Updates from September, 2017

  • Anıl Akduygu 19:20 on 24 September 2017
    Tags: CVE, CVE-2017-9805, Oracle WebLogic Server

    New Security Patch - CVE-2017-9805

    Although Oracle is going to release its Security Patch Updates on 17 October 2017, it announced a new security patch for CVE-2017-9805 on 22 September, and Oracle strongly recommends applying it. If you decide to apply it, apply it to the test environment first and then to the live environment. It is hard to decide whether to wait for the quarterly Critical Patch Update or to apply a single patch to cover the three weeks until then. The decision is up to customers.

    This patch is not related to Oracle databases. It is about the Apache Struts 2 product. Simply put, it is a middleware product. The affected products are:

    · Oracle Financial Services Applications

    · Oracle Fusion Middleware

    · Oracle MySQL

    In particular, Oracle WebLogic Server is affected by this security vulnerability.

    If you are using these products, this is the web page about CVE-2017-9805.

    For detailed information and to see all affected products, you should look at this page.

    Oracle Security Alert Advisory – CVE-2017-9805 List of Affected Products and Versions

    If you decide to apply this patch for Oracle WebLogic Server, you can find the patches in this Metalink note.

    Security Alert CVE-2017-9805 Patch Availability Document for WebLogic Server (Doc ID 2309128.1)

    Good Luck.

    Anıl.

     

     
  • Anıl Akduygu 17:34 on 23 September 2017
    Tags: session_roles, sys_session_roles

    Masking Data according to User roles in Oracle Database with Data Redaction 

    In this note I will show you how you can mask data according to users' roles by using Data Redaction. I will not explain Data Redaction in detail; I assume that you already know about it. In the future I will give detailed information about Oracle Advanced Security and Data Redaction.

    In this note we will use Data Redaction to mask data according to session roles. Virtual Private Database can be used instead of Data Redaction; I will show that in another note.

    I will explain this subject with a sample. In the sample we have a user that holds the data (rep_user), an application user (app_user, which can see all data) and inq_user (data will be masked for this user). In the example, only users that have a special role (redact_role) are not affected by the data redaction policy.

    Let's build up the environment and create the users.

    First, create rep_user.

    Create app_user.

    Create inq_user and redact_role.

     

    We simply create a table with one column, and we will mask this column with Data Redaction.

    Insert some data into this table and grant access on the table to app_user and inq_user.

    Now both app_user and inq_user can select from this table.

    Now create the Data Redaction policy to hide the data.

    According to our policy, only users with redact_role are not affected by the policy.

    To do this, grant redact_role to app_user.

    Now app_user can see the data that is masked, but other users (inq_user) cannot reach this data.

    Let's test it.

    Masked numeric data is shown as 0 by Data Redaction (by default).

    As you see, we can hide data according to the user's role by using the SYS_CONTEXT function. You can adapt this case to your needs.
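The steps above written out as an added example, which is not the author's original scripts: the table, column, policy name, passwords and the USERS tablespace are assumptions, and only rep_user, app_user, inq_user and redact_role come from the post.

```sql
-- Added example. Run as a DBA account with EXECUTE on DBMS_REDACT.
-- Hypothetical names: redact_demo, amount, REDACT_DEMO_BY_ROLE, passwords,
-- and the USERS tablespace.

CREATE USER rep_user IDENTIFIED BY "ChangeMe_1" QUOTA UNLIMITED ON users;
CREATE USER app_user IDENTIFIED BY "ChangeMe_2";
CREATE USER inq_user IDENTIFIED BY "ChangeMe_3";
GRANT CREATE SESSION TO rep_user, app_user, inq_user;

CREATE ROLE redact_role;

-- One-column table owned by rep_user, with a few constructed rows.
CREATE TABLE rep_user.redact_demo (amount NUMBER);
INSERT INTO rep_user.redact_demo VALUES (1500);
INSERT INTO rep_user.redact_demo VALUES (27000);
COMMIT;

GRANT SELECT ON rep_user.redact_demo TO app_user, inq_user;

-- Full redaction of AMOUNT whenever redact_role is NOT enabled in the
-- querying session. SYS_CONTEXT('SYS_SESSION_ROLES', '<role>') returns
-- 'TRUE' or 'FALSE' for the current session.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'REP_USER',
    object_name   => 'REDACT_DEMO',
    policy_name   => 'REDACT_DEMO_BY_ROLE',
    column_name   => 'AMOUNT',
    function_type => DBMS_REDACT.FULL,
    expression    => q'[SYS_CONTEXT('SYS_SESSION_ROLES','REDACT_ROLE') = 'FALSE']'
  );
END;
/

-- Exempt the application user by granting the role.
GRANT redact_role TO app_user;

-- Verify from two new sessions, one as app_user and one as inq_user:
-- the first column shows how the policy expression evaluates for that session.
SELECT SYS_CONTEXT('SYS_SESSION_ROLES', 'REDACT_ROLE') AS has_redact_role,
       amount
FROM   rep_user.redact_demo;
```

Accounts that hold the EXEMPT REDACTION POLICY privilege bypass the policy regardless of role, and redact_role has to be enabled in the session (a new login after the grant) before the expression sees it.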

    You can reach all scripts on GitHub.

    Thanks.

    Anıl Akduygu

     
  • Anıl Akduygu 20:02 on 9 September 2017

    Applying July 2017 Oracle WebLogic Server Security Patch Part – 2 

    In this note I will show you how you can install the July 2017 Oracle WebLogic Server Security Patch. In my first note I showed how you can download this security patch.

    I assume that you have read the first note and downloaded the B25A security patch, so now we can install it. Before you start, do not forget to take a full backup of your system. What this backup covers depends on your system configuration.

    First go to the Middleware home and set the environment with the commands below:

    cd /oracle/Middleware/wlserver_10.3/server/bin
    . setWLSEnv.sh
    cd $MW_HOME/utils/bsu

    To check the environment variables, run the version check with the command below.

    java weblogic.version

    WebLogic Server 10.3.6.0.170418 PSU Patch for BUG25388747 WED MAR 21 18:34:42 IST 2017
    WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050

    As you see, I had installed the April 2017 security patch, because the WebLogic Server version is 10.3.6.0.170418. Before starting the upgrade, get detailed information about the applied WebLogic patches with the command below.

    $ ./bsu.sh -prod_dir=/oracle/Middleware/wlserver_10.3  -status=applied -verbose -view

    ProductName:       WebLogic Server
    ProductVersion:    10.3 MP6
    Components:        WebLogic Server/Core Application Server,WebLogic Server/Administration Console,WebLogic Server/Configuration Wizard and Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Server,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic Server/WebLogic Server Clients,WebLogic Server/WebLogic Web Server Plugins,WebLogic Server/UDDI and Xquery Support,WebLogic Server/Evaluation Database,WebLogic Server/Workshop Code Completion Support
    BEAHome:           /oracle/Middleware
    ProductHome:       /oracle/Middleware/wlserver_10.3
    PatchSystemDir:    /oracle/Middleware/utils/bsu
    PatchDir:          /oracle/Middleware/patch_wls1036
    Profile:           Default
    DownloadDir:       /oracle/Middleware/utils/bsu/cache_dir
    JavaVersion:       1.6.0_29
    JavaVendor:        Sun
    Patch ID:          RVBS
    PatchContainer:    RVBS.jar
    Checksum:          1748595871
    Severity:          optional
    Category:          General
    CR/BUG:            25388747
    Restart:           true
    Description:       WLS PATCH SET UPDATE 10.3.6.0.170418
                       WLS PATCH SET UPDATE 10.3.6.0.170418

    As you see, the download directory is

    DownloadDir:       /oracle/Middleware/utils/bsu/cache_dir

    and the latest applied patch is

    PatchContainer:    RVBS.jar

    First we will uninstall this patch and then we will install the latest patch.

    cd /oracle/Middleware/utils/bsu

     ./bsu.sh -remove -patchlist=RVBS   -prod_dir=/oracle/Middleware/wlserver_10.3

    Now that we have uninstalled the latest patch, check the WebLogic Server version.

    java weblogic.version

    WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
    Use 'weblogic.version -verbose' to get subsystem information
    Use 'weblogic.utils.Versions' to get version information for all modules

    Now our version is 10.3.6.0, which is the base release, so we can apply the July 2017 security patch. Put the downloaded patch file into

    DownloadDir:       /oracle/Middleware/utils/bsu/cache_dir 

    And start applying patch with the below command:

    ./bsu.sh -install -patchlist=B25A -prod_dir=/oracle/Middleware/wlserver_10.3

    Checking for conflicts....
    No conflict(s) detected
    Installing Patch ID: B25A..
    Result: Success

    As you see, the result is Success. Check the WebLogic Server version again.

    java weblogic.version

    WebLogic Server 10.3.6.0.170718 PSU Patch for BUG25869650 MON JUNE 05 18:34:42 IST 2017
    WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050

    Now our version is 10.3.6.0.170718, which is the correct version.

    Thanks for reading this note.

    Anil.

     