Security Blogs

Happy 18th Birthday Limited

Pete Finnigan - Wed, 2021-02-17 02:06
It has been an eventful year last year and 2021 started a bit strange due to lockdown. Last Friday our company Limited came of age; it was 18 years old. Wow, it has been a long and interesting journey....[Read More]

Posted by Pete On 16/02/21 At 02:43 PM

Categories: Security Blogs

Upcoming Webinar: Oracle Database 21c New Security Features

Thursday, January 28, 2021 - 2:00 pm to 3:00 pm EST

Oracle Database 21c has been released and is the latest innovation release of the Oracle Database.  A number of new security features are included with this release and should be adopted when creating new databases or upgrading existing databases. This educational webinar will review the new security features and changes in security for this database release. Key new security features are blockchain table, gradual database password rollover, mandatory case sensitive passwords, and Unified Auditing enhancements.

>>> Register for this webinar <<< 

Oracle Database
Categories: APPS Blogs, Security Blogs

Upcoming Webinar: Oracle E-Business Suite Security for Auditors

Oracle E-Business Suite Security for Auditors

Thursday, December 17, 2020 - 2:00 pm to 3:00 pm EST

Auditors are trained to understand the financial aspects and the end user functionality of Oracle E-Business Suite. However, most auditors have not been trained in the security features and technical aspects of Oracle E-Business Suite. This education webinar will dive into the key security features within Oracle E-Business Suite. Key configuration settings, protecting sensitive data, concerns and risks with user privileges, and compliance issues related to SOX will be discussed and how to audit these areas.

>>> Register for this webinar <<< 

Sarbanes-Oxley (SOX), Oracle E-Business Suite, Auditor
Categories: APPS Blogs, Security Blogs

TCPS Connection With an Oracle Instant Client

Pete Finnigan - Fri, 2020-11-27 09:46
All of our products ( PFCLScan , PFCLCode , PFCLObfuscate and can use an Oracle instant client to connect to the target database(s) or even a full client. It is of course simpler to use an instant client if....[Read More]

Posted by Pete On 27/11/20 At 03:56 PM

Categories: Security Blogs

PL/SQL, AST, DIANA, Attributes and IDL

Pete Finnigan - Tue, 2020-04-07 01:06
I have been wanting to write a detailed post about this subject for a very long time and indeed I have had some notes and screen dumps for some of this for more than 15 years for some parts of....[Read More]

Posted by Pete On 06/04/20 At 08:57 PM

Categories: Security Blogs

PL/SQL Machine Code Trace - event 10928

Pete Finnigan - Thu, 2020-04-02 11:06
I have had an interest in PL/SQL for more around 25 years. I have always liked this great language as its powerful and simple and a great tool for writing code in the database. I wrote my very first PL/SQL....[Read More]

Posted by Pete On 02/04/20 At 01:33 PM

Categories: Security Blogs

Be Careful of What You Include In SQL*Net Security Banners

Pete Finnigan - Wed, 2020-04-01 16:46
A short post today to add a little to the post I made the other day. In that post Add A SQL*Net Security Banner And Audit Notice I talked about using the sqlnet.ora parameters SEC_USER_AUDIT_ACTION_BANNER and SEC_USER_UNAUTHORIZED_ACCESS_BANNER to add security....[Read More]

Posted by Pete On 01/04/20 At 11:50 AM

Categories: Security Blogs

Oracles Free TNS Firewall - VALIDNODE_CHECKING

Pete Finnigan - Tue, 2020-03-31 22:26
I said in a post a couple of days ago that my overall plan to secure an Oracle database; actually my plan is to secure the data in an Oracle database not blindly just secure Oracle. We must focus on....[Read More]

Posted by Pete On 31/03/20 At 12:26 PM

Categories: Security Blogs

Add A SQL*Net Security Banner And Audit Notice

Pete Finnigan - Mon, 2020-03-30 09:46
I would have to say whilst I see security banners on customers Unix boxes when I am allowed to log in as part of a security audit I canot ever remember seeing a security banner when I log into a....[Read More]

Posted by Pete On 30/03/20 At 02:02 PM

Categories: Security Blogs

ORA-28050 - Can I drop the SYSTEM User?

