Practical Oracle Database Security Posture Improvement with guidance from Trustwave’s SpiderLabs! Part 1.
Trustwave Skillz Middle East Dr. Dieter Hovorka Stefan Magnusson SpiderLab Agnieszka Borkowska Paulina Skrzypińska
This is a part one of two in a series.
According to a recent study by Forrester, nearly 75% of surveyed organizations were victims of a data breach in the prior 12 months. (Wrozek, Brian, Allie Mellen, et al., “Top Cybersecurity Threats In 2023,” Forrester, April 16, 2023)
Recently I was tasked with analyzing and improving the security of an Oracle 12.1.0.2 database running on the Solaris operating system for a customer.
Some top security risks for databases are:
Trustwave’s AppDetectivePRO is a handy solution to scan the instance for known vulnerabilities and misconfigurations across a multitude of databases, wherever you run them.
It allows for 53 different security scan profiles depending on industry and regulatory framework. If you don’t have the database credentials, you can attempt a “pen test” profile to scan for obvious exploits.
These scans execute “remotely” and do not add any measurable load on the database itself, hence they are safe even for production environments.
In this engagement I selected the “Database Best Practice Audit” profile as I did not need to meet an industry specific regulation.
For example, there are 23 Oracle-specific security guidance documents published at https://public.cyber.mil/stigs/ for the US Government.
The resulting report was appalling:
High Risk vulnerabilities found!
As a first remediation step we usually propose applying the critical security patch updates released by the vendor, in this case Oracle, to establish a baseline.
Database 12.1.0.2 Proactive Patch Information (Doc ID 2285558.1) identifies Patch 34386266 as the most recent for this operating system.
As this is an older Oracle database, the first obstacle is that OPatch, the Oracle patch updating tool, requires Java 1.8, while 12.1.0.2 ships with 1.6, which prevents patches from being applied. One elegant workaround is to use the Java shipped with OPatch itself, by running:
[oracle@mullet]:~/34086863> opatch apply -jre $ORACLE_HOME/OPatch/jre
After applying the latest Patch Set Update, I reran the scan to verify that the vulnerabilities had been addressed.
To my shock and horror, the 46 High Risk Vulnerabilities all still remained!
(Despite following the Oracle patch guidance to the letter.)
The Java Challenge!
Nearly every major database vendor has added Java support to their RDBMS product.
Again we reference the Database 12.1.0.2 Proactive Patch Information document. To completely establish the correction baseline, the corresponding Database OJVM patch 34086863 must also be installed.
After downloading and unpacking the 34086863 OJVM patch, proceed with installation:
~/34086863> opatch apply -jre $ORACLE_HOME/OPatch/jre
...
Applying interim patch '34086863' to OH '/u01/app/oracle12/product/12.1.0/db_1'
Patch 34086863 successfully applied.
...
34086863 (Database PSU 12.1.0.2.220719,Oracle JavaVM Component (JUL2022))
Now the scan correctly assessed the remaining security issues:
Patching addresses many vulnerabilities.
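The lesson above is that the PSU alone does not complete the baseline; both patch IDs from the Proactive Patch note have to be present in the inventory. The following POSIX shell script is an added example (not from the original post or from Oracle's tooling): it picks the OPatch-bundled JRE when it exists and checks a saved `opatch lsinventory` listing for the two required patches. The sample inventory text is constructed for illustration, not real OPatch output.

```sh
#!/bin/sh
# Added example: verify the 12.1.0.2 patch baseline described in the post.
# Assumptions: the inventory text is "opatch lsinventory" output saved to a
# file; the patch IDs are the PSU and OJVM patches quoted from the note.

# Patches that together form the baseline (PSU + OJVM).
REQUIRED_PATCHES="34386266 34086863"

# Print the -jre option OPatch needs on a home whose own JDK is too old.
# Prefers the JRE bundled with OPatch, as the post's workaround does;
# prints nothing when that JRE is absent.
opatch_jre_flag() {
    home="$1"
    if [ -x "$home/OPatch/jre/bin/java" ]; then
        printf -- '-jre %s/OPatch/jre\n' "$home"
    else
        printf '\n'
    fi
}

# Print the required patch IDs that do not appear in the inventory file.
# Matches whole numbers only, so a longer ID cannot mask a missing one.
# Exit status 0 when nothing is missing, 1 otherwise.
missing_patches() {
    inventory="$1"; shift
    missing=""
    for p in "$@"; do
        if ! grep -Eq "(^|[^0-9])$p([^0-9]|$)" "$inventory"; then
            missing="$missing $p"
        fi
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample inventory: the state after applying only the PSU,
# which is exactly the situation that left the 46 findings open.
psu_only_inventory() {
    cat <<'EOF'
Interim patches (1) :
Patch  34386266     : applied on Tue Aug 01 10:00:00 UTC 2023
   Patch description:  "Database Patch Set Update : 12.1.0.2.220719 (34386266)"
EOF
}
```

Typical use: `opatch lsinventory > inv.txt; missing_patches inv.txt $REQUIRED_PATCHES` after patching, before rerunning the scan.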
In the next post in this series, we will look at these remaining High-risk issues to reach a clean bill of health.
See part two for the exciting continuation: can we fully eliminate all threats?
Let us do the same with your databases!
While our expertise and partnership originate with Oracle, through our network we can also support SAP HANA and MSSQL along with the 30 other databases supported by Trustwave’s AppDetectivePRO.
Please connect and let's talk about it!