Hey Tim,

Oracle aren’t going to (or rather can’t) fix the iterative inference problem. As to the how I know the other three issues were fixed is because Oracle told me. This was their email:

“Report of Critical Patch Update Fixes for Datacom TSS

eMail Addresses: Datacom TSS (No PGP Key) <david@xxxxxxxxxxxxxxxxxxx>, David Litchfield (No PGP Key) <david@xxxxxxxxxxxxxxxxxxx>

The following issues reported by you are fixed in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on July 15, 2014. We ask that any information that you plan to publish regarding these issues be released after this date and time.

This Critical Patch Update will contain fixes for the following issues:

Reporter: David Litchfield

S0447620 XMLQUERY FUNCTION REDACT FEATURE BYPASS
S0405238 DBMS_REDACT REDACTED DATA READ VIA UPDATE... RETURNING
S0404919 DBMS_REDACT CAN CREATE REDACTION POLICIES ON ANY TABLE IN ANY SCHEMA EXCEPT SYS”

HTH!
David

From: Tim Gorman
Sent: Wednesday, July 16, 2014 3:47 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Oracle Data Redaction is Broken

David,

Your paper from last November listed three bypass methods (i.e. RETURNING INTO, XMLQuery, and iterative inference) along with the escalation vulnerability, which makes a total of four problems. Is the iterative inference method the one which is still remaining?

I looked at the README for patch 18522516 (DB PSU 12.1.0.1.4) and couldn't find direct references to security bugs or anything involving "redaction" or "xmlquery", but I did find some generically named fixed bugs (highlighted in red typeface below) whose description I can't seem to reference within MOS...

Oracle Security

14595800 - CONTEXT INDEX ON FGA POLICY ENABLE TABLE WITH XMLTYPE COLUMN FAILS
15953721 - TT12.1SQLFUZZ2: FAILED LOGIN ATTEMPT FOR PROXY USER INCREASED WHEN ORA-1948 RAIS
16969016 - LNX_MAIN: ORA-600 [KZDUSERPRIVILEGEUPDATE-1]
16703112 - Fix for bug 16703112
17006570 - Fix for bug 17006570
17786278 - Fix for bug 17786278
18061914 - Fix for bug 18061914
18096714 - Fix for bug 18096714
18554871 - Fix for bug 18554871
19049453 - Fix for bug 19049453

XML Utilities

17158214 - ORA-4031 FATAL OUT-OF-MEMORY CRASH ON NT EXECUTING LPXXSLINITIALIZECTX API
15905421 - Fix for bug 15905421

Just curious how you were informed that three of the four bugs had been addressed, and which of the four is still remaining?

Thanks so much!

-Tim

On 7/16/14, 6:45, david@xxxxxxxxxxxxxxxxxxxx wrote:

Hey all,

As part of yesterday’s Critical Patch Update, Oracle fixed 3 security flaws in data redaction services – one a privilege escalation vulnerability and two redaction bypass methods. I reported these issues to Oracle in November last year and have documented them here:

http://www.davidlitchfield.com/Oracle_Data_Redaction_is_Broken.pdf

Cheers,
David