Questions tagged [oracle]

Oracle Corporation is an American computer technology company based in California. Oracle specializes in computer hