Are Security Vulnerabilities fixed by applying Oracle Server Patchsets

Similar Messages

• ORACLE SERVER AND UNIX TP MONITOR-2

  제품 : ORACLE SERVER
  작성날짜 : 1995-01-24
  Subject: Oracle Server and UNIX Transaction Processing Monitors-2
  Page(3/4)
  This file contains commonly asked questions about Oracle7 Server and UNIX
  Transaction Processing Monitors (TPMs). The topics covered in this article are
       o Oracle Parallel Server and TP Monitors
       o Oracle and DCE-based TP Monitors
       o Other commonly asked questions
  The questions answered in part 3 provide additional detail to the information
  provided in part 1.
  Oracle Parallel Server and TP Monitors
  ======================================
  How does Oracle Parallel Server (OPS) work with TP Monitors?
  If you are using Oracle-managed transactions, there are no special
  considerations. But if you are using TPM-managed transactions, and
  thus need to use the XA interface, then Oracle requires release 7.1.3
  or later and a special version of the Distributed Lock Manager, called
  the session-based lock manager. This version of the DLM is not yet
  available for all platforms. To understand this restriction, let's take
  a look at one of the technical details of XA.
  The XA specification requires that the Resource Manager be able to
  move a transaction from one process to another, and even to be
  able to commit in a separate process. In Oracle, transactions are
  attached to sessions, so that means that we also have to be able to
  move sessions. Therefore, the session/transaction can't have any state
  which is tied to a particular process. The first generation distributed
  lock managers were all built to use the process id as the lock owner,
  which doesn't work for locks which need to move with the transaction.
  Oracle and DCE-based TP Monitors
  ================================
  How does Oracle interface to the Encina TP monitor? To CICS/6000? I've
  heard that they require OSF DCE facilities in order to run?
  Oracle interfaces to Encina and CICS/6000 just as it does to any other
  TP Monitor. The TP Monitor issues XA commands to control transactions, and
  Oracle executes the commands. Encina and CICS/6000 do use DCE features for
  their own operation. However, this use is transparent to the Oracle Server.
  What DCE facilities can Oracle products take advantage of when working with
  a DCE-based TP Monitor?
  The two most commonly mentioned DCE features which might be useful
  to Oracle users are multi-threading and security. We look at these in
  the subsequent questions in this section.
  Encina documentation suggests that a Resource Manager such as Oracle can
  be either single-threaded or multi-threaded? Which way is Oracle XA
  implemented?
  The Oracle XA implementation is single-threaded, as is any Oracle client.
  Within a single process, at most one thread can access Oracle at a time.
  Does that mean that only a single Encina application can access an instance
  of Oracle transactionally at any given moment?
  No. Oracle XA is only single-threaded within a single application server
  process. Multiple applications can access Oracle simultaneously using XA
  by using different application processes. Encina allows
  (1) serial reuse of a single server by different clients. There are
  two options for this. The server can use long term reservation
  but be defined to be in shared or concurrent access mode, which
  allows the server to be used by another client as soon as an RPC
  completes. Alternatively, the server can use default reservation
  and exclusive mode, which allows the server to be used by another
  client as soon as the current transaction ends.
  (2) concurrent execution by multiple servers, even if they are accessing
  the same Oracle database. These may be executing the same or different
  procedures.
  These two features should let you get as much concurrency as you need.
  Why isn't the Oracle XA library multi-threaded?
  The XA specification specifically states that its use of the phrase
  "thread of control" means a process. If an RM were to multi-thread its
  XA, it would be in violation of the specification. This restriction
  was put place in because at the time the specification was written,
  there were numerous thread packages: if the TM used one, the application
  another, and perhaps the RM yet a third, there's no way it could work.
  As threads standards settle down, the later versions of XA will probably
  relax this restriction.
  Will Oracle change if the XA specification changes?
  Very likely. The exact time frame will of course depend on the priority of
  all work items at that time.
  Does Oracle use DCE security via the TP Monitors?
  The integrity of the connection between a DCE TP Monitor client and DCE
  TP Monitor server is protected by the DCE security functionality.
  Theoretically, the TP Monitor could make the DCE-protected client security
  information available to Oracle. Unfortunately, there's no standard way
  for a TP Monitor to pass security information information to a Resource
  Manager such as Oracle. Oracle is leading an effort to extend the X/Open
  model to allow use of the security information provided by the Monitor.
  In the meantime, the basic DCE security features such as encryption are
  useful within TP Monitors.
  Effective use of DCE security would normally also mean that the security of
  the TP Monitor client be passed through the TP Monitor, through the Oracle
  client (application server), to the Oracle Server, and possibly on
  to other Oracle Servers through database links. The ability to transfer
  security information to other processes, called delegation, is missing
  in DCE version 1.0. DCE version 1.1, expected to emerge in late 1994,
  has some delegation features. Oracle is examining these features to see
