Updates from July, 2017

  • Anıl Akduygu 18:28 on 22 July 2017
    Tags: Oracle 2017 patch

    Oracle July 2017 Critical Patch Update 

    The Oracle July 2017 Critical Patch Update (CPU) has been released on this page. This CPU includes 308 new security fixes across all Oracle products. A Critical Patch Update (CPU) is a collection of patches for security vulnerabilities, and CPUs are released in a cumulative manner.

    In Document ID 2282980.1 (Metalink note) you can find the Executive Summary and Analysis for the Oracle July 2017 CPU.

    In this note, I will give brief information about the critical vulnerabilities which are fixed in this CPU, especially the most critical ones. The severity of the vulnerabilities is scored with the Common Vulnerability Scoring System (CVSS) v3.0; under this classification, vulnerabilities with a CVSS score between 9 and 10 are called critical. The important point about these vulnerabilities is that a system can be compromised over the network without authentication.

    Let's start with the Database CPUs.

    This patch contains a fix for CVE-2017-10202, a vulnerability in the OJVM component of Oracle Database Server. This vulnerability is remotely exploitable without authentication. Its CVSS score is 9.9, which is very high compared with the scores of other patches in 2017. This is the maximum score in 2017.

    If you look at the Oracle Fusion Middleware patches, you will see CVE-2017-10137 (JNDI), CVSS Base Score: 10.0. Over the HTTP protocol, an intruder can easily compromise Oracle WebLogic Server without authentication.

    Another very important patch, for the MySQL database, is CVE-2016-4436 (Apache Struts 2). Its score is 9.9. An attacker can compromise the MySQL database via HTTP over TLS without authentication.

    As you see, there are very important fixes for security vulnerabilities in the July 2017 CPU. Therefore I advise you to apply this CPU in the meantime.

     
  • Anıl Akduygu 11:49 on 20 July 2017
    Tags: dba_users

    Oracle 12c New Security Features – 02 DBA_USERS new columns 

    One of the security improvements in Oracle 12c is the set of new columns in the DBA_USERS view.
    These newly added columns are very useful for security administrators.
    In the picture below you can see the definition of DBA_USERS in Oracle 11g.

    [Screenshot: DBA_USERS definition in Oracle 11g]

    The definition of DBA_USERS in Oracle 12c is given below.

    [Screenshot: DBA_USERS definition in Oracle 12c]

    As you see, four new columns are added. These are:

    PROXY_ONLY_CONNECT
    COMMON
    LAST_LOGIN
    ORACLE_MAINTAINED

    Now let's work through these new columns.

    PROXY_ONLY_CONNECT

    This column shows whether a user can connect directly (value N) or can only be proxied (value Y) by users.
    Let's query this column:

    [Screenshot: query of the PROXY_ONLY_CONNECT column]

    You can enable or disable this attribute of a user with the ALTER USER command.

    [Screenshot: ALTER USER command]

    COMMON

    This column shows whether the user is a COMMON user.

    COMMON users are used in multitenant databases, which were introduced in Oracle 12c. In another note, I will explain multitenant databases in Oracle 12c.

    This column can have two values: YES or NO.

    YES means this user is a COMMON user.

    NO means this user is a local user.

    Let's query this column:

    [Screenshot: query of the COMMON column]


    LAST_LOGIN

    The LAST_LOGIN column is very useful for database security administrators, and it solves a very important problem of Oracle 11g. This column shows the user's last logon time. In Oracle 11g we had to create a logon trigger and a special table to find and keep each user's last logon time. Now, in Oracle 12c, there is nothing to set up; you just query this column to find the time of the user's last logon.

    To query the LAST_LOGIN column you use the query below. If the LAST_LOGIN column is null, it means that this user has not connected to the database yet.

    [Screenshot: query of the LAST_LOGIN column]

    ORACLE_MAINTAINED

    This is another very important new column in the Oracle 12c database.

    If the value of this column is 'Y', the user was created by, and can only be managed by, Oracle-supplied scripts (scripts provided by Oracle). You must not change any properties of these users. This column is very important when running security control scripts. In some security controls you would like to exclude Oracle's pre-defined application users. In Oracle 11g you have to know these Oracle usernames (for example DBSNMP, MDSYS, CTXSYS, OUTLN…). In Oracle 11g, if you want to exclude Oracle-managed users from your selection in any security control, you have to write a very long condition like the one below:

    USERNAME NOT IN
    (
    'ANONYMOUS','CTXSYS','DBSNMP','EXFSYS','LBACSYS','MDSYS','MGMT_VIEW','OLAPSYS',
    'OWBSYS','ORDPLUGINS','ORDSYS','OUTLN','SI_INFORMTN_SCHEMA','SYS','SYSMAN',
    'SYSTEM','TSMSYS','WK_TEST','WKSYS','WKPROXY','WMSYS','XDB','APEX_PUBLIC_USER',
    'DIP','FLOWS_30000','FLOWS_FILES','MDDATA','ORACLE_OCM',
    'SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR','XS$NULL',
    'OWBSYS_AUDIT','ORDDATA','APEX_030200','APPQOSSYS','DVSYS','DVF'
    )

    But in Oracle 12c you can add a condition like

    ORACLE_MAINTAINED <> 'Y'

    to exclude Oracle-managed users.

    [Screenshot: query using the ORACLE_MAINTAINED condition]
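
    A security-review query that combines the four new columns, as an added example (it is not one of the author's scripts). The 90-day staleness threshold and the restriction to OPEN accounts are assumptions made for illustration; only DBA_USERS columns that exist in Oracle 12c are used.

```sql
-- Added example: list customer-created, open accounts that have never
-- logged in or have not logged in recently, using the 12c DBA_USERS columns.
-- Assumption: 90 days is an illustrative threshold; set it to local policy.
SELECT username,
       account_status,
       common,               -- YES = common user, NO = local user
       proxy_only_connect,   -- Y = can only be reached through a proxy user
       created,
       last_login,
       CASE
         WHEN last_login IS NULL
           THEN 'NEVER LOGGED IN'
         WHEN last_login < SYSTIMESTAMP - INTERVAL '90' DAY
           THEN 'STALE'
       END AS login_state
FROM   dba_users
WHERE  oracle_maintained <> 'Y'      -- replaces the long 11g NOT IN list
AND    account_status = 'OPEN'
AND    (   last_login IS NULL
        OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
ORDER  BY last_login NULLS FIRST,
          username;
```

    Accounts returned with NEVER LOGGED IN or STALE are candidates for locking or removal after confirming with their owners.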

    I uploaded all the scripts given in this note to GitHub:

    https://github.com/yusufanilakduygu/Wordpress-Posts/blob/master/DBA_USERS%20new%20columns

     

    Have a good day.

    Anıl

     
  • Anıl Akduygu 11:36 on 9 July 2017
    Tags: programming

    Starting with Python – Python Installation on Windows

    In this note, I will show you how you can install Python on your Windows system.

    If you have a Linux, Unix or Mac machine, you will see that Python is already installed. For example, on my virtual Linux system Python is already installed, as you can see in the picture below.

    [Screenshot: Python on the Linux system]

    But this is Python 2. In this note I will show you how you can install Python 3.

    Actually, there are not too many differences between Python 2 and Python 3. The most widely used libraries have now been ported to Python 3, and for new projects I advise you to start with Python 3.

    Before starting to install Python 3, please check whether Python is already installed on your Windows system. Now we can download Python 3 from this web site.

    https://www.python.org/downloads/

    [Screenshot: Python downloads page]

    Then run python-3.6.1 from the download directory. On my computer I have already downloaded Python 3, so when I start python-3.6.1.exe the screen below appears.

     

    [Screenshot: Python 3.6.1 installer]

    If this is your first installation, please choose Custom installation, because if you choose the default installation, the installation directory will be under your user directory. The best way is to choose default installation and install Python 3 to a directory named like c:\Python361

    Go on with Custom installation; choose all Optional Features.

    [Screenshot: Optional Features]

    Then press Next; at Advanced Options choose a directory to install Python.

    [Screenshot: Advanced Options]

    Wait for a while and Python is installed; start it with the command "python" in the installation directory.

    [Screenshot: python started from the installation directory]

    I can put the Python directory in the PATH variable. This way you can call python from any directory on your system.

    [Screenshot: PATH variable]

    Now you can play with your Python.

     

     