Pete Finnigan - Sat, 2020-03-28 02:46
Two things most annoy me with the Oracle database in terms of securing it and this is the abundance of default users in most Oracle databases that I perform security audits on and also the massive amount of PUBLIC grants....[Read More]

Posted by Pete On 27/03/20 At 06:11 PM

Categories: Security Blogs

Setting Users Impossible Passwords BY VALUES and Schema Only Accounts

Pete Finnigan - Thu, 2020-03-26 14:06
I plan to try and write some Oracle security based blog posts whilst working from home. These promises when I have made them in the past usually end up not coming true due to other work and things getting more....[Read More]

Posted by Pete On 26/03/20 At 02:38 PM

Categories: Security Blogs

CoronaVirus - We are Still Open

Pete Finnigan - Wed, 2020-03-25 19:46
Everyone must now be affected in some way about coronavirus. We had an inkling that Boris Johnson and his government would enact a more severe lock down in the UK. So in anticipation I decided on Monday that we needed....[Read More]

Posted by Pete On 25/03/20 At 01:27 PM

Categories: Security Blogs

XS$NULL - Can we login to it and does it really have no privileges?

Pete Finnigan - Tue, 2020-02-18 15:11
I have read on line about XS$NULL over the years and particularly the documentation that states that it has no privileges. The documentation states the following: An internal account that represents the absence of a user in a session. Because....[Read More]

Posted by Pete On 17/02/20 At 01:09 PM

Categories: Security Blogs

Bug Bounty

Pete Finnigan - Tue, 2020-02-11 18:04
There has been a rise on bug bounty programs and websites that help researchers find and disclose bugs to website and other owners with the hope of a payout from the owner of the vulnerable wesbsites. Some big well known....[Read More]

Posted by Pete On 11/02/20 At 10:09 AM

Categories: Security Blogs

PL/SQL That is not DEFINER or INVOKER rights - BUG?

Pete Finnigan - Sat, 2020-02-01 12:01
Note: Part 2 - PL/SQL Package with no DEFINER or INVOKER rights - Part 2 is available that takes this investigation further I always understood that PL/SQL objects in the database that are not explicitly changed to INVOKER rights....[Read More]

Posted by Pete On 24/01/20 At 03:19 PM

Categories: Security Blogs

PL/SQL Package with no DEFINER or INVOKER rights - Part 2

Pete Finnigan - Sat, 2020-02-01 12:01
I posted about a discovery I made whilst testing for an issue in our PL/SQL code analyser checks in PFCLScan last week as I discovered that the AUTHID column in DBA_PROCEDURES or ALL_PROCEDURES or USER_PROCEDURES can be NULL; this caused....[Read More]

Posted by Pete On 28/01/20 At 03:11 PM

Categories: Security Blogs

Upcoming Webinar: Is Your Sensitive Data Playing Hide and Seek with You?

Is Your Sensitive Data Playing Hide and Seek with You?

Thursday, December 12, 2019 - 2:00 pm EST

Your Oracle databases and ERP applications may contain sensitive personal data like Social Security numbers, credit card numbers, addresses, date of births, and salary information. Understanding in what tables and columns sensitive data resides is critical in protecting the data and ensure compliance with regulations like GDPR, PCI, and the new California Consumer Privacy Act (CCPA). However, sensitive data is like a weed and can spread quickly if not properly managed. The challenge is how to effectively and continuously find sensitive data, especially in extremely large databases and data warehouses.  This educational webinar will discuss methodologies and tools to find sensitive such as by searching column names, crawling the database table by table, and performing data qualification to eliminate false positives.  Other locations where sensitive data might reside such as trace files, dynamic views (e.g., V$SQL_BIND_DATA), and materialized views will be reviewed.