  how they might be used.
  Are there any special considerations for CICS/6000?
  There are two:
  (1) It is inefficient to run without XA. CICS/6000 is designed to
  use XA. It uses XA so that the CICS server can log on to Oracle
  when it starts, after which it makes that Oracle connection available
  to any transaction it executes. If you don't use XA, the CICS server
  does not itself log on to Oracle so each transaction has to log on
  and log off - a very expensive mode of operation. Also, it is very
  un-cics-like in that the application does the log{on,off} and also
  commits - in a mainframe CICS database program CICS would implicitly
  do these operations. Oracle does not recommend this mode because of the
  performance penalty.
  (2) CICS servers are generic and dynamically load application modules.
  In order for these modules to access the Oracle connection made by
  CICS, the applications must be built with a shared object version of
  the Oracle libraries. This is an installation option on platforms which
  support CICS/6000 and other products using its architecture such as
  CICS 9000.
  Other commonly asked questions
  ==============================
  What other Resource Managers can be included in an Oracle XA transaction?
  Several other relational database vendors have an XA implementation
  available or in progress. There is an XA C-ISAM product from
  Gresham Telecomputing. There are also Resource Managers contained
  within some of the TP Monitors which can be coordinated in the same
  transaction. For example, CICS/6000 has VSAM files and other data
  stores, Encina has its RQS queuing system, and Tuxedo has its /Q queuing
  system.
  What is Recoverable Queuing Service (RQS) and how does it interoperate with
  Oracle7 and Encina? What about /Q?
  Recoverable Queuing Service is a feature provided by Encina which allows
  transactional, distributed queuing (enqueue/dequeue). Tuxedo has a similar
  product called /Q. Because these products are themselves coordinated by the
  TM component of the TP Monitor, their queue operations are atomically
  coordinated with with operations on XA Resource Managers such as Oracle7
  Server. That is, they can atomically put something on one of their queues
  and commit an Oracle transaction, then at some later time dequeue an
  entry atomically with doing some other Oracle transaction. The queue
  system guarantees that the message will not be lost or transmitted twice.
  Can I mix TP Monitor applications with standard Oracle7 Server applications?
  Yes, you can have existing Oracle applications connected to the database
  with alongside TPM applications against the same database. The TPM does
  not manage the whole database, just those transactions which are started
  by the TPM. The Oracle Server will properly handle concurrency control
  between the transactions managed by itself and those managed by the TPM.
  Is Oracle planning to change its tools to be more suitable for TP Monitors?
  With Oracle Procedure Builder 1.5, to be available with CDE2,
  Oracle will provide a foreign function interface that allows you to
  dynamically set up PL/SQL calls that access C functions. In other
  words, you can access C routines in Windows DLLs from within your
  PL/SQL procedures. This will allow PL/SQL under Windows easy access to
  TP Monitor APIs.
  Does Oracle7 Server itself use XA-compliant TPMs as the interface to
  foreign RMs?
  No, for this purpose Oracle Server uses the SQL*Connect products or the new
  Transparent and Procedural Gateway products.
  Does Oracle7 Server use XA to coordinate Oracle7-only distributed
  transactions?
  No, it uses an internal mechanism.
  Can database links be used with XA?
  If an Oracle7 database is running under XA, it can access other Oracle7
  databases through database links, with some restrictions. First, the
  access to the other database must use SQL*Net V2 and be running MTS.
  Second, it must currently be to another Oracle7 database. Assuming those
  restrictions, the Oracle 7 database can do distributed update to another
  Oracle 7 database by using a database link, whether it is started by an
  Oracle application or a TP Monitor application. The TPM will see Oracle
  as only a single RM, but Oracle7 will propagate all the transaction
  commands to the other database, including the two-phase commit. If
  the transaction is started by a TP Monitor application and is using XA,
  it can also update non-Oracle resources managed by the TPM. If it
  is started from an Oracle application, it can only include resources
  managed by Oracle.
  Here's a sample configuration:
  | TPM | | TPM |
  | client | | client |
  | |
  | |
  | TPM |
  | |
  | |
  | Oracle | Forms, Forms, | Oracle | | non-XA | | XA |
  | client | Plus, Plus, | client | | TPM | | TPM |
  --------- Pro, Pro, --------- | server | | server |
  | Financials, Financials, | |(note 1)| ----------
  | etc. etc. | ---------- |
  | | | |
  | SQL | SQL | SQL | XA
  | commit | commit | commit | commit
  | | | |
  | Oracle | | Oracle | | Oracle | | Oracle |
  | server | | server | | server | | server |
  | | | |
  | | | |
  | | | |
  | Database 1 | | Database 2 |
  | | | |
  | A | A
  | | dblink to database 1 | |
  | ------------------------------------ |
  | |
  dblink to database 2
  Note 1: Oracle will work having both XA and non-XA servers but some TPMs
  may have restrictions on this.
  Are multiple direct connections possible from a Pro* program?
  Using XA, you can not only specify multiple direct connections to Oracle7
  databases, you can also update them both in the SAME transaction. The
  way to do this is to use a precompiler feature called a named database.
  When you use a named database, you qualify the SQL statement with the
