Oracle announced a new Security Alert, CVE-2017-10269, on November 14th, 2017, and strongly recommends applying the patch. The alert affects only the Jolt server component of Oracle Tuxedo; it has nothing to do with the Oracle Database or any other product. The vulnerability is remotely exploitable without authentication, and its CVSS base score is 10.0, the maximum, which means it is critical.
The affected product is Oracle Tuxedo, versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.
The patch availability document on My Oracle Support (Metalink) is:
Oracle Security Alert CVE-2017-10269 Patch Availability Document for Oracle Tuxedo (Doc ID 2326009.1)
The patch fixes all of the vulnerabilities covered by this alert:
CVE-2017-10269, CVE-2017-10272, CVE-2017-10267, CVE-2017-10278, CVE-2017-10266
The advisory itself is published as Oracle Security Alert Advisory – CVE-2017-10269.
Thanks for reading this note.
Oracle announced a new Security Alert, CVE-2017-10151, which affects only Oracle Identity Manager and has nothing to do with the Oracle Database or any other product. The vulnerability is remotely exploitable without authentication and its CVSS base score is 10.0, which means it is critical.
The patch availability document is:
Oracle Security Alert CVE-2017-10151 Patch Availability Document for Oracle Identity Manager (Doc ID 2322316.1)
The workaround is very simple: change the password of the OIMINTERNAL user.
If you use Oracle Identity Manager, apply this workaround as soon as possible, and then apply the patch itself once you have tested it; the password change closes the immediate exposure but is not a substitute for the fix.
Oracle released the Critical Patch Update (CPU) for October 2017 today. The CPU covers more or less all Oracle products. The general document covering the October 2017 CPU and its PSUs is on My Oracle Support (Metalink):
Patch Set Update and Critical Patch Update October 2017 Availability Document (Doc ID 2296870.1)
In this note we will focus on Oracle Database, Oracle WebLogic Server and MySQL.
Let's start with Oracle Database.
This CPU contains six new security fixes for the Oracle Database. Two of them are important: the vulnerabilities they fix may be exploited over a network without user credentials, and their base score is 8.8. Compared with the July 2017 CPU, these scores are lower.
I will show only those two critical fixes in this note.
If you want to apply these patches, the combo patches (the OJVM component together with the database PSU or SPU) are on Metalink:
For Oracle Database 126.96.36.199
Patch 26636246: COMBO OF OJVM RU COMPONENT 188.8.131.52.171017 + GIRU 184.108.40.206.171017
For Oracle Database 220.127.116.11
Patch 26636270: COMBO OF OJVM COMPONENT 18.104.22.168.171017 DBPSU + DBPSU 22.214.171.124.171017
For Oracle Database 126.96.36.199
Patch 26636315: COMBO OF OJVM COMPONENT 188.8.131.52.171017 DB PSU + DB SPU 184.108.40.206.171017
Continue with Oracle Fusion Middleware. The highest base score for this product family is 9.8, which is very high compared with the Oracle Database.
If you want to install this CPU, you can find the patches in Doc ID 2296870.1.
The patch numbers for Oracle WebLogic Server are given below.
Now on to MySQL: its highest base score is lower than the Oracle Database's, but two of its vulnerabilities are critical.
As a result, I advise you to apply this CPU as soon as possible, after testing it in a non-production environment first.
In this note we will start to work on Data Redaction by explaining Full Redaction. If you want a brief introduction to Data Redaction, read the first part of this note.
Let's start with Full Redaction.
Put simply, in Full Redaction the table column is completely masked.
Numeric columns are returned as 0, character columns as a single space and DATE columns as 01-JAN-01. The stored data is not changed; only the result set returned to the session is masked.
Let's show it with an example. We will redact the salary (SAL) column of the SCOTT.EMP table. First create our application user, USERA01; we will use this user to check how the SAL column is redacted.
Now check the original table (the EMP table of the SCOTT user). Before redaction all columns are visible, as you see.
Now, using the DBMS_REDACT package, we redact the SAL column. With the ADD_POLICY procedure we create a policy and add a column to it. Most parameters of ADD_POLICY are self-explanatory, so I do not explain them here, but the EXPRESSION parameter is very important. It must contain a logical (boolean) expression that is evaluated for every query: if the expression is TRUE, the column named in COLUMN_NAME is redacted; if it is FALSE, the column is not redacted. In this example I use the simple expression '1=1', which is always TRUE, so SAL is redacted for all users except those holding the EXEMPT REDACTION POLICY system privilege (I will explain this in the next note).
Now check the redaction policies by querying the REDACTION_POLICIES view.
If you want to see which columns are redacted, use the REDACTION_COLUMNS view.
Let's check whether Data Redaction is working. Connect as the previously created user USERA01 and query the SCOTT.EMP table.
As you see, the SAL column is redacted to 0 on every row; USERA01 cannot see the employees' salaries.
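The whole walkthrough above as one SQL*Plus script, added here as an example; it is not the script from the original note or its GitHub repository. It assumes the standard SCOTT sample schema is installed and that you run it as a DBA; the user USERA01 and its password are placeholders chosen for the demonstration. It also shows the check a practitioner should do after enabling a policy: the redacted column still carries its real value in a WHERE clause.

```sql
-- Added example, not the original note's script. Run as a DBA in SQL*Plus.
-- Assumptions: SCOTT.EMP exists; USERA01 and "ChangeMe_1" are placeholders.

-- 1. Application user that will read SCOTT.EMP
CREATE USER usera01 IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION TO usera01;
GRANT SELECT ON scott.emp TO usera01;

-- 2. Full redaction of SCOTT.EMP.SAL for every session ('1=1' is always TRUE)
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema      => 'SCOTT',
    object_name        => 'EMP',
    policy_name        => 'EMP_SAL_FULL',
    policy_description => 'Hide salaries from everyone without EXEMPT REDACTION POLICY',
    column_name        => 'SAL',
    column_description => 'Monthly salary',
    function_type      => DBMS_REDACT.FULL,
    expression         => '1=1',
    enable             => TRUE);
END;
/

-- 3. What was created: one policy per table, one row per redacted column
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;

SELECT object_owner, object_name, column_name, function_type
FROM   redaction_columns;

-- 4. Check as the application user: SAL is returned as 0 on every row
CONNECT usera01/"ChangeMe_1"
SELECT empno, ename, sal FROM scott.emp;

-- Redaction masks the result set only. The column keeps its real value in
-- predicates, so an ad-hoc user can still filter on it (an inference caveat,
-- not a bug): this lists the employees earning more than 3000 by name.
SELECT ename FROM scott.emp WHERE sal > 3000;

-- 5. Disable the policy if you want to keep it for later, or drop it (as DBA)
CONNECT / AS SYSDBA
BEGIN
  DBMS_REDACT.DISABLE_POLICY(
    object_schema => 'SCOTT', object_name => 'EMP', policy_name => 'EMP_SAL_FULL');
  DBMS_REDACT.DROP_POLICY(
    object_schema => 'SCOTT', object_name => 'EMP', policy_name => 'EMP_SAL_FULL');
END;
/
```

Run it as a DBA (SYS or SYSTEM) so that the CREATE USER and DBMS_REDACT calls succeed; the last step drops the policy again so the script can be re-run.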
I hope this small example is a good start for Data Redaction. I will explain the subject with more examples in the next notes.
You can find all these scripts on GitHub.
And one more thing: if you want much more information about Data Redaction, you can read my book. It is written in Turkish, but the examples will be very useful.
The Data Redaction option is part of Oracle Advanced Security. Oracle Advanced Security (OAS) can be used from Oracle 220.127.116.11 onwards and is a separately licensed option. You do not need any special installation to use it: the OAS options are driven by packages that ship with the database (for Data Redaction, the DBMS_REDACT package). In this note and the following ones I will show how to use the Data Redaction option of OAS. First let me explain what Data Redaction is and where you can use it.
Data Redaction masks sensitive data according to security policies. The masking happens inside the database, when the result set is produced, so the real values never leave the database and cannot be seen on the network either. The important point is that you do not need to change your applications: data is masked only for the sessions selected by the policy, while the application's own sessions see the data as usual. The typical use is to hide the data when someone connects with an ad-hoc query tool (such as SQL*Plus or TOAD). One caveat: redaction changes only what is displayed in the result set, not how the column behaves in a WHERE clause, so a user with direct SQL access can still infer values by filtering on the redacted column. Oracle positions Data Redaction as protection against exposure through applications and casual queries, not against a determined user with direct database access.
With the Data Redaction option, one of the following methods is used to hide data.
Full Redaction: the table column is completely masked.
Numeric columns become 0 and character columns become a single space character.
Partial Redaction: only a fixed part of the column is redacted.
For example, a fixed range of character positions is masked with the '*' character.
Regular Expressions: used to mask a specific part of the data in character columns of varying length, by matching a pattern (for example an e-mail address) rather than fixed positions.
Random Redaction: depending on the type of the column, the data is replaced with random values of the same type.
No Redaction: the data is not changed. This type is used to test the effect of a redaction policy on database performance before a real redaction function is chosen.
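The four non-full redaction types above on one table, as an added example (not a script from the original note). The REDACT_DEMO schema, its CUSTOMERS table, the sample rows and the REPORTER user are all constructed for this demonstration; the passwords are placeholders. It relies on the fact that a table can carry only one redaction policy, so additional columns are attached with ALTER_POLICY.

```sql
-- Added example, not the original note's script. Run as a DBA in SQL*Plus.
-- Everything named here (users, table, rows) is constructed for the demo.
CREATE USER redact_demo IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO redact_demo;
CREATE USER reporter IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION TO reporter;

CREATE TABLE redact_demo.customers (
  cust_id NUMBER,
  card_no VARCHAR2(16),   -- fixed 16-digit PAN: partial redaction
  email   VARCHAR2(60),   -- variable length: regular-expression redaction
  balance NUMBER,         -- random redaction
  notes   VARCHAR2(100)); -- "no redaction" type, for performance testing
INSERT INTO redact_demo.customers VALUES (1, '4111111111111111', 'alice@example.com', 1250.5, 'VIP');
INSERT INTO redact_demo.customers VALUES (2, '5500000000000004', 'bob@example.org', 80, 'New');
COMMIT;
GRANT SELECT ON redact_demo.customers TO reporter;

-- A table can have only one redaction policy: the first column is added with
-- ADD_POLICY, the others with ALTER_POLICY/ADD_COLUMN. Each column carries its
-- own redaction function; the expression belongs to the policy as a whole.
BEGIN
  -- Partial: input format, output format, mask character, first and last
  -- position to mask. Positions 1-12 become '*', the last four digits stay.
  -- Values must match the 16-character input format (fixed-length data only).
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'REDACT_DEMO',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_PII',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => '1=1');

  -- Regular expression: Oracle's built-in e-mail pattern and replacement keep
  -- the domain and replace the local part ("xxxx@example.com").
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'REDACT_DEMO',
    object_name           => 'CUSTOMERS',
    policy_name           => 'CUSTOMERS_PII',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST,
    expression            => '1=1');

  -- Random: a different random NUMBER on every fetch, so totals are useless.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'REDACT_DEMO', object_name => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_PII', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'BALANCE', function_type => DBMS_REDACT.RANDOM,
    expression    => '1=1');

  -- None: the policy is evaluated but NOTES is returned unchanged. Measure the
  -- overhead, then switch the column to a real function with MODIFY_COLUMN.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'REDACT_DEMO', object_name => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_PII', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'NOTES', function_type => DBMS_REDACT.NONE,
    expression    => '1=1');
END;
/

-- Review the per-column functions, then look at the result as REPORTER
SELECT column_name, function_type, function_parameters, regexp_pattern
FROM   redaction_columns
WHERE  object_owner = 'REDACT_DEMO' AND object_name = 'CUSTOMERS';

CONNECT reporter/"ChangeMe_1"
SELECT cust_id, card_no, email, balance, notes FROM redact_demo.customers;
-- card_no shows ************1111, email shows xxxx@example.com,
-- balance is a random number and notes is unchanged.
```

Regular-expression redaction is the right choice for variable-length data such as e-mail addresses; partial redaction needs a fixed layout, which is why the card number column was declared with a fixed length.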
Now I gave a brief introduction on the Data Redaction. On the following notes ; we will work on all these redaction types with examples.
Although Oracle releases its quarterly Critical Patch Update on 17th October 2017, it announced a separate Security Alert patch for CVE-2017-9805 on 22nd September and strongly recommends applying it. If you do, apply it first to a test environment and then to production. It is hard to decide whether to wait three weeks for the quarterly Critical Patch Update or to apply a single patch now; the decision is up to the customer.
This patch is not related to the Oracle Database. It fixes CVE-2017-9805 in Apache Struts 2, an open-source Java web framework that is bundled with several Oracle products; the vulnerability is a remote code execution flaw in the Struts REST plugin, reachable without authentication. All affected products are:
· Oracle Financial Services Applications
· Oracle Fusion Middleware
· Oracle MySQL
In particular, Oracle WebLogic Server is affected by this vulnerability.
If you use these products, the advisory web page is Oracle Security Alert Advisory – CVE-2017-9805.
For detailed information and the full list of affected products and versions, see this page:
Oracle Security Alert Advisory – CVE-2017-9805 List of Affected Products and Versions
And if you decide to apply the patch to Oracle WebLogic Server, you can find the patches in this Metalink note:
Security Alert CVE-2017-9805 Patch Availability Document for WebLogic Server (Doc ID 2309128.1)
In this note I will show you how to mask data according to the role of the user by using Data Redaction. I will not explain Data Redaction in detail here; I assume you already know about it. In the future I will give detailed information about Oracle Advanced Security and Data Redaction.
In this note we use Data Redaction to mask data according to the roles enabled in the session. Virtual Private Database (with its column-masking option) can be used instead of Data Redaction; I will show that in another note.
I will explain this subject with an example. In the example there is a user that owns the data (rep_user), an application user (app_user, which can see all data) and inq_user (for which the data is masked). Only users holding a special role (redact_role) are exempt from the redaction policy.
Let's build up the environment and create the users.
First, create rep_user.
Create inq_user and redact_role.
We simply create a table with one column and mask this column with Data Redaction.
Insert some data into the table and grant SELECT on it to app_user and inq_user.
Now app_user and inq_user can both select from the table, as below.
Now create the Data Redaction policy to hide the data.
According to our policy, only users who have redact_role enabled in their session are exempt from it; everyone else is masked.
To do this, grant redact_role to app_user.
Now app_user sees the real data while other users (inq_user) see only the masked values.
Let's test it.
Masked numeric data is returned as 0 by Data Redaction (the default for full redaction).
As you see, we can mask data according to the user's role by testing the role with the SYS_CONTEXT function in the policy expression. Note that SYS_CONTEXT('SYS_SESSION_ROLES', ...) reports whether the role is enabled in the current session, not merely granted, so a user whose role is disabled (SET ROLE NONE, or a non-default role) is redacted as well. You can adapt this to your own needs.
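The role-based scenario above as one SQL*Plus script, added here as an example rather than the note's own GitHub script. It uses the note's names (rep_user, app_user, inq_user, redact_role); the table name SALARIES, its rows and the passwords are constructed for the demonstration. It also shows the edge case a practitioner should test: a granted but disabled role does not exempt the session.

```sql
-- Added example, not the original note's script. Run as a DBA in SQL*Plus.
-- Assumptions: table name, rows and passwords are placeholders for the demo.
CREATE USER rep_user IDENTIFIED BY "ChangeMe_1";
CREATE USER app_user IDENTIFIED BY "ChangeMe_1";
CREATE USER inq_user IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION TO app_user, inq_user;
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO rep_user;

-- Marker role: it carries no privileges, it only tags sessions allowed to
-- see the clear value.
CREATE ROLE redact_role;

-- Table holding the sensitive column
CREATE TABLE rep_user.salaries (emp_id NUMBER, salary NUMBER);
INSERT INTO rep_user.salaries VALUES (1, 5000);
INSERT INTO rep_user.salaries VALUES (2, 7500);
COMMIT;
GRANT SELECT ON rep_user.salaries TO app_user, inq_user;

-- Redact SALARY unless REDACT_ROLE is enabled in the querying session.
-- SYS_CONTEXT('SYS_SESSION_ROLES', r) returns the string 'TRUE' only while the
-- role is enabled, so the expression is TRUE (redact) for everyone else.
-- Note the doubled single quotes inside the PL/SQL string literal.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'REP_USER',
    object_name   => 'SALARIES',
    policy_name   => 'SALARIES_BY_ROLE',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''REDACT_ROLE'') = ''FALSE''');
END;
/

-- Only the application user is exempted
GRANT redact_role TO app_user;

-- Test 1: app_user has the role enabled by default and sees real salaries
CONNECT app_user/"ChangeMe_1"
SELECT SYS_CONTEXT('SYS_SESSION_ROLES', 'REDACT_ROLE') AS role_enabled FROM dual;
SELECT * FROM rep_user.salaries;

-- Test 2: inq_user has no role, so SALARY is returned as 0
CONNECT inq_user/"ChangeMe_1"
SELECT SYS_CONTEXT('SYS_SESSION_ROLES', 'REDACT_ROLE') AS role_enabled FROM dual;
SELECT * FROM rep_user.salaries;

-- Test 3: a granted but disabled role counts as absent. After SET ROLE NONE
-- even app_user is redacted, which is the least-privilege behaviour you want.
CONNECT app_user/"ChangeMe_1"
SET ROLE NONE;
SELECT SYS_CONTEXT('SYS_SESSION_ROLES', 'REDACT_ROLE') AS role_enabled FROM dual;
SELECT * FROM rep_user.salaries;
```

Because the decision is taken per query from the session's enabled roles, you can also exempt an application temporarily by enabling the role with SET ROLE in that session only, without changing any grants.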
You can find all the scripts on GitHub.