DBA'),
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);
END;
/

PL/SQL procedure successfully completed.

We use the commands below to list the created privilege analyses:

COLUMN name FORMAT A15
COLUMN roles FORMAT A20
COLUMN context FORMAT A30

SQL> select name,type,roles,context FROM dba_priv_captures;

The Second Step:

We start the privilege analysis with the command below:

BEGIN
DBMS_PRIVILEGE_CAPTURE.enable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Third Step:

After waiting for a while (it can be one week or one month), we have to stop the privilege analysis with the command below. During that time Oracle keeps records for the privilege analysis.

BEGIN
DBMS_PRIVILEGE_CAPTURE.disable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

The Fourth Step:

We generate the result for the capture with the command below:

BEGIN
DBMS_PRIVILEGE_CAPTURE.generate_result('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Fifth Step:

Now we use the views below to work on our captured data.

DBA_PRIV_CAPTURES
DBA_USED_PRIVS
DBA_UNUSED_PRIVS
DBA_USED_OBJPRIVS
DBA_UNUSED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_UNUSED_OBJPRIVS_PATH
DBA_USED_SYSPRIVS
DBA_UNUSED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_UNUSED_SYSPRIVS_PATH
DBA_USED_PUBPRIVS
DBA_USED_USERPRIVS
DBA_UNUSED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_USERPRIVS_PATH
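
The five steps above, run end to end for the "Role and Condition" case (what USER01 actually exercises out of the DBA role) and followed by the queries that turn the captured data into a least-privilege grant list. This is an added example, not code from the original post: the capture name PA_USER01_DBA and the account USER01 are placeholders, it assumes a session that holds CAPTURE_ADMIN, and the column names it uses (USERNAME, USED_ROLE, ROLENAME, SYS_PRIV, OBJ_PRIV, OBJECT_OWNER, OBJECT_NAME) are the documented ones for the 12c DBA_USED_PRIVS and DBA_UNUSED_PRIVS views.

```sql
-- Added example, not from the original post. Placeholders: capture name
-- PA_USER01_DBA and account USER01. Run as a user that holds CAPTURE_ADMIN.

-- Step 1: create the capture. Only sessions of USER01 are observed, and only
-- the privileges that reach those sessions through the DBA role are analysed.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.create_capture(
    name      => 'PA_USER01_DBA',
    type      => DBMS_PRIVILEGE_CAPTURE.g_role_and_context,
    roles     => role_name_list('DBA'),
    condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''USER01''');
END;
/

-- Step 2: start recording. Keep it enabled for a complete business cycle
-- (month-end jobs included); anything USER01 does not run inside this
-- window will be reported as unused.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.enable_capture('PA_USER01_DBA');
END;
/

-- ... USER01 does its normal work here ...

-- Steps 3 and 4: stop recording and populate the DBA_USED_* / DBA_UNUSED_* views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.disable_capture('PA_USER01_DBA');
  DBMS_PRIVILEGE_CAPTURE.generate_result('PA_USER01_DBA');
END;
/

-- Step 5a: system and object privileges USER01 really exercised via DBA.
-- SYS_PRIV is filled for system privileges, OBJ_PRIV for object privileges.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'PA_USER01_DBA'
 ORDER BY sys_priv NULLS LAST, object_owner, object_name;

-- Step 5b: draft the replacement grants, one direct grant per used privilege,
-- so the DBA role can be revoked from USER01 once a human has reviewed the
-- list. Privileges of the form "... ANY ..." deserve a second look before
-- they are re-granted: they are usually why the role was too wide.
SELECT 'GRANT ' || sys_priv || ' TO ' || username || ';' AS ddl
  FROM dba_used_privs
 WHERE capture = 'PA_USER01_DBA' AND sys_priv IS NOT NULL
UNION
SELECT 'GRANT ' || obj_priv || ' ON ' || object_owner || '.' || object_name
       || ' TO ' || username || ';'
  FROM dba_used_privs
 WHERE capture = 'PA_USER01_DBA' AND obj_priv IS NOT NULL;

-- Step 5c: the size of the cut: how many DBA privileges were never touched.
SELECT COUNT(*) AS unused_dba_privs
  FROM dba_unused_privs
 WHERE capture = 'PA_USER01_DBA' AND rolename = 'DBA';

-- Clean up once the report has been saved. Dropping the capture also drops
-- its results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.drop_capture('PA_USER01_DBA');
END;
/
```

Run it as a script in SQL*Plus, and save the output of steps 5a and 5b before the final drop, because the results disappear with the capture. A privilege that is absent from DBA_USED_PRIVS is only "unused during the recording window", which is why the window has to cover the rarely run jobs before anything is revoked.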

 

Thanks for reading this note.

In the near future, I will give much more information about this subject.

Y. Anıl Akduygu

 

January 2018 Oracle Critical Patch Update

Oracle has announced the January 2018 Critical Patch Update. This patch includes 238 new security fixes. At the same time, this CPU contains a special addendum for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities (https://yusufanilakduygu.wordpress.com/2018/01/17/oracle-announcement-about-spectre-and-meltdown/).

All details about this CPU can be found at this site:

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

In this note, we will focus on the Oracle Database, Oracle WebLogic Server and MySQL products.

Let's start with Oracle Database.

This PSU contains 5 new security fixes for the Oracle Database Server. With three of these vulnerabilities, the Oracle database may be exploited over a network without requiring user credentials. One vulnerability, CVE-2017-10282, is very critical in versions 12.1.0.2 and 12.2.0.1: with it, a user who has the CREATE SESSION privilege and the EXECUTE_CATALOG_ROLE role can escalate privileges easily.


You can find the fixes for these vulnerabilities in this Metalink note:

Critical Patch Update (CPU) Program January 2018 Patch Availability Document (PAD) (Doc ID 2325393.1)

Simply put, the Oracle Database patch list is given below:

  • Combo OJVM PSU 11.2.0.4.180116 (CPUJan2018) and Database SPU 11.2.0.4.171017 (CPUOct2017) Patch 27010991 for UNIX
  • Combo OJVM PSU 12.1.0.2.180116 and Database PSU 12.1.0.2.180116 Patch 27010839 for UNIX
  • Combo OJVM RU 12.2.0.1.180116 and Database RU 12.2.0.1.180116 Patch 27010695 for UNIX
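
Two checks that go with the paragraph on CVE-2017-10282 and with this patch list, written as an added example and not taken from the post or from Oracle's advisory. The first lists the accounts that currently match the condition the advisory describes (able to log in and holding EXECUTE_CATALOG_ROLE, directly or through nested roles), so they can be reviewed until the PSU is in place; the second shows which SQL patches datapatch has registered, which is how you confirm the combo patch actually landed. Both assume a SYSDBA or SELECT_CATALOG_ROLE session and use only the standard DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_USERS and DBA_REGISTRY_SQLPATCH views; no patch number is hard-coded, because a combo patch registers its sub-patches under their own ids.

```sql
-- Added example, not from the original post. Needs a session with
-- SELECT_CATALOG_ROLE or SYSDBA; nothing here is specific to one patch number.

-- Check 1: accounts that can open a session and hold EXECUTE_CATALOG_ROLE,
-- either directly or through any chain of nested roles. Oracle refuses
-- circular role grants, so the recursion always terminates.
WITH role_chain (grantee, via_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
   WHERE granted_role = 'EXECUTE_CATALOG_ROLE'
  UNION ALL
  SELECT rp.grantee, rp.granted_role
    FROM dba_role_privs rp
    JOIN role_chain rc ON rp.granted_role = rc.grantee
)
SELECT u.username, u.account_status, rc.via_role
  FROM role_chain rc
  JOIN dba_users u ON u.username = rc.grantee
 WHERE EXISTS (SELECT 1 FROM dba_sys_privs sp
                WHERE sp.grantee = u.username
                  AND sp.privilege = 'CREATE SESSION')
    OR EXISTS (SELECT 1 FROM dba_role_privs cr
                WHERE cr.grantee = u.username
                  AND cr.granted_role = 'CONNECT')  -- CONNECT carries CREATE SESSION
 ORDER BY u.username, rc.via_role;

-- A grant to PUBLIC would not join to DBA_USERS above, so check it separately.
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC' AND granted_role = 'EXECUTE_CATALOG_ROLE';

-- Check 2: what datapatch has registered in this database. After the combo
-- patch is applied, the CPUJan2018 database PSU/RU and the OJVM PSU should
-- both be listed with STATUS = 'SUCCESS'.
SELECT patch_id, patch_uid, action, status,
       TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI') AS applied_at,
       description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;
```

The first query is an inventory, not a fix: its output is the list of accounts whose access should be justified, locked, or narrowed while the patch is scheduled, and it should be empty of anything but administrative accounts after the review.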

Let's continue with Oracle Fusion Middleware. The base score for this product starts from 9.9.

This CPU contains 27 new security fixes for Oracle Fusion Middleware, and 21 of these vulnerabilities may be remotely exploitable without authentication.

The most critical fixes were listed in a screenshot from the advisory (not reproduced here). If you have Oracle WebLogic Servers that serve on the Internet, you have to apply these patches immediately.

To find the patches, look at Metalink document Doc ID 2325393.1.

The Oracle MySQL part of the CPU contains 25 new security fixes for Oracle MySQL, and 6 of these vulnerabilities may be remotely exploitable without authentication. The most important vulnerabilities were listed in a screenshot from the advisory (not reproduced here).

It goes without saying, but I have to say it anyway: you should apply this patch as soon as possible.

Thanks for reading this note

Good Luck.

Anıl Akduygu

Oracle Announcement about Spectre and Meltdown vulnerabilities

Oracle announced the January 2018 Critical Patch Update today. I will prepare a special note about this patch in the near future. But the important point is that there is a special addendum in this Critical Patch Update about the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.

You can read this addendum in the Metalink document "Addendum to the January 2018 CPU Advisory for Spectre and Meltdown (Doc ID 2347948.1)".

Put simply:

At the moment Oracle puts the products affected by Spectre and Meltdown into three categories: Products with Patches Available, Products with Patches Pending, and Products under Investigation.

For now Oracle offers a solution only for the products below:

Product                   Document
Oracle Linux              MOS Note 2348448.1
Oracle VM                 MOS Note 2348460.1
Oracle VM VirtualBox      MOS Note 2339562.1
Oracle X86 Servers        MOS Note 2336753.1

But at the moment there are too many "patch pending" products. Some important pending products, especially those related to Oracle Database, are listed below (you can read the full list in Doc ID 2347948.1):

  • Oracle Big Data Appliance
  • Oracle Database Appliance
  • Oracle Exadata Database Machine
  • Oracle Exalogic Elastic Cloud
  • Oracle Solaris Cluster
  • Oracle Solaris Operating System
  • Oracle SPARC Servers
  • Oracle SuperCluster
  • Oracle ZFS Storage Appliance (ZFSSA)

As you see, these are major products for Oracle, and they are waiting for a solution. Oracle has announced that the status of these products will be mailed to OTN Security Alerts subscribers soon.

Thanks for reading this note.

Anil Akduygu

 

 

Patching for Meltdown CPU Vulnerability CVE-2017-5754 on Linux

A few weeks ago a very critical vulnerability was announced: the Meltdown CPU vulnerability, CVE-2017-5754. This vulnerability breaks the isolation between user application memory and operating system memory. Through it, attackers can access other programs' memory to reach secret information. Nearly all operating systems are affected by this vulnerability. In this note, I will show you how you can protect your Oracle Linux servers and Ubuntu clients from this vulnerability.

For RHEL Linux, the fix is available in the kernel versions below:

RHEL 6.x [2.6.32-696.18.7] / 7.x [3.10.0-693.11.6]

On my test server:

[oracle@ol7 ~]$ uname -r
3.8.13-35.3.1.el7uek.x86_64

and then start updating the patches as the root user.

[oracle@ol7 ~]$ yum update

[Screenshot: output of yum update, not reproduced here]

 

For Ubuntu Linux 16.04 / 17.10 / 14.04, patches are available. To deploy these patches:

First, check the kernel version of the operating system:

uname -r

and get the latest version:

sudo apt-get update

[Screenshot: the fixes listed by apt-get, not reproduced here]

Thanks for reading this note.

Anıl Akduygu

 

For more information:

https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/

https://meltdownattack.com/

https://access.redhat.com/security/cve/cve-2017-5754

https://access.redhat.com/security/vulnerabilities/speculativeexecution

 

 

 

 

Installing MySQL to Ubuntu 17.10

In this note, I will show you how you can install the latest version of MySQL on Ubuntu 17.10. For this, I will use a virtual machine that runs on Oracle VM VirtualBox.

Before the installation, you need to download and install the MySQL APT repository. This repository provides deb packages to install and manage the MySQL server, client, and other components on Linux machines.

Go to this website to get the latest version of the MySQL APT repository:

https://dev.mysql.com/downloads/repo/apt/

And use this web page to follow the latest installation instructions:

https://dev.mysql.com/doc/mysql-apt-repo-quick-guide/en/#apt-repo-fresh-install

Check your Linux version with this command:

lsb_release -a

As the output shows, in this document we are using Ubuntu 17.10. Download the MySQL APT repository from the page above. You need an Oracle account to download this repository.

 

Capture

 

After downloading the DEB package, the installation starts immediately.

Click Install.

Enter the password for authentication. The configuration phase starts.

Choose Forward.

At the end of the configuration, choose OK and the installation starts.

Now we can install MySQL:

Update the package information from the MySQL APT repository with the following command:

sudo apt-get update

Install MySQL with the following command:

sudo apt-get install mysql-server

Enter the password for the root user.

Check the status of the MySQL server with the following command:

sudo service mysql status

In order to stop the MySQL server use the following command:

sudo service mysql stop

In order to restart the MySQL server use the following command:

sudo service mysql start

Now your MySQL database is ready for your use.
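
A few checks worth running right after the installation above, as an added example that is not part of the original post and not MySQL's own tooling: they confirm which release the APT repository delivered, surface the accounts a default install leaves behind, and remove the ones you do not need. Written for the mysql client on MySQL 5.7 or 8.0, connected as root; the mysql.user columns used (User, Host, plugin, authentication_string, account_locked) are the documented ones for those releases, and the host values in the DROP USER statements are typical defaults, not something read from this machine.

```sql
-- Added example, not from the original post. Run in the mysql client as root
-- on a fresh MySQL 5.7 / 8.0 install.

-- 1. Which release was installed? Compare it with the version listed in the
--    latest Critical Patch Update before exposing the server to anything.
SELECT VERSION() AS server_version;

-- 2. Accounts to review on a fresh server: anonymous users, root reachable
--    from a non-local host, and accounts with no credential hash (empty
--    authentication_string is also what auth_socket accounts show, where the
--    OS user is the credential, so read the plugin column alongside it).
SELECT User, Host, plugin,
       (authentication_string = '') AS no_credential,
       account_locked
  FROM mysql.user
 WHERE User = ''
    OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'))
    OR authentication_string = ''
 ORDER BY User, Host;

-- 3. Remove what a default install may leave behind (the same work
--    mysql_secure_installation does interactively). IF EXISTS makes each
--    statement safe to re-run; adjust the hosts to what query 2 reported.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';
DROP DATABASE IF EXISTS test;

-- 4. Confirm the server is not listening on every interface unless remote
--    clients are actually expected (otherwise set bind_address in mysqld.cnf).
SHOW VARIABLES LIKE 'bind_address';
```

Query 2 is the one to keep: run it again after every package upgrade, since a reinstall can recreate the anonymous and remote-root accounts that step 3 removed.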

Thanks for reading this note.

Anıl Akduygu

DBHack – Black Box Database Testing Tool

 

Hello guys,

I developed a free open source software appliance, DBHack, for ethical hackers to do black box testing on databases. All of its code is on GitHub, but it is served as an Oracle VirtualBox machine. It is free and can be used anywhere. In this version only the Oracle and MS SQL Server black box tests are ready. It is still under development. You can download it and get information from the web address below.

https://www.dbsecurity.info/

I hope that you will try it.