Security

Why you simply can’t upgrade from Oracle 11g or 12c to Oracle 23c

It’s time for a Monday morning rant. I receive more and more questions which all start similarly: “My customer is on Oracle 11g and/or 12c, and wants to know whether the next long term support release …“. So let me clarify why you simply can’t upgrade from Oracle 11g or 12c to Oracle 23c, and why you MUST upgrade to Oracle Database 19c.

What is the intention?

After a lot of discussions across many regions, especially in JAPAC, during the past weeks I realized that there is a reason for all …

Continue reading...

Patching all my environments with the January 2022 Patch Bundles

It’s patching time. When I checked an SR and had a quick discussion with a customer yesterday, Peter reminded me that it’s patching day. And at about 20:00h CET the new patch bundles appeared on MOS. So let me show you again Patching all my environments with the January 2022 Patch Bundles for 11.2.0.4, 12.2.0.1, 19c and 21c.

As usual, an important annotation upfront: I patch in-place due to space constraints. But in reality, please always patch out-of-place into a separate home. Please see this blog post about how to apply the

Continue reading...

Welcome onboard at Oracle: Rodrigo Jorge

We are thrilled to announce that as of June 7, 2021 we have a new member in our Product Management team: Rodrigo Jorge joins our group as Product Manager for Database Cloud Migrations, Upgrade and Patching. Many of you may know Rodrigo already. He “was” an Oracle ACE Director until June 6, presented at many conferences and user group events – and he has an excellent technical blog. We are really excited to welcome Rodrigo at Oracle.

Who is Rodrigo?

Rodrigo is joining us from Accenture / Enkitec. He’s very well known in
Continue reading...

Patching all my environments with the April 2021 Patch Bundles

Oh well, time flies. And it is April 2021, and hence I will start Patching all my environments with the April 2021 Patch Bundles. In my case, this will be 19.11.0 and 12.2.0.1 Release Updates. But there will be an additional blog post for the OJVM bundle, too.

As usual, an important annotation upfront: I patch in-place due to space constraints. But in reality, please always patch out-of-place into a separate home. Please see this blog post about how to apply the RU directly when you provision a new home with OUI

Continue reading...

No RURs for 12.2.0.1 – and Oracle 11.2.0.4 left Extended Support

Last week I blogged about the quarterly patching fun when applying the Release Updates to my environments. But I completely forgot to mention and explain a few things. There are No RURs for 12.2.0.1 – and Oracle 11.2.0.4 left Extended Support.

No Release Update Revisions for Oracle 12.2.0.1

Thanks to my friend Rodrigo Jorge who messaged me on the weekend. He goes way deeper with applying the quarterly patches and highlights the differences. And he recognized and blogged already about the fact that there are no RURs available for Oracle 12.2.0.1.

And …

Continue reading...

Patching all my environments with the January 2021 Patch Bundles

Groundhog day on the upgrade blog. It’s time for my quarterly Patching all my environments with the January 2021 Patch Bundles blog post. And still no RAC and ASM. Sorry for that … too many virtual events and other tasks for months, unfortunately.

As usual, an important annotation upfront: I patch in-place due to space constraints. But in reality, please always patch out-of-place into a separate home. Please see this blog post about how to apply the RU directly when you provision a new home with OUI.

Security Alert January 2021

Find …

Continue reading...

JDK patching happens with every RU since January 2020

A while ago, a customer asked me whether he needs to apply JDK patches separately. He had discovered that the JDK in the $ORACLE_HOME was quite outdated. But there was no clear answer available, and the MOS Note he pointed me to seemed to be quite incomplete. Times have changed, though: JDK patching happens with every RU since January 2020.

JDK who?

JDK stands for Java Development Kit. As the Wikipedia article explains, “the JDK includes a private JVM and a few other resources to finish the development of a Java Application”. …

Continue reading...

Oracle Security Alerts for July 2019 got published

It’s patching day. And I’m already downloading the patch bundles for all my installations (11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c). The Oracle Security Alerts for July 2019 got published today.

Patch Advisory and Risk Matrix

You can find the July 2019 Patch Advisory here. I checked the risk matrix for the database. It contains 8 new fixes for the database server. Please pay attention that 3 of the vulnerabilities may be exploitable from a client-only installation, i.e. one without an Oracle Database server installed. The highest CVSS base score is 9.8.

Please check the risk matrix yourself:

Continue reading...

Behavior Change: READ privilege for user SYSTEM in Oracle 12.2

All credits here go to Marcel Pils from Logicalis, a German Oracle partner. Thanks Marcel! In Oracle 12.2 there’s an interesting behavior change: READ privilege for user SYSTEM in Oracle 12.2.

Some Background Information

In Oracle 12.1 the READ privilege has been introduced. Please find more information in the Oracle 12.1 Security Guide: New READ Object Privilege and READ ANY TABLE System Privilege for SELECT Operations. The idea behind the READ object privilege and the READ ANY TABLE system privilege is that you can allow users to query database tables, views, materialized views, and synonyms. But they can’t lock rows …
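The following SQL*Plus script is an added example, not code from the original post, showing the practical difference between READ and SELECT on an object. The schema APP, the table APP.ORDERS, the reporting user RPT and its password are assumptions; run it as a DBA user.

```sql
-- Added example (not from the original post): READ vs. SELECT object privilege.
-- Assumed names: table APP.ORDERS, reporting user RPT. Run as a DBA.

CREATE USER rpt IDENTIFIED BY "Rpt_Pwd_42";
GRANT CREATE SESSION TO rpt;

-- Case 1: READ lets the grantee query, but not take locks.
GRANT READ ON app.orders TO rpt;

CONNECT rpt/"Rpt_Pwd_42"
SELECT COUNT(*) FROM app.orders;             -- plain query
SELECT * FROM app.orders FOR UPDATE;         -- attempt to lock rows
LOCK TABLE app.orders IN EXCLUSIVE MODE;     -- attempt to lock the table

-- Case 2: SELECT additionally allows locking, which can block the
-- application's own DML if a reporting session forgets to COMMIT.
CONNECT / AS SYSDBA
REVOKE READ ON app.orders FROM rpt;
GRANT SELECT ON app.orders TO rpt;

CONNECT rpt/"Rpt_Pwd_42"
SELECT * FROM app.orders FOR UPDATE;         -- row locks held until COMMIT/ROLLBACK
ROLLBACK;

-- Check which of the two privileges a user actually holds on a schema.
CONNECT / AS SYSDBA
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'RPT' AND owner = 'APP'
 ORDER BY table_name, privilege;
```

With only READ granted, the FOR UPDATE and LOCK TABLE statements fail with ORA-01031 (insufficient privileges) while the plain query succeeds; after switching to SELECT all three succeed. The same distinction applies to the system privileges READ ANY TABLE and SELECT ANY TABLE, which is why READ is the safer default for read-only reporting accounts.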

Continue reading...

Download and use the Oracle Database Security Assessment Tool

I visit customers on a regular basis. And when we sit together in front of the machine I sometimes spot tiny little things which may pose a security risk. This could be things such as SEC_CASE_SENSITIVE_LOGON=FALSE or the use of UTL_FILE_DIR or something else. To detect such sensitive spots you should download and use the Oracle Database Security Assessment Tool (DBSAT).

Privileges required for the DBSAT collector user:

CREATE SESSION
SELECT on SYS.REGISTRY$HISTORY
Role SELECT_CATALOG_ROLE
Role DV_SECANALYST (if Database Vault is enabled)
Role AUDIT_VIEWER (12c only)
Role CAPTURE_ADMIN (12c only)
SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and 12c)
SELECT on AUDSYS.AUD$UNIFIED (12c only)
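As an added example (not part of the original post or of the DBSAT distribution), this script creates a dedicated least-privilege account for the DBSAT collector with exactly the grants listed above, and then verifies that nothing beyond that list ended up on the account. The username DBSAT_USER and its password are assumptions; run it as SYS or another DBA.

```sql
-- Added example (not from the original post): least-privilege DBSAT collector user.
-- DBSAT_USER and its password are assumptions.

CREATE USER dbsat_user IDENTIFIED BY "Dbsat_Pwd_42";

-- Grants needed on every supported release
GRANT CREATE SESSION TO dbsat_user;
GRANT SELECT_CATALOG_ROLE TO dbsat_user;
GRANT SELECT ON sys.registry$history TO dbsat_user;
GRANT SELECT ON sys.dba_users_with_defpwd TO dbsat_user;   -- 11g and 12c

-- 12c only: unified audit and privilege capture views
GRANT AUDIT_VIEWER TO dbsat_user;
GRANT CAPTURE_ADMIN TO dbsat_user;
GRANT SELECT ON audsys.aud$unified TO dbsat_user;

-- Only if Database Vault is enabled; check first, then grant the role:
SELECT value FROM v$option WHERE parameter = 'Oracle Database Vault';
-- GRANT DV_SECANALYST TO dbsat_user;

-- Verification: everything the account holds, directly granted.
-- Compare against the list above and revoke anything extra.
SELECT 'SYS PRIV' AS kind, privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ' : ' || privilege
  FROM dba_tab_privs  WHERE grantee = 'DBSAT_USER'
ORDER BY 1, 2;
```

Keep this account locked between assessments (ALTER USER dbsat_user ACCOUNT LOCK) and unlock it only for the collector run; the collector only reads, so it never needs any DML or DDL privilege.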

DBSAT – Oracle Database Security Assessment Tool – Collector and Reporter Components

Download and use the Oracle Database Security Assessment Tool

First of all, you need to download the tool from MyOracle Support:

Continue reading...

Having some fun with SEC_CASE_SENSITIVE_LOGON and ORA-1017

The init.ora/spfile parameter SEC_CASE_SENSITIVE_LOGON has been deprecated since Oracle Database 12.1.0.1. This means we do no further development on it, you shouldn’t change it from its default TRUE – and if you still do, you’ll receive a nice warning during STARTUP of your database:

SQL> alter system set sec_case_sensitive_logon=false scope=spfile;

System altered.

SQL> startup force
ORA-32004: obsolete or deprecated parameter(s) specified for RDBMS instance
ORACLE instance started.

Recently a customer asked me whether we had changed the behavior of this parameter in Oracle Database 12c Release 2, because he now receives an ORA-1017: Invalid username or password error when …

Continue reading...

Unified Auditing – Performance Improvements in Oracle 12.1.0.2

Unified Auditing got introduced in Oracle Database 12.1.

The downsides of the “old” auditing facilities became obvious when too many users had activities or transactions at the same time, leading to audit records being written into AUD$. Contention was a typical issue. The same thing happened when too many users tried to log in at the same time. Furthermore, protecting the auditing information required Database Vault, as there was no default protection available.

This – and some other things – should be remedied by Unified Auditing which is available since Oracle Database 12c. It gets enabled in sort of a “mixed …
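The following script is an added example (not code from the original post) of working with Unified Auditing on 12.1: checking which mode the database runs in, defining a policy, and reading the records back from the unified trail. The policy name FAILED_LOGON_POL is an assumption; run it as a user holding AUDIT_ADMIN, e.g. SYS.

```sql
-- Added example (not from the original post): Unified Auditing basics on 12.1.
-- Policy name FAILED_LOGON_POL is an assumption. Run as SYS / AUDIT_ADMIN.

-- 'TRUE'  = pure unified auditing (binary relinked with uniaud_on)
-- 'FALSE' = mixed mode: traditional AUD$ auditing and unified policies coexist
SELECT value AS unified_auditing FROM v$option WHERE parameter = 'Unified Auditing';

-- Unified auditing is policy based: define the policy once ...
CREATE AUDIT POLICY failed_logon_pol
  ACTIONS LOGON;

-- ... then enable it, here only for unsuccessful logon attempts.
AUDIT POLICY failed_logon_pol WHENEVER NOT SUCCESSFUL;

-- Policies currently enabled (including the ones shipped with the database)
SELECT policy_name, success, failure
  FROM audit_unified_enabled_policies
 ORDER BY policy_name;

-- On 12.1 records are queued in SGA memory before being written to the
-- trail; flush if you need to see them immediately.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Read the records produced by the policy. The trail is owned by AUDSYS
-- and cannot be modified with ordinary DML, which replaces the Database
-- Vault protection the old AUD$ table needed.
SELECT event_timestamp, dbusername, action_name, return_code, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies = 'FAILED_LOGON_POL'
 ORDER BY event_timestamp DESC;
```

Because the trail is written by the AUDSYS schema into its own tablespace and read through the UNIFIED_AUDIT_TRAIL view, housekeeping goes through DBMS_AUDIT_MGMT (for example CLEAN_AUDIT_TRAIL with AUDIT_TRAIL_UNIFIED) rather than through DELETE statements.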

Continue reading...

Oracle 12.1.0.2 – Security Behavior Change with non-SYSDBA Triggers

Sometimes things get revealed on unexpected occasions. This one happened during a recent customer upgrade to Oracle Database 12c with a 3rd party geospatial application installed (ESRI).

At the very end of the upgrade the customer saw many ORA-1031 (insufficient privileges) errors, and it seemed that nothing was working correctly anymore.

This happened during the run of catupend.sql. The following code path in catupend.sql causes the error.

cursor ddl_triggers
is
  select o.object_id
    from dba_triggers t, dba_objects o
   where t.owner = o.owner
     and t.trigger_name = o.object_name
     and o.object_type = 'TRIGGER'
     and (t.triggering_event like '%ALTER%' or t.triggering_event like '%DDL%');
Continue reading...

New Behaviour in Oracle Database 12c and 11.2.0.4: SELECT ANY DICTIONARY with reduced privilege set

You’ve just upgraded to Oracle Database 12c – but your favorite admin tool receives an ORA-1031: Insufficient Privileges after connection?

Then the reason may be the reduced set of privileges for the SELECT ANY DICTIONARY privilege. This privilege no longer allows access to the tables USER$, ENC$, DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$, and XS$VERIFIERS. Actually such changes are not new. For instance, in Oracle 10.1 we removed access to LINK$ from SELECT ANY DICTIONARY (well, this may have happened because the dblink’s password was stored in clear text in LINK$ – a misbehavior which is fixed since
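As an added example (not code from the original post), the following SQL*Plus script reproduces the ORA-1031 an admin tool runs into after the upgrade, shows how to grant the missing access on the individual object instead of widening the privilege, and lists which accounts hold SELECT ANY DICTIONARY and are therefore affected. The user ADMTOOL and its password are assumptions.

```sql
-- Added example (not from the original post): SELECT ANY DICTIONARY after the
-- 11.2.0.4 / 12c change. ADMTOOL and its password are assumptions.

CREATE USER admtool IDENTIFIED BY "Adm_Pwd_42";
GRANT CREATE SESSION, SELECT ANY DICTIONARY TO admtool;

CONNECT admtool/"Adm_Pwd_42"

-- Still covered by SELECT ANY DICTIONARY:
SELECT COUNT(*) FROM sys.obj$;

-- No longer covered (password verifiers and other credentials live here):
SELECT COUNT(*) FROM sys.user$;
SELECT COUNT(*) FROM sys.link$;

CONNECT / AS SYSDBA

-- If the tool genuinely needs one of the excluded tables, grant that single
-- object rather than SELECT ANY TABLE or the DBA role.
GRANT SELECT ON sys.user$ TO admtool;

-- Who holds SELECT ANY DICTIONARY, directly or through a role (one level of
-- role nesting shown), and therefore needs checking after the upgrade?
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT rp.grantee, 'ROLE ' || rp.granted_role
  FROM dba_role_privs rp
  JOIN role_sys_privs rsp ON rsp.role = rp.granted_role
 WHERE rsp.privilege = 'SELECT ANY DICTIONARY'
 ORDER BY 1, 2;
```

In the ADMTOOL session the query on SYS.OBJ$ succeeds while the queries on SYS.USER$ and SYS.LINK$ fail with ORA-01031; after the explicit object grant the USER$ query works. Before granting anything, ask why a monitoring or admin tool needs the raw verifier table at all; DBA_USERS usually provides what it is actually after.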

Continue reading...

October 2013 PSUs and CPUs – News for 12c

Last night CET the most recent Patch Set Updates (PSU) and Critical Patch Updates (CPU aka SPU) got published on MOS. And there’s a significant and remarkable change for Oracle Database 12c onwards. MOS Note: 1571391.1 – Patch Set Update and Critical Patch Update October 2013 Availability Document says:

2.1 Database Security Patching from 12.1.0.1 Onwards

Starting with Oracle Database version 12.1.0.1, Oracle only provides Patch Set Updates (PSU) to meet the Critical Patch Update (CPU) program requirements for security patching. Security Patch Updates (SPU) will no longer be available. Oracle has moved to this simplified model due to popular

Continue reading...