>>> Register for this webinar <<<

Oracle Database, Webinar
Categories: APPS Blogs, Security Blogs

Installing Oracle 19c on Linux

Pete Finnigan - Sat, 2019-12-07 20:53
I needed to create a new 19c install yesterday for a test of some customer software and whilst I love Oracle products I have to say that installing the software and database has never been issue free and simple over....[Read More]

Posted by Pete On 06/12/19 At 04:27 PM

Categories: Security Blogs

CVE-2019-2638, CVE-2019-2633, Oracle Payday Vulnerabilities - AppDefend Protection

Two Oracle E-Business Suite security vulnerabilities (CVE-2019-2638, CVE-2019-2633) fixed in April 2019 Oracle Critical Patch Update (CPU) have been recently publicized. These vulnerabilities allow an attacker to execute arbitrary SQL statements in the Oracle E-Business Suite data that can result in complete compromise of the environment including fraudulent transactions, changing of bank accounts, and circumvention of application security controls. Integrigy’s AppDefend, the application firewall for Oracle E-Business Suite, is the only solution that provides virtual patching for and proactive defense against these vulnerabilities.

These two vulnerabilities are in the Oracle E-Business Suite (EBS) TCF Server, which provides services to the professional Forms interface for a limited set of Forms. TCF Server is implemented and enabled in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. It can not be disabled without a customization to Oracle EBS.

TCF Server is a servlet running as part of the standard Oracle EBS web application server and communicates using HTTP or HTTPS between the Forms Java client and the web application server. For R12, the servlet is available at the URL /OA_HTML/AppsTCFServer. It uses a proprietary application-level protocol to communicate between the Forms client and server.

The risk is that unlike most Oracle EBS SQL injection vulnerabilities that only allow for fragments of SQL statements to be appended to standard Oracle EBS SQL statements being executed, these security bugs allow execution of complete SQL statements as the Oracle EBS APPS database account. When evaluating the risk of these vulnerabilities in your environment, it is important to differentiate between external access to the Oracle EBS environment through the Internet when modules like iSupplier, iStore, and iRecruitment are being used and internal access from only your internal network. The risk from external access is critical and should be immediately addressed. The internal risk is still high and dependent on the security posture of your internal network. It is important to realize that non-Oracle EBS aware web application firewalls, database security tools, and other network security products will not provide any protection from successful exploitation of these vulnerabilities.

Integrigy AppDefend is the only solution that provides virtual patching for and proactive defense against these TCF Server vulnerabilities as well other Oracle EBS security vulnerabilities. Integrigy recognized the potential issues with TCF Server and even the first release of AppDefend for R12 in 2007 blocked external access to the TCF Server by default.

AppDefend provides multiple layers of protection against TCF Server vulnerabilities as follows -

  1. Blocks all access to TCF Server externally (since 2007).
  2. Enforces Oracle EBS access control for TCF Server allowing only authorized EBS users to access to the TCF Server (since 2018).
  3. Whitelists the functions accessible through TCF Server (since 2018).
  4. Blocks specific vulnerabilities in TCF Server (2018, 2019).
  5. Advanced SQL injection protection optimized specifically for Oracle EBS will detect and block most of the SQL statements used in TCF Server and other 0-day attacks. (since 2007).

If you do not have AppDefend, applying the latest Oracle Critical Patch Update for Oracle EBS will remediate these specific vulnerabilities and for external sites it is critical that the Oracle EBS URL Firewall is implemented as documented in Appendix E of My Oracle Support Note ID 380490.1. However, these solutions will not protect you prior to applying the security patches or against future TCF Server vulnerabilities and other Oracle EBS 0-day attacks.

Please let us know if you have any questions regarding the latest Oracle EBS security vulnerabilities at

SQL Injection, Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Security Training Manuals for Sale

Pete Finnigan - Wed, 2019-11-20 20:50
We have one set of Manuals for the recent training we held here in York and one from 2018. These can be bought as individual books as follows: This manual is from the York class in October 2019 and can....[Read More]

Posted by Pete On 19/11/19 At 03:05 PM

Categories: Security Blogs


Subscribe to Oracle FAQ aggregator - Security Blogs