Re: Oracle Data Redaction is Broken

  • From: <david@xxxxxxxxxxxxxxxxxxxx>
  • To: <tim@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2014 16:19:00 +0100

Hey Tim,
Oracle aren’t going to (or rather can’t) fix the iterative inference problem. 
As to how I know the other three issues were fixed: Oracle told me. This was 
their email:

“Report of Critical Patch Update Fixes for Datacom TSS
eMail Addresses:

Datacom TSS (No PGP Key) <david@xxxxxxxxxxxxxxxxxxx>,
David Litchfield (No PGP Key) <david@xxxxxxxxxxxxxxxxxxx>


The following issues reported by you are fixed in the upcoming Critical
Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on July
15, 2014. We ask that any information that you plan to publish
regarding these issues be released after this date and time.

This Critical Patch Update will contain fixes for the following issues:

Reporter: David Litchfield

S0447620  XMLQUERY FUNCTION REDACT FEATURE BYPASS

S0405238  DBMS_REDACT REDACTED DATA READ VIA UPDATE... RETURNING

S0404919  DBMS_REDACT CAN CREATE REDACTION POLICIES ON ANY TABLE IN ANY SCHEMA EXCEPT SYS
“
HTH!
David


From: Tim Gorman 
Sent: Wednesday, July 16, 2014 3:47 PM
To: oracle-l@xxxxxxxxxxxxx 
Subject: Re: Oracle Data Redaction is Broken

David,

Your paper from last November listed three bypass methods (i.e. RETURNING INTO, 
XMLQuery, and iterative inference) along with the escalation vulnerability, 
which makes a total of four problems.  Is the iterative inference method the 
one which is still remaining?

I looked at the README for patch 18522516 (DB PSU 12.1.0.1.4) and couldn't find 
direct references to security bugs or anything involving "redaction" or 
"xmlquery", but I did find some generically named fixed bugs (highlighted in 
red typeface below) whose description I can't seem to reference within MOS...


  Oracle Security

   14595800 - CONTEXT INDEX ON FGA POLICY ENABLE TABLE WITH XMLTYPE COLUMN FAILS
   15953721 - TT12.1SQLFUZZ2: FAILED LOGIN ATTEMPT FOR PROXY USER INCREASED WHEN ORA-1948 RAIS
   16969016 - LNX_MAIN: ORA-600 [KZDUSERPRIVILEGEUPDATE-1]
   16703112 - Fix for bug 16703112
   17006570 - Fix for bug 17006570
   17786278 - Fix for bug 17786278
   18061914 - Fix for bug 18061914
   18096714 - Fix for bug 18096714
   18554871 - Fix for bug 18554871
   19049453 - Fix for bug 19049453

  XML Utilities

   17158214 - ORA-4031 FATAL OUT-OF-MEMORY CRASH ON NT EXECUTING LPXXSLINITIALIZECTX API
   15905421 - Fix for bug 15905421

Just curious how you were informed that three of the four bugs had been 
addressed, and which of the four is still remaining?

Thanks so much!

-Tim

On 7/16/14, 6:45, david@xxxxxxxxxxxxxxxxxxxx wrote:

  Hey all,
  As part of yesterday’s Critical Patch Update, Oracle fixed 3 security flaws 
in data redaction services – one a privilege escalation vulnerability and two 
redaction bypass methods. I reported these issues to Oracle in November last 
year and have documented them here: 
http://www.davidlitchfield.com/Oracle_Data_Redaction_is_Broken.pdf
  Cheers,
  David