  database name. For example, you write EXEC SQL AT dbname UPDATE emp ....
  We have a complementary feature in the xa open string to let the user
  associate the name with a particular RM instance, called the DB clause.
  You will also want to use the SqlNet clause in the open string so you
  can give the two different SIDs. This clause does not require the use of
  the SQL*Net product, it is just a naming convention. For more information,
  see Oracle7 Server for UNIX Administrator's Reference Guide.
  Some TP Monitors may not support having multiple Resource Mangers in the
  same server; check with the TPM vendor.
  Is there any collateral available for XA or TP Monitors?
  Oracle At Work 52684.0692
  Oracle7 Server for UNIX Administrator's #A10324-1
  Reference Guide
  Guide to Oracle's Products and Services #A10560
  Oracle7 Server and CICS/6000               #A14200
  Where can I get more information on the DTP model?
  X/Open's address is
  X/Open company Ltd (Publications)
  P O Box 109
  Penn
  High Wycombe
  Bucks HP10 8NP
  Tel: +44 (0)494 813844
  Fax: +44 (0)494 814989
  Request
  G307 Distributed Transaction Processing: Reference Model Version 2
  X/Open Guide G307 ISBN 1-859120-19-9 28cm.44p.pbk.220g.11/93
  Page(4/4)
  This file contains commonly asked questions about Oracle Server and UNIX
  Transaction Processing Monitors (TPMs). The topics covered in this article are
       o Performance with Oracle Server and TP monitors
       o Performance using Oracle's XA Library
  The questions answered in part 4 provide additional detail to the information
  provided in part 1.
  Performance with Oracle Server and TP Monitors
  ==============================================
  I have heard that Transaction Processing Monitors (TPMs) will increase
  Oracle Server performance. Is this true?
  Several hardware and TPM vendors have made the claim that TPMs
  will increase RDBMS performance. This claim is based on TPC-A
  benchmarks. The key point to understand about TPC-A is that it
  requires, for every transaction-per-second, ten times that many
  users to be connected. For example, to get 600 TPS, you need 6000
  users. The next question will answer in more detail how the the
  three-tier architecture addresses this requirement, but first let's
  look more generally at what TP Monitors can and can't do to improve
  performance.
  TP Monitors can provide better performance:
  (1) When there are more than several hundred users connected.
       This is because of the TP Monitor's role in the three-tier
       architecture, described in the next question. In this
       architecture, terminal handling is offloaded to one or more
       separate machines, freeing up those cycles to do database work.
       Note that this does NOT mean that Oracle itself runs faster,
       just that we've given it more CPU cycles to use.
  (2) When, because of the high potential concurrency of requests,
       significant resource contention exists. Use of a TP Monitor can
       limit the degree of concurrency and thus reduce contention.
  TP Monitors can not provide better performance:
  (1) For existing applications. The applications must be designed
       to fit the TP Monitor architecture.
  (2) For applications which are highly interactive in their use of
       the database. These applications put many messages
       through the transport system, and the TP Monitor is not as
       efficient as SQL*Net for point-to-point communication.
  (3) For CPU intensive single-query decision support. When executing
       a single large command, Oracle query facilities work efficiently,
       especially with the use of Oracle Parallel Query, available in 7.1.
  How does the three-tier solution help TPC-A, or other situations with
  thousands of on-line users?
  The TPC-A test calls for a large number of users to produce a given
  result. In the high-end results we produced in June, 1992, for example,
  6150 terminals were simulated to produce 618 TPC-A transactions.
  Thus, terminal concentration accounts for a large portion of the total
  processing time used.
  First, let's look at how the Multi Threaded Server would work for
  this benchmark. In this case, there are many client processes,
  but only a few server processes, which handle client requests on a
  first-come first serve basis. When they are done with a request,
  they take another client's request.
  ORACLE7 CLIENT/SERVER ARCHITECTURE WITH MULTI THREADED SERVER
  | Client | | Server |
  | __________ |______________|_____ _____________ _____________ |
  | | Client | | SQL*Net | |_|Dispatcher | | | |
  | | Process| | | ____| Process |___| | |
  | |________| | | | __|___________| | | |
  |____________| | | | | | | | |
  | | | | | | Oracle7 | |
  ______________ | | | __|__|____ | Server | |
  | Client | | | | __|_|_____ | | | |
  | __________ | | | | | Shared | |____| | |
  | | Client | | SQL*Net | | | | Server |_|____| | |
  | | Process|_|______________|__| | | Process|_| | | |
  | |________| | | | |________| |___________| |
  |____________| | | |
  | | |
  ______________ | | |
  | Client | | | |
  | __________ | | | |
  | | Client | | SQL*Net | | |
  | | Process|_|______________|____| |
  | |________| | | |
  |____________| | |
  |_______________________________________|
  Client processes = N Dispatcher processes >= 1
  Shared server processes >= 1
  If there are 500 clients in this environment, there will be one or more
  dispatcher processes, dynamically tunable, and one or more shared
  server processes, dynamically tunable, on the server. The reduction
  in the total number of processes handled by the server system
  results in more processing time available for RDBMS activity. Thus
  higher RDBMS transaction throughput can be obtained on the
  server system.
  But the problem for the TPC-A, and for certain large customer
