David,

Your paper from last November listed three bypass methods (i.e. RETURNING INTO, XMLQuery, and iterative inference) along with the escalation vulnerability, which makes a total of four problems. Is the iterative inference method the one which is still remaining?

I looked at the README <https://updates.oracle.com/Orion/Services/download?type=readme&aru=17639413> for patch 18522516 (DB PSU 12.1.0.1.4) and couldn't find direct references to security bugs or anything involving "redaction" or "xmlquery", but I did find some generically named fixed bugs (highlighted in red typeface below) whose description I can't seem to reference within MOS...

_Oracle Security_
14595800 - CONTEXT INDEX ON FGA POLICY ENABLE TABLE WITH XMLTYPE COLUMN FAILS
15953721 - TT12.1SQLFUZZ2: FAILED LOGIN ATTEMPT FOR PROXY USER INCREASED WHEN ORA-1948 RAIS
16969016 - LNX_MAIN: ORA-600 [KZDUSERPRIVILEGEUPDATE-1]
16703112 - Fix for bug 16703112
17006570 - Fix for bug 17006570
17786278 - Fix for bug 17786278
18061914 - Fix for bug 18061914
18096714 - Fix for bug 18096714
18554871 - Fix for bug 18554871
19049453 - Fix for bug 19049453

_XML Utilities_
17158214 - ORA-4031 FATAL OUT-OF-MEMORY CRASH ON NT EXECUTING LPXXSLINITIALIZECTX API
15905421 - Fix for bug 15905421

Just curious how you were informed that three of the four bugs had been addressed, and which of the four is still remaining?

Thanks so much!

-Tim

On 7/16/14, 6:45, david@xxxxxxxxxxxxxxxxxxxx wrote:
Hey all,

As part of yesterday’s Critical Patch Update, Oracle fixed 3 security flaws in data redaction services – one a privilege escalation vulnerability and two redaction bypass methods. I reported these issues to Oracle in November last year and have documented them here:

http://www.davidlitchfield.com/Oracle_Data_Redaction_is_Broken.pdf

Cheers,
David