Compiled Messages:

------------------------------------------------------------
Message no. 99
Posted by Ravinder Gaur (rgaur) on Monday, August 28, 2006 2:02pm
Subject: Oracle Security Webcast

If anyone is interested in learning more about the "Best Practices for securing Oracle databases", there is an online webcast from Oracle on Wed, Sep 20 --

Wednesday, September 20, 2006
11:00 a.m. – 12:00 p.m. PST
1:00 p.m. – 2:00 p.m. EST

The URL is (you need to pre-register) --
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=55214&src=4889200&src=4889200&Act=4

I might attend that while from India at that time!

- Ravi

------------------------------------------------------------
Message no. 100[Branch from no. 99]
Posted by Lakshmikar Padmaraju (lpadmaraju) on Monday, August 28, 2006 2:30pm
Subject: Re: Oracle Security Webcast

Hi Ravi,

That is a good one, I have to my schedule and I may participate in it.

Raju

------------------------------------------------------------
Message no. 101[Branch from no. 99]
Posted by Krishnamurth Ashwini (kashwini) on Monday, August 28, 2006 2:34pm
Subject: Re: Oracle Security Webcast

Thanks for the link. This could be interesting.

Ash

------------------------------------------------------------
Message no. 102
Posted by Lakshmikar Padmaraju (lpadmaraju) on Monday, August 28, 2006 2:43pm
Subject: Oracle Critical Patch Updates and Security Alerts link

Hi,

Here is the link for the Oracle website where you can see

--Critical Patch Updates
--Security Alerts
--MetaLink Security Notes
--Public Vulnerabilities Fixed
--Policies
--Reporting Security Vulnerabilities

http://www.oracle.com/technology/deploy/security/alerts.htm

raju.

------------------------------------------------------------
Message no. 103
Posted by Daniel Thurston (dsthurston) on Monday, August 28, 2006 2:49pm
Subject: oracle and performance

Well I finally got around to the install. Mostly because I put oracle on a clean install of windows 2003 R2 server.

Last week there was a lot of talk about performance issues and people's machines slowing down. The oracle installation guide Requirements say:

Physical memory (RAM) 256 MB minimum; 512 MB recommended

Now looking at my machine, that is running nothing else (user programs), there is 548MB of ram in use. Some of the main Oracle culprits are:

oracle - 210,428K
Java - 58,040K
Java - 41,552K
emagent - 17,580K
tnslsnr.exe - 7,508K
isqlplussve.exe - 6,472K
. . .

It is fairly easy to see that 256MB will leave your machine doing a great deal of thrashing. 512 may suffice but I would not hope to use the machine for much else and enjoy any kind of responsiveness.

I have also seen a regular CPU spiking (quickly to 30-60%) pattern that appears to be caused by the oracle process. That should not greatly affect other processes.

Of course results will vary from OS to OS.

As stated by others shut it down if not in use and you need the machine for other things.

Cheers
Dan

------------------------------------------------------------
Message no. 105[Branch from no. 101]
Posted by Anjana Divakar (adivakar) on Monday, August 28, 2006 2:59pm
Subject: Re: Oracle Security Webcast

Thanks for the link. I think it would be a great idea to register for it.

anjana

------------------------------------------------------------
Message no. 106[Branch from no. 99]
Posted by Naziya Shaik (snaziya) on Monday, August 28, 2006 3:59pm
Subject: Re: Oracle Security Webcast

That's pretty interesting to learn more about it. Thank you for giving us that information.

------------------------------------------------------------
Message no. 108
Posted by Eric Knuth (elknuth2) on Monday, August 28, 2006 9:31pm
Subject: Great source for Linux installs

I found this web site the other night and checked out a couple of his configurations. They seem to be right on the money.

http://www.puschitz.com/InstallingOracle10g.shtml

------------------------------------------------------------
Message no. 111[Branch from no. 99]
Posted by Eric Knuth (elknuth2) on Monday, August 28, 2006 9:53pm
Subject: If you ever have the money and time.....

I have always found the Oracle seminars to be a little dry and they never seem to admit their own issues. Now Black Hat is where the real geeks hang. I couldn't make it this year, but I WILL be there next year. This is the place to learn.

http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-dl-oracle.html

I also recommend googling "black hat oracle" for some great articles.

Eric

------------------------------------------------------------
Message no. 115[Branch from no. 111]
Posted by Lakshmikar Padmaraju (lpadmaraju) on Tuesday, August 29, 2006 10:15am
Subject: Re: If you ever have the money and time.....

Eric,

This is a good link, I will forward this to our director, let's see if he sponsors this event.

Thanks for the info.

Raju.

------------------------------------------------------------
Message no. 116[Branch from no. 103]
Posted by Lakshmikar Padmaraju (lpadmaraju) on Tuesday, August 29, 2006 10:36am
Subject: Re: oracle and performance

Daniel,

Very good diagnostic analysis.

I have installed Oracle on two machines: one has 512MB and an AMD processor (I installed it for TEC 5323), and the other is a new Dell laptop with 1GB RAM and a Pentium M processor. When the Oracle instance is running I don't see any difference in performance between the two; both are slow.

Raju.

------------------------------------------------------------
Message no. 118[Branch from no. 99]
Posted by Gnaneshwar Bukka (gbukka) on Tuesday, August 29, 2006 3:05pm
Subject: Re: Oracle Security Webcast

Hi Ravi,

This stuff looks interesting, should plan to register for that. Thank you.

Cheers,
Gnaneshwar Bukka.

------------------------------------------------------------
Message no. 121[Branch from no. 111]
Posted by Rhonda Nichols (renichols2) on Tuesday, August 29, 2006 9:31pm
Subject: Re: If you ever have the money and time.....

Eric,

Sounds like a new civil service position...Hacker I, Hacker II, Hacker II: breaking into your own system, could become a full time job.

-Rhonda

------------------------------------------------------------
Message no. 123
Posted by Naziya Shaik (snaziya) on Tuesday, August 29, 2006 10:35pm
Subject: Vulnerability issues...in Oracle 10g release 2

82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, conduct SQL injection attacks and compromise a vulnerable system.

Details have been disclosed for the following vulnerabilities:

1) Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, DBMS_METADATA_INT, DBMS_METADATA, CTXSYS.DRILOAD, CTXSYS.DRIDML, CTXSYS.CTX_DOC, CTXSYS.CTX_QUERY, and CATINDEXMETHODS Oracle PL/SQL packages is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

3) Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

4) Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in cleartext, and the masterkey for the TDE wallet to be stored unencrypted.

The security issues have been reported in Oracle Database 10g Release 2 version 10.2.0.1.

5) Some errors in the Reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports.

The vulnerability has been reported in versions 1.0.2.0 through 10.1.0.2.

6) Unspecified input in the "sys.dbms_metadata" package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

7) Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges.

The vulnerability has been reported in Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

8) Some boundary errors exist in the GENERATESCHEMA and GENERATESCHEMAS public procedures in the DBMS_XMLSCHEMA and DBMS_XMLSCHEMA_INT PL/SQL packages. This can be exploited by malicious users to execute arbitrary code on the database server via overly long parameters passed to the procedures.

The vulnerability has been reported in Oracle Database Server version 9i Release 2 and 10g Release 1.

------------------------------------------------------------
Message no. 126[Branch from no. 123]
Posted by Daniel Thurston (dsthurston) on Tuesday, August 29, 2006 11:46pm
Subject: Re: Vulnerability issues...in Oracle 10g release 2

Only 82 . . . bet microsoft wishes they could claim that.

Yeah, nothing is "Secure". That is the Joy of Administration; you are either patching or upgrading and that is just the stuff they know about.

Cheers
Dan T

------------------------------------------------------------
Message no. 127[Branch from no. 111]
Posted by Daniel Thurston (dsthurston) on Tuesday, August 29, 2006 11:48pm
Subject: Re: If you ever have the money and time.....

>I have always found the Oracle seminars to be a little dry and they never seem to admit their own issues.

The same with most operating system seminars sponsored by the companies.

DanT

------------------------------------------------------------
Message no. 128[Branch from no. 99]
Posted by Venkat Munagala (vrmunagala) on Wednesday, August 30, 2006 12:14am
Subject: Re: Oracle Security Webcast

Hi ravi,

The link looks pretty interesting as it is provided by Oracle's security experts. I think I should go for it. Thank you Ravi.

Rohit

------------------------------------------------------------
Message no. 131
Posted by Kelsey Pooley (kjpooley) on Wednesday, August 30, 2006 9:23am
Subject: Enterprise Manager

I may be completely dense, but how do you get to the enterprise manager? I am looking all over the place trying to log into it and I can't find it. HELP!!

Kelsey

------------------------------------------------------------
Message no. 132[Branch from no. 131]
Posted by Daniel Thurston (dsthurston) on Wednesday, August 30, 2006 10:06am
Subject: Re: Enterprise Manager

http://"your machine name here":1158/em

or in windows look for something called Database Control under the start button-> oracle...

cheers
dan

------------------------------------------------------------
Message no. 133[Branch from no. 132]
Posted by Anjana Divakar (adivakar) on Wednesday, August 30, 2006 10:18am
Subject: Re: Enterprise Manager

Hi,

The path information is given in the oracle installation folder. Go to the destination where you stored the oracle folder and under that you will come across a folder db_1. When you enter that folder click on the folder named install. There open the notepad named portlist. It gives you both the iSQL*Plus HTTP port no. which is 5560 and also the Enterprise Manager Console HTTP Port which is 1158.

thanks,
anjana

------------------------------------------------------------
Message no. 134[Branch from no. 99]
Posted by Suresh Methuku (smethuku) on Wednesday, August 30, 2006 12:11pm
Subject: Re: Oracle Security Webcast

Hi ravi,

Thanks for the website. It is really an interesting one. I am looking forward to attending it.

Suresh Methuku

------------------------------------------------------------
Message no. 135[Branch from no. 131]
Posted by Naziya Shaik (snaziya) on Wednesday, August 30, 2006 12:37pm
Subject: Re: Enterprise Manager

go to programs-oracle10g-(systemname:1158em).... it opens internet explorer and then you can login as SYSTEM or so..and enter the password you gave while installing.

------------------------------------------------------------
Message no. 136[Branch from no. 108]
Posted by Sagun Piya (srpiya2) on Wednesday, August 30, 2006 2:34pm
Subject: Re: Great source for Linux installs

Thanks Eric for the information.

Sagun

------------------------------------------------------------
Message no. 137[Branch from no. 135]
Posted by Kelsey Pooley (kjpooley) on Wednesday, August 30, 2006 4:56pm
Subject: Re: Enterprise Manager

Thanks everyone!

Kelsey

------------------------------------------------------------
Message no. 138[Branch from no. 108]
Posted by Paras Pradhan (ppradhan) on Wednesday, August 30, 2006 5:19pm
Subject: Re: Great source for Linux installs

Here is another addition:

http://www.togaware.com/linux/survivor/Oracle_10g.html

Paras.

------------------------------------------------------------
Message no. 144[Branch from no. 103]
Posted by Sagun Piya (srpiya2) on Wednesday, August 30, 2006 9:26pm
Subject: Re: oracle and performance

you guys are right. downloading oracle will make your computer slow but not that slow. My laptop is quite fast even though I installed oracle on it.

Sagun

------------------------------------------------------------
Message no. 146[Branch from no. 126]
Posted by Rhonda Nichols (renichols2) on Wednesday, August 30, 2006 9:29pm
Subject: Re: Vulnerability issues...in Oracle 10g release 2

job security.

-rhonda

------------------------------------------------------------
Message no. 148[Branch from no. 99]
Posted by Sagun Piya (srpiya2) on Thursday, August 31, 2006 11:58am
Subject: Re: Oracle Security Webcast

thanks for providing valuable information Ravi

sagun

------------------------------------------------------------
Message no. 154[Branch from no. 137]
Posted by Venkat Munagala (vrmunagala) on Friday, September 1, 2006 10:11am
Subject: Re: Enterprise Manager

Thank you for the information.

------------------------------------------------------------
Message no. 162[Branch from no. 133]
Posted by Suresh Methuku (smethuku) on Saturday, September 2, 2006 9:49am
Subject: Re: Enterprise Manager

Thanks for the information anjana.

------------------------------------------------------------
Message no. 163[Branch from no. 102]
Posted by Suresh Methuku (smethuku) on Saturday, September 2, 2006 9:53am
Subject: Re: Oracle Critical Patch Updates and Security Alerts link

Thanks for the links Raju, it helped me a lot.

------------------------------------------------------------
Message no. 164[Branch from no. 163]
Posted by Ravinder Gaur (rgaur) on Saturday, September 2, 2006 1:31pm
Subject: Re: Oracle Critical Patch Updates and Security Alerts link

Thanks for pasting the link, Raju. BTW, we use that quite a lot since our Security staff keeps bugging us. There is also a listserve that you can sign up for and Oracle will send email notifications when they are out (usually every quarter). I think that should be somewhere in their metalink site.

Also, the most recent CPU covers all other patchsets included in previous CPUs.

- Ravi

------------------------------------------------------------
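Added example, not part of the thread and not Oracle's code: the flaw class described in items 1 to 3 and 6 of message no. 123 (procedure parameters used unsanitised in a SQL query) shown beside a hardened form, with a query for reviewing your own stored code. The table job_log and both procedure names are hypothetical, and DBMS_ASSERT is assumed to be available in the database.

```sql
-- Hypothetical objects for illustration: table job_log, both procedures.
-- Vulnerable pattern: parameters are concatenated into dynamic SQL, and the
-- procedure runs with its owner's privileges (definer rights, the default).
CREATE OR REPLACE PROCEDURE count_jobs_unsafe (
  p_owner IN  VARCHAR2,
  p_state IN  VARCHAR2,
  p_count OUT NUMBER
) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_owner || '.job_log WHERE state = '''
      || p_state || ''''
    INTO p_count;
END;
/

-- Hardened form: invoker rights, the identifier is validated, the value is bound.
CREATE OR REPLACE PROCEDURE count_jobs_safe (
  p_owner IN  VARCHAR2,
  p_state IN  VARCHAR2,
  p_count OUT NUMBER
) AUTHID CURRENT_USER AS
  l_owner VARCHAR2(128);
BEGIN
  -- Identifiers cannot be bind variables, so check the name instead;
  -- DBMS_ASSERT raises an error if p_owner is not a simple SQL name.
  l_owner := DBMS_ASSERT.SIMPLE_SQL_NAME(p_owner);
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_owner || '.job_log WHERE state = :state'
    INTO p_count
    USING p_state;  -- bound value: treated as data, never parsed as SQL
END;
/

-- Review aid: list dynamic SQL in application code for manual inspection.
-- Oracle-supplied packages are fixed by applying the CPU, not by editing them.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS')
   AND (UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(text) LIKE '%DBMS_SQL.PARSE%')
 ORDER BY owner, name, line;
```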