  configurations, is not the only ability of the Oracle Server to
  process transactions, but also the ability of the operating
  system to handle huge numbers of incoming connections.
  There is one incoming connection for each client. Most UNIX
  operating systems have a limit on how many such connections they can
  handle. Even if a particular operating system allows a large number of
  connections, each takes some amount of overhead to manage.
  In order to service all 6150 terminals, we selected a 3-tier hardware
  environment where the middle tier, using a TPM, acted as a terminal
  concentrator. The high-end TPC-A architecture looked like the following.
  The Application Servers, which contain the Pro*C statements used to
  perform the transaction also run on the terminal concentrator machine
  in order to offload as much work from the database serve as possible.
  They send the compiled SQL over SQL*Net to the Oracle7 Server processes.
  ORACLE7 TPS-A CLIENT/SERVER ARCHITECTURE
  | Client | | Terminal | | Server |
  | ________ | | Concentrator | | |
  | | Client | |TPM | | | |
  | | Process|_|_____|__ _____ | | |
  | |________| |Comm | | | | | | |
  |____________| | | | | | | |
  | |__| | | | |
  ____________ | | TPM | | | |
  | Client | | ___| | _______ | | ________ _______ |
  | ________ | | | | |_| |__|_______|__| Oracle | | | |
  | | Client | |TPM | | | | |Appl. | |SQL*Net| | Server |__| | |
  | | Process|_|_____|_| |_____| |Server | | | | Process| | | |
  | |________| |Comm | |_______| | | |________| | | |
  |____________| | | | | | |
  |_______________________| | | | |
  | | | |
  ____________ _______________________ | |Oracle7| |
  | Client | | Terminal | | |Server | |
  | ________ | | Concentrator | | | | |
  | | Client | |TPM | | | | | |
  | | Process|_|_____|__ _____ | | __________ | | |
  | |________| |Comm | | | | _______ |SQL*Net| | Oracle | | | |
  |____________| | | | |_| |__|_______|__| Server |__| | |
  | |__| | |Appl. | | | | Process| | | |
  ____________ | | TPM | |Server | | | |________| |_______| |
  | Client | | ___| | |_______| | | |
  | ________ | | | | | | | |
  | | Client | |TPM | | | | | | |
  | | Process|_|_____|_| |_____| | | |
  | |________| |Comm | | | |
  |____________| | | | |
  |_______________________| |________________________|
  Clients = 6150 Terminal concentrators = 17
  TP Monitor instances = 17
  Application server processes Oracle Server processes
  = 17*8 = 17*8
  The TPM is the software component of the terminal concentrator. In this role
  it offloads terminal handling from the the machine running Oracle Server.
  Since more than one terminal concentrator can be configured, whereas the
  database in this case had to run on a single machine, concentrator machines
  can be added until the performance of the back-end machine was optimized.
  This three-tier solution resulted in the outstanding transaction throughput
  announced with Oracle7 Server. Even with Oracle Parallel Server, it may pay
  to offload the terminal handling so that the cluster can be exclusively used
  for database operations.
  Can you summarize the performance discussion for me?
  Depending on the number of users required, different architectures may be
  used in a client/server environment to maximize performance:
  1) For a small number of users, the traditional Oracle two-task
  architecture can be used. In this case, there is a one-to-one
  correspondence between client processes and server processes. It's
  simple, straightforward, and efficient.
  2) For a large number of users, Multi Threaded Server might be a better
  approach. Although some tuning may be required, Multi Threaded Server
  can handle a relatively large number of users for each machine size
  compared to the traditional Oracle approach. Using this approach,
  customers will be able to handle many hundreds of users on many
  platforms. Furthermore, current Oracle applications can move to this
  environment without change.
  3) For a very large number of users, where transactions are simple and
  terminal input concentration is the overriding performance issue, a
  3-tier architecture incorporating a TPM may be useful. In this case,
  terminal concentration is handled by the TPM in the middle tier. As
       you might expect, it is a more complex environment requiring more
       system management. For existing Oracle customers, significant Oracle
  application modifications will be required.
  Oracle provides all of these choices.
  Performance using Oracle's XA Library
  =====================================
  Are there any performance implications to using the XA library (in other
  words, to using TPM-managed transactions)?
  (1) The XA library imposes some performance penalty. You should use
  TPM-managed transactions only if you actually need them. Even if you
  are getting the one-phase commit optimization, the code path is
  longer because we need to map back and forth between external
  formats and internal ones. Also, prior to 7.1, XA requires you
  to release all cursors at the end of a transaction, which results
  in extra parsing. Even with shared cursors, there is time spent
  looking up the one you need and re-validating it. This has been
  improved for 7.1.
  (2) If you need to use two-phase commit, this will incur additional cost
  since extra I/Os are required. If you do need 2PC, you need to account
  for that when sizing the application.
  (3) Although some TPMs allow parallel execution of services (such as Tuxedo's
  "tpacall"), this will not normally enhance performance unless different
  resource managers are being used. In fact, Oracle Server must serialize
  accesses to the same transaction by the same Oracle instance, and the
  block/resume code will in fact degrade performance in that case compared
  to running the services sequentially.

