Category: Security

Recent Oracle Data Pump patches (19.17 and later, involving bug fix 33517865) have modified the behavior of DBMS_METADATA.GET_DDL, removing hashed passwords from its output as a security enhancement. Previously, users with the EXP_FULL_DATABASE role could easily access this data. Now, even with that privilege, hashed passwords are inaccessible unless explicit access to SYS.USER$ is granted. Oracle has introduced a fix (bug fix 35018026) that allows access to hashed passwords under strict conditions. Alternatively, a definer-rights PL/SQL function can be used to provide controlled access to this information.

Unified Auditing mechanism currently in 19c lacks affected rows count reporting and column-level monitoring, presenting challenges in detecting data accesses. Upcoming Oracle Database 23ai will introduce column-level monitoring, allowing focused audits on specific sensitive columns like PAN and SSN. Until then, Fine-Grained Auditing can help track sensitive data at a granular level. Both auditing methods can be effectively used together for comprehensive auditing solutions. Is it possible to audit a specific column for specific users only, and only when rows are returned? I demonstrate how to do this using DBMS_FGA.

The Oracle Database 12.2 or later uses Unified Auditing to track activity. However, certain fields are not captured in the syslog of Unified Audit Trail, impacting the completeness of log data. To address this, a simple method of sharing audit records with SIEM tools like WAZUH involves using SQL/JSON functions to stream data in NDJSON format. This can be done using a shell script scheduled with cron.

The “RockYou2024” password leak contains 9,948,575,739 unique plaintext passwords, making it valuable for cybercriminals aiming to perform brute-force attacks. Ensuring the security of Oracle databases is crucial, as weak passwords pose a significant vulnerability. To mitigate this risk, it is recommended to compare database passwords against the 1 million most common ones. A provided SQL script guides this process and demonstrates how to perform the comparison.