Oracle and Backward Compatibility
At almost every Oracle Security Master Class I teach I find multiple students wondering why Oracle doesn't "just fix" some of the more obvious security flaws and other anomalies, and I explain that Oracle puts great value on backward compatibility: on not breaking existing customers. One example I use to illustrate that point is that DBA_TAB_PRIVS contains all object privileges ... not just those related to tables as the name implies. As to why there is a view named DBA_TAB_COLS and another named DBA_TAB_COLUMNS ... perhaps that one needs to be addressed by Mr. Ellison.
Tonight while updating the Morgan's Library website I found what must be the most poignant example possible of the value Oracle places on backward compatibility.
I couldn't make this up so the following is copied (I added the highlight) from $ORACLE_HOME/rdbms/admin/dbmsssql.sql from version 19c.
-- Named Datatype CONSTANTS
Varchar2_Type constant pls_integer := 1;
Number_Type constant pls_integer := 2;
Long_Type constant pls_integer := 8;
Rowid_Type constant pls_integer := 11;
Date_Type constant pls_integer := 12;
Raw_Type constant pls_integer := 23;
Long_Raw_Type constant pls_integer := 24;
Char_Type constant pls_integer := 96;
Binary_Float_Type constant pls_integer := 100;
Binary_Double_Type constant pls_integer := 101;
MLSLabel_Type constant pls_integer := 106;
User_Defined_Type constant pls_integer := 109;
Ref_Type constant pls_integer := 111;
Clob_Type constant pls_integer := 112;
Blob_Type constant pls_integer := 113;
Bfile_Type constant pls_integer := 114;
Timestamp_Type constant pls_integer := 180;
Timestamp_With_TZ_Type constant pls_integer := 181;
Interval_Year_to_Month_Type constant pls_integer := 182;
Interval_Day_To_Second_Type constant pls_integer := 183;
Urowid_Type constant pls_integer := 208;
Timestamp_With_Local_TZ_type constant pls_integer := 231;
-- #(10144724): The typo Binary_Bouble_Type is purposefully retained for
-- backward compatibility.
Binary_Bouble_Type constant pls_integer := 101;
It can't get clearer than this. If you want backward compatibility Oracle provides it.
If you want security Oracle provides the database that can be made more secure than any other but not by default with the GUI installation tools like OUI, NETCA, and DBCA.
If you want to leverage all of the built-in security abilities of the product you must override the defaults yourself.
An example of one of those default configurations you will want to override to secure your database, one that is as clear as the code above:
SQL> SELECT grantee FROM dba_tab_privs WHERE table_name = 'ALL_SOURCE';
Can anyone explain why a user, with no privilege other than CREATE SESSION, needs to be able to read source code?
We can't, so we are working on a product we will be offering later this year that will address this and hundreds of other configuration issues.
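As an added example (not the post's own code, nor DBSecWorx's product), this is the check-then-override sequence a DBA would run for the ALL_SOURCE default above; the role and account names are hypothetical, and the REVOKE should be tested outside production first because client tools query ALL_SOURCE.

```sql
-- Step 1: confirm the default grant the post describes (run as SYS or a DBA).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'ALL_SOURCE';

-- Step 2: inventory every SYS-owned ALL_% view that PUBLIC can select from,
-- so each override is a deliberate decision rather than a blanket revoke.
SELECT table_name
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    owner     = 'SYS'
AND    privilege = 'SELECT'
AND    table_name LIKE 'ALL\_%' ESCAPE '\'
ORDER BY table_name;

-- Step 3: give the accounts that legitimately read source (developers,
-- deployment tooling) the privilege through a role, then take it from PUBLIC.
CREATE ROLE dbsec_source_reader;                   -- hypothetical role name
GRANT SELECT ON sys.all_source TO dbsec_source_reader;
GRANT dbsec_source_reader TO dev_user;             -- hypothetical account
REVOKE SELECT ON sys.all_source FROM PUBLIC;

-- Step 4: re-run step 1; PUBLIC should no longer be listed, and a
-- CREATE SESSION-only account should now get ORA-00942 on ALL_SOURCE.
```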
Oracle Security Alert CVE-2019-2729
Oracle strongly recommends that customers follow the recommended actions noted in the Security Alert.
The Security Alert Advisory is the starting point for relevant information. It includes a summary of the security vulnerability, and a pointer to obtain the latest patches.
Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Advisory is available at the following location:
Oracle Critical Patch Updates and Security Alerts:
Oracle Security Alert for CVE-2019-2729:
Customer Support of Oracle Corporation
We feel no need for comment.
Daniel Morgan from DBSecWorx has been selected to present his "Oracle Security for DBAs and Developers" for ODTUG on Tuesday, July 23, 2019 at 12:00 - 13:00 EDT.
We are experiencing an interesting side effect from going through all of the pages at Morgan's Library and making decisions about which ones have security implications and how to rewrite them from a security point-of-view. We have known GLOGIN.SQL was a threat since reading what Pete Finnigan wrote about it back in 2002-2003. But we had not realized Oracle has done nothing to address it.
We are currently working on a tool that we believe will put an end to this threat and hope to release it to Pete and others for Beta testing before month's end.
If it passes its Beta we will announce it here in the Blog, on our home page, and it will become the first resident of our Products page.
If the concept fails we will announce that here and provide background on what we were trying to accomplish and how.
Why are we posting this report of another breach that could have been easily prevented? Because we want to remind everyone out there that thinks doing what everyone else is doing will protect their organization and their data.
We want to issue a challenge to all of the companies that sell firewalls. Publish the names of all organizations where a breach has exceeded 1 million PII, PHI, or PCI records.
Stop telling IT shops "what your product can do" unless you are willing to acknowledge the number of times your product has failed to do so.
Cisco, Palo Alto, Fortinet, Check Point, Symantec, Huawei, Blue Coat, Juniper, Intel, McAfee, publish your failure rate so IT organizations can truly evaluate your offerings.
Our bet: AMCA has a firewall from one of them, as did OPM, Equifax, Sony, etc. etc. etc.
IT shops: There is little value in buying a million dollar lock for the front door when the back door is wide open.
If the following surprises you ... chances are you have an account on Twitter. :-)
Twitter use decreases students' test scores by 25% to 40% of a standard deviation from the average result.
When I was teaching at the University of Washington, I learned very quickly that my students' learning improved if I banned mobile phones and laptops from the classroom during lectures.
Personally, I shut down both my Facebook and Twitter accounts long ago ... don't regret it for an instant. The phrase, if you are trying to remember it, is "Opiate of the Masses."
And, an associated book recommendation, for those that value earnest and intelligent discourse over manufactured angst.
Another day. Another major breach. Another event where millions of Americans are affected. Guess which generated the greatest amount of news: The breach of 885 million documents or the winner of the Iron Throne?
On the other hand, according to Bloomberg News, First American Financial Corp., one of the largest US title insurance companies, is being sued by a client because "lax security measures put him at risk of identity theft, along with millions of others whose personal information could be easily accessed through its website." And, again according to Bloomberg, stockholders likely have good reason to be a bit concerned because "First American Financial Corp. tumbled the most in nearly eight years amid concerns that a security flaw in the title insurer may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003."
First American has more than 112 million outstanding shares. Assuming each share lost $3.00 the total cost of the breach, measured in shareholder equity, is $336,000,000. Does anyone believe the data could not have been protected for 2-3% of that amount?
What the Board of Directors should do, but they won't, is fire most if not every member of the corporation's C Level with cause. As this moves forward expect mortgage rates to increase as they "pass the cost of doing business" to their customers.
The customers didn't get upset about the loss of 885 million documents. The customers won't get upset about paying increased costs. But what's more important? A data breach or who's going to die in the next episode of some brain-dead TV show?
Last week, May 23 and 24, we attended the 2019 Central Ohio InfoSec Summit in Columbus, which was an incredibly rich and thought-provoking environment at which we met old friends, made new friends, learned, laughed, and came to a somewhat surprising realization.
That realization being that everyone talks about "Defense-in-Depth" but all of the focus from both speakers and vendors is on the perimeter.
There wasn't a single presentation or vendor that was targeting data and databases with the exception of a few trying to detect bad actions with behavior analytics.
There is nothing wrong with utilizing behavior analytics just as there is nothing wrong with firewalls. They are all essential parts of a Defense-in-Depth strategy.
What they miss, unfortunately, is that they don't have the expertise required to know that a call to DBMS_UTILITY.VALIDATE is a safe activity while a call to DBMS_UTILITY.INVALIDATE could be incredibly destructive.
Do the behavior analytics know what they are looking at if a call is made to DBMS_UTILITY.EXEC_DDL_STATEMENT? We leave you to consider that there is only one right answer to this question.
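As an added example (not from the post), this is how the database itself can record the distinction the text draws, using Unified Auditing (12c and later) on DBMS_UTILITY; the policy name is hypothetical, and the severity labels are ours, not Oracle's.

```sql
-- Audit every execution of the package; DBMS_UTILITY is granted to PUBLIC,
-- so expect volume and review the policy scope before enabling in production.
CREATE AUDIT POLICY dbsec_dbms_utility_pol
  ACTIONS EXECUTE ON sys.dbms_utility;
AUDIT POLICY dbsec_dbms_utility_pol;

-- Report that separates the benign VALIDATE calls from INVALIDATE and
-- EXEC_DDL_STATEMENT, the judgement generic behavior analytics cannot make.
SELECT event_timestamp,
       dbusername,
       CASE
         WHEN REGEXP_LIKE(sql_text, 'DBMS_UTILITY\.INVALIDATE', 'i')         THEN 'HIGH'
         WHEN REGEXP_LIKE(sql_text, 'DBMS_UTILITY\.EXEC_DDL_STATEMENT', 'i') THEN 'HIGH'
         WHEN REGEXP_LIKE(sql_text, 'DBMS_UTILITY\.VALIDATE', 'i')           THEN 'LOW'
         ELSE 'REVIEW'
       END AS severity,
       sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%DBSEC_DBMS_UTILITY_POL%'
AND    object_schema = 'SYS'
AND    object_name   = 'DBMS_UTILITY'
ORDER BY event_timestamp DESC;

-- Caveat: when the call is made from inside another stored program, SQL_TEXT
-- holds the caller's statement, not the subprogram name; those rows land in
-- REVIEW and need the calling unit's source examined.
```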