  hello,
  the role is the same on all plattforms. the reports server takes requests for running reports, spawns an engine that executes the request. in addition to that, the server also provides scheduling services and security features for the reports environment.
  regards,
  the oracle reports team

• Security Vulnerabilities on CPUCMS

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

• IPhone security vulnerabilities ????

  This was sent out to all employees at my local gov offices... anyone know what she is talking about?
  I know iPhones are the latest cool gadget. However, there are security vulnerabilities associated with having them on our network in order to get your e-mail from the Exchange server. We are researching and trying to stay current on the issues and solutions. I do recommend that before you purchase an iPhone with expectations of using County network resources like e-mail, please contact us.
  <Edited by Moderator>

  Security is a 'cool' word to say, we're not sure how we're going to support this, or we don't want you to use it. Essentially this is a cool myth to make people afraid. (think of airport security and the 'orange' alerts we're conditioned to be fearful of)
  If you can get your work email at home via POP, IMAP and/or web access, the iPhone poses no more or less security threat than your home PC or laptop do.
  The only 'security issue' I can really see is that an iPhone is much easier to loose or have stolen, in which case, since there is no password needed to access the emails stored on the phone, someone 'could' view confidential emails stored on the phone, as well as send new emails, until a password is changed on the corporate side.

• Lenovo software and driver security vulnerability fixes

  I have noticed there are security vulnerability fixes (among other fixes) in several Lenovo software and driver updates.
  Synaptics ThinkPad UltraNav Driver (2013/04/25, version 16.2.19.7)
  http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/6hgx75ww.txt
  <16.2.19.7>
  - (Fix) Fixed security vulnerability issues.
  Hotkey Features Integration (2013/04/25, version 3.84.5000)
  http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/8jvu35ww.txt
  <3.84.5000>
   - (Fix) Fixed security vulnerability issues in service registration path and function calls inside the program binary.
  Power Manager (2013/04/26, version 6.54)
  http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/hfu406ww.txt
  <6.46>
  - (Fix) Fixed a vulnerability security issue.
  ThinkVantage Access Connections (2013/04/08, vesion 6.01)
  http://download.lenovo.com/pccbbs/mobiles/ggc709ww.txt
  <5.97>
   - (Fix) Fix for security vulnerabilities privately and responsibly disclosed by Frederic BOURLA of High-Tech Bridge SA

  There are several reports of fixed vulnerabilities in Lenovo software and drivers that I have summarized here
  Unfortunately there are no detailed descriptions of these security issues. Currently there are databases like CVE MITRE that collects such reports for any software. Could Lenovo be more specific about these vulnerabilities and add CVE references ?
  Moderator Note; Threads merged; link to this thread removed

• Oracle Security Vulnerabilities?

