Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle delays the October CPU and 11g Release 2 is out"] [Next entry: "Backups are valuable"]

Blog birthday, speaking, training and Oracle Java security



Well it seems like quite a while since I last blogged here (I do keep saying that don't I!); I have been very busy with client work and also working on the new Oak Table Apress Oracle book. I completed my two chapters a few weeks ago and now the review has come back so its time to do the edits and send it off again (more evening work), we have also been progressing our Database Security audit tool, PFCLScan which is looking really nice now. We have had a lot of interest from customers and investors so far which is really promissing.

I have also agreed to speak at the new Leeds chapter of OWASP on October 14th. Thats Leeds in the north of England of course, if your around please come along, its a fairly new chapter and the first event for them. I don't have the link/agenda details yet but when I have them I will post them here. I also have two slots at the up-coming UKOUG 2009 conference in Birmingham. I will be giving a presentation, "The right way to secure Oracle" on the 30th November at the ICC in Birmingham and I am also hosting an Oracle security round table on the 1st December again at the ICC of course. I always like the UKOUG conference, its a great place, great people and always good to catch up with a lot of people. I will update the speaking dates on my site shortly with links - lack of time to do it. sad at the moment.

I am also going to be teaching my two day seminar, "How to perform a security audit of an Oracle database" in conjunction with Oracle University in November, on the 3rd and 4th in Prague. I am really looking forward to that as I have not been back to Prague since the late 90s when I was last working there. I am also going to be teaching the same class in Helsinki, Finland on the 23rd and 24th of November. We are also planning to host the same class ourselves on the 20th and 21st October in York, England after the successful event we ran earlier in the year. The price will be £895 + VAT, contact me on my email address (its on the home page and also on the training page - link above) to register, places are still available at the moment.

I will update my training page with all the links and dates shortly for these events.

It is also this blogs fifth birthday, wow, in the UK that means it needs to start school! This is the longest running blog decicated to Oracle security and in general i do still keep almost completely on topic.

Time has flow by so fast, I cannot believe it. I will admit the posts have slowed down somewhat since i started this blog but I am still going strong and intend to carry on blogging. In the last year I have managed around 60 posts whereas in the first year I did 560 posts. Its slowed down from the year before where I reported that i posted around 110 posts. Its simply a fact of life that i have become more successful in my business and extra activities such as writing books and articles and software products that blogging has taken a back seat. This I hope will change as I plan to actually start a second blog (actually fifth blog as I have others not connected to Oracle security) that is going to be just about PFCLScan our new Oracle security audit tool.

Finally I also wanted to also point out Paul Wrights post titled "JAVA_ADMIN to OSDBA" which follows in his quest to find ways to escalate to SYSDBA from a lower position. I like the article and the idea but there are a couple of issues. The first comment is that the JAVA_ADMIN role is very powerful; the output below shows this.




SQL> @java_admin

G_R PERM GRANTEE PERMNAME ACTION
--- ------------------------- ---------- ---------------------------------------- ----------
G PolicyTablePermission JAVA_ADMIN 0:java.awt.AWTPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.io.FilePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.io.SerializablePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.RuntimePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.management.ManagementPermiss null
G PolicyTablePermission JAVA_ADMIN 0:java.lang.reflect.ReflectPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.net.NetPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.net.SocketPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.security.AllPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.security.SecurityPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.sql.SQLPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.util.PropertyPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:java.util.logging.LoggingPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanServerPermission null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.MBeanTrustPermission# null
G PolicyTablePermission JAVA_ADMIN 0:javax.management.ManagementPermission# null
G PolicyTablePermission JAVA_ADMIN 0:javax.net.ssl.SSLPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:javax.security.auth.AuthPermission#* null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.rdbms.HandlePermission#* null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.rdbms.security.PolicyTab null
G PolicyTablePermission JAVA_ADMIN 0:oracle.aurora.security.JServerPermissi null

22 rows selected.

SQL>




This is a very powerful role BUT in the Java VM not in the database? - Paul says the same but I wanted to illustrate why. The list of Java privileges above shows that the JAVA_ADMIN role is the DBA of the Oracle Java world and this role should not be granted to anyone. These are privileges to grant privileges. This is an issue with Oracle that makes security harder to do; heirarchy. We have privileges on objects, privileges on objects that access the first objects, roles that encapsulate privileges and we also have database privileges that allow granting of other privileges. The GRANT ANY ROLE system privilege is a good example as it allows escalation to any role in the database for a user or role who has this privilege. This is what makes Oracle complex; because we must consider not just direct privileges but also privileges that grant privileges. Luckily no user except builtin users or roles have this JAVA_ADMIN role by default. Nice paper Paul!