  Hi all,
  We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
  Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
  They provided me with two sources to explain the issues:
  http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
  and
  Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
  Is this really a security problem? If so, what can be done to mitigate the risk?
  Thanks,
  John

  Hi all,
  I thought I’d jump in this thread with a few thoughts.
  Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
  Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and release fixes for them through the Critical Patch Update.
  An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (This is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you at current security patch level, and this will significantly contribute to improving your organization’s security posture.
  Do not hesitate to contact me if you have questions at [email protected]
  Sincerely
  Eric Maurice
  Manager – Oracle Software Security Assurance

• Oracle XDK Java removing security vulnerabilities

  Hi All,
  I am looking for removing security vulnerabilities that may be associated with XML parsers.
  I am looking which version of Oracle XDK Java has removed security vulnerabilities associated with XML Parsing.
  Also what is the latest version Oracle XDK Java is present in market.
  Also is new version are backward compatible. Do we need to see is any change in API level occurs.
  Currently we are using Oracle XDK Java 10.2.0.2.
  Just a description of security vulnerabilities that may be associated with XML parsers are
  "The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.:
  Regards
  Atul Parti

  Which JVM is the security tool complaining about (what is the directory path, for example)?
  My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools.  If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis.  They're only used by things like the OUI which only get invoked when someone wants to do something like install new software.  Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools. 
  If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools.  That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging. 
  Justin

• Security vulnerabilities in apache that comes with oracle database.

  Hi,
  We are having a QA database in Oracle enterprise version 9.2.0.4 on OS : OSF1.
  Recently our security team ran a test and found that the apache1.3 that comes as component of Oracle database is prone to security vulnerabilities. Also they suggested to remove the apache or upgrade to latest as remedy.
  When contacted to Oracle support, Oracle team replied apache upgrade should not be done instead latest apache seprately can be installed as reverse proxy. But when asked for steps/document there is no reply. Anyone faced this problem can provide any help/suggestion in this regard.
  I am attaching some of the threads identified by our Security Team for reference.
  1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
  2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  3. Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=iso-8859-1
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>417 Expectation Failed</TITLE>
  </HEAD><BODY>
  <H1>Expectation Failed</H1>
  The expectation given in the Expect request-header
  field could not be met by this server.<P>
  The client sent<PRE>
  Expect: <script>alert(document.domain)</script>
  </PRE>
  but we only allow the 100-continue expectation.
  -CR

  I dont know how to find which components are using the apache. Help me if there is any way to find it. Only information i can say you is there is no other software installed that in that server other than oracle Database.

• Oracle Security Patch Error while applying --The filename, directory name,

  Hello,
  I am running into strange error while applying Oracle Security Patch 68 by using Opatch.
  Supposedly, All the environment variables are set properly.
  ACTIVE_STATE_PERL=true
  DBMS_TYPE=ORA
  dbs_ora_tnsname=YBQ
  JAVA_HOME=C:\jdk1.3.1_10
  OPATCH_DEBUG=TRUE
  ORACLE_HOME=E:\oracle\ora92
  ORACLE_SID=YBQ
  Path=E:\oracle\OPatch;C:\jdk1.3.1_10\bin;E:\oracle\Perl\bin;E:\oracle\ora92\jre\1.4.2\bin\client;E:\oracle\ora92\jre\1.4.2\bin;E:\oracle\ora92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;C:\Program Files\Common Files\VERITAS Shared;\NetBackup\bin;C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Support Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;E:\usr\sap\YBQ\SYS\exe\run
  Installed Active Perl. latest version
  downloaded Opatch 1.0.0.50
  and the patch number 3738339
  I went to that directory and run the command :
  perl opatch.pl apply
  It started of well.
  OPatch version is: 1.0.0.0.50
  Using ORACLE_HOME/oui to look up oui libs...
  Oracle Home = E:\oracle\ora92
  Location of Oracle Inventory = E:\oracle\ora92\inventory
  Oracle Universal Installer shared library = E:\oracle\ora92\oui\lib\win32\oraInstaller.dll
  Path to Java = "E:\oracle\ora92\jre\1.4.2\bin\java.exe"
  Location of Oracle Inventory Pointer = N/A
  Location of Oracle Universal Installer components = E:\oracle\ora92\oui
  Required Jar File under Oracle Universal Installer = jlib\OraInstaller.jar
  find under OH/oui/jlib
  found OraInstaller.jar
  Checking if this is a RAC system...
  Accessing inventory... This may take up to 300 seconds.
  (retry 10 times, delay 30 seconds each time)
  System Command: ""E:\oracle\ora92\jre\1.4.2\bin\java.exe" -Dopatch.retry=10 -Dopatch.delay=30 -DTRACING.ENABLED=TRUE -DTRACING.LEVEL=2 -Dopatch.debug=true -classpath "E:\oracle\ora92\oui\jlib\OraInstaller.jar;E:\oracle\ora92\oui\jlib\srvm.jar;jlib\opatch.jar;E:\oracle\ora92\oui\jlib\xmlparserv2.jar;E:\oracle\ora92\oui\jlib\share.jar;.:E:\oracle\ora92\jlib\srvm.jar" opatch/O2O "e:\oracle\ora92" "E:\oracle\ora92\oui" opatch.pl 1.0.0.0.50"
  Result:
  ----- DEBUG is ON -------
  oracle.installer.startup_location will be set to E:\oracle\ora92\oui
  oracle.installer.oui_loc will be set to E:\oracle\ora92\oui
  oracle.installer.scratchPath will be set to /tmp
  opatch.local_node_only is OFF
  retryOption is ON: 10
  delayOption is ON: 30
  Few more stuff here .. not pasting the entire contents
  System Command: ""E:\oracle\ora92\jre\1.4.2\bin\java.exe" -Dopatch.retry=10 -Dopatch.delay=30 -DTRACING.ENABLED=TRUE -DTRACING.LEVEL=2 -Dopatch.debug=true -classpath "E:\oracle\ora92\oui\jlib\OraInstaller.jar;E:\oracle\ora92\oui\jlib\srvm.jar;jlib\opatch.jar;E:\oracle\ora92\oui\jlib\xmlparserv2.jar;E:\oracle\ora92\oui\jlib\share.jar;." opatch/CheckConflict "E:\oracle\ora92\oui" "e:\oracle\ora92" opatch.pl 1.0.0.0.50 3738339 "3741539 3528282 3516951 3622875 3668572 3371796 3239873 3356103 3543125 3666502 2800494 2824035 2964252 3617042 3320622 3571233 3253770 3492040 3566469 3354470 3625370 3583686 3150750 3617519 3635177 3597640 3749394 3542588 3698501 2954891 2918138 3559212 3518909 3412818 3430832 3172282 3358490 3637624 3458446 3179637 2810394 3668224 3609791 3566813 3475932 2338704 3412136 3388633 3540576 3571226 3575743 2690205 3240280 3509265 3177513 3575747 3811906 3554319 3752406 3323435 " E:\3738339\etc\config\actions"
  Result:
  opatch.pl version: 1.0.0.0.50
  Copyright (c) 2001-2004 Oracle Corporation. All Rights Reserved.
  The filename, directory name, or volume label syntax is incorrect.
  Error in executing Java program to check conflict
  ERROR: OPatch failed during pre-reqs check.
  Now there is no problem with executing the last java program in the same prompt by removing the first and the last double quote "
  Please advise.
  Thanks in advance.

  hi somnath,
  this is the portal content management forum. for your database question please use the database forums:
  http://forums.oracle.com/forums/index.jsp?cat=18
  thanks,
  christian

• Find how many users are connected in the Oracle Server

  Hi,
  I am using Oracle 10g. My question is, is it possible to find how many users are connected in the Oracle Server. We are having one Server and we are having many client machines which will connect the Oracle.
  And one more question in the meanwhile i want to take Backup of one database which client as connected. Is it get any problem to the client machine which is accessing the server. And How to take the backup from the server machine. Any commands to process.
  Thank u...!

  Hi there.
  If You run
  select count(*) from v$session where username is not null;you'll get the number of users connected to Oracle server,
  and yes , you could do backup while users are connect to db you are backing up.
  cheers

• Where to find the doc for Oracle server security

  I am preparing for Oracle 9i upgrade OCP and looking for
  the document which talks about Oracle server security
  which includes Application context, Security Role and etc.
  Thanks

  hi,
  this is the portal content management forum. for your database question please use the database forums:
  http://forums.oracle.com/forums/index.jsp?cat=18
  thanks,
  christian

• What are the steps to apply Oracle Patch?

  What are the steps to apply Oracle Patch?

  Hi,
  apply patch != apply patchset
  Generally, patch is apply with opatch tool (from 9i), and there is an exe for patchset.
  But, as it already said, the reading of readme is always a good idea...
  Nicolas.

• Applying Windows Server fixes to a windows server 2012 R2 server with sql server 2012 with an AG

  I need to apply windows updates and I want to understand the proper method since I have 2 nodes using an AG. I see a distinction made to the process for sql server updates versus os updates but os updates seem to point to a cross-cluster migration document.
  But that document seems to be talking about moving from windows server 2008 to windows 2012. Can't I just follow the method for sql server rolling upgrades?

  Hi David,
  According to your description, you want to apply Windows updates in availability group. I recommend you to manually apply the updates instead of using windows updates. Do you want to apply SQL Server updates or operating system-related updates?
  If you just want to update SQL Server, you can follow the rolling update process. For how to follow rolling update process to update SQL Server instance in availability group, please refer to the article:
  https://msdn.microsoft.com/en-us/library/dn178483(v=sql.110).aspx.
  However, if you want to apply operating system-related updates, please download the
  white paper and follow the instructions in it.
  Regards,
  Michelle Li

• Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  So, Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2?
  In the Security Bulleting it reads like it does:
  Summary
  Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
  source: http://www.adobe.com/support/security/bulletins/apsb10-11.html
  However, there are no solutions in the technote:
  Issue
  Note: This technote and the attachments have been updated on 05/13/2010. All ColdFusion users should review the technote again. An issue when this security fix was applied with Cumulative Hot Fix 4 for ColdFusion 8.0.1 has been identified and resolved. The issue was caused by a naming conflict.
  ColdFusion 9.0, 8.0.1 and 8.0 are affected with the issue mentioned in the security bulletin APSB10-11. This technote provides fixes for the security issues along with the installation instructions.
  source: http://kb2.adobe.com/cps/841/cpsid_84102.html
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  Thank you any help will be benifitial.

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  I have had phone support from them, and they were quite helpful.  Do you mean they don't do free phone support?  No, they don't.
  I cannot believe they suggested you raise an issue on the forum.  That's just sh!t.  There's no other way of describing that.
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
  Only for "Extended support", whatever that is.
  [searches]
  Hmmm... http://www.adobe.com/support/programs/policies/terms_customer.html:
  Extended Support. If version of software held by Customer at time of renewal has been end-of-lifed during the next renewal term, Customer may renew to Extended Support, provided that Extended Support is available for such software version.  Information about Software that has been or soon will be end-of-lifed and Extended Support availability dates by product version are published at www.adobe.com/support. If Customer elects to purchase Extended Support, the Annual Support Fee shall be twenty-five (25%) percent of the license fee paid for the Software (if such fee cannot be established, the percentage would be based on the then-current list price of the license fee for the Software), however in no event shall the amount be less than the last renewal prior to renewing under Extended Support.
  If extended support is renewed, the renewal fee would be the Annual Support Fee paid for the prior year increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date. Should Customer upgrade to the next major version of the Software (e.g., upgrade from 4.0 to 5.0), the Annual Support Fee for the upgraded version shall be the lesser of twenty percent (20%) of the then current list price of the license fee for such upgraded version, or the Annual Support Fee for the last renewal prior to renewing under Extended Support increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date.
  So there you go.  It's something you'd have to be paying for anyhow, and my reading of that is that it's too late to get it now anyhow.
  I think this will also mean that you're definitely out of luck in regards to any sort of patching going on for CFMX7.
  Adam

• Vulnerabilities in MySQL in Oracle 11g installation

  I have Oracle 11g as the database for my GUI application, there was a security analysis run on the server hosting the Oracle 11g database and it is showing security vulnerabilities with respect to MySQL such as CVE-2012-2750, CVE-2012-3163 etc. The vulnerability solution in the security report is showing solutions like:
  1) Download and apply the upgrade from: http://downloads.mysql.com/archives.php
  2) Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql
  My query is that any patches or fixes for the security bugs need to be coming from Oracle or should they be applied as stand-alone MySQL fixes.
  I hope my query is clear.
  Please revert with the reply to my query.
  Regards

  975148 wrote:
  I have Oracle 11g as the database for my GUI application, there was a security analysis run on the server hosting the Oracle 11g database and it is showing security vulnerabilities with respect to MySQL such as CVE-2012-2750, CVE-2012-3163 etc. The vulnerability solution in the security report is showing solutions like:
  1) Download and apply the upgrade from: http://downloads.mysql.com/archives.php
  2) Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql
  My query is that any patches or fixes for the security bugs need to be coming from Oracle or should they be applied as stand-alone MySQL fixes.
  I hope my query is clear.
  Please revert with the reply to my query.
  Regards
  Oracle (the product) is not MySQL (the product).
  Oracle (the product) does not know or care about MySQL issues.
  Is MySQL installed on this server? Is it being used?  Depending on your un-named OS, MySQL very will could have been installed simply as part of the OS installation, really just a form of 'bloat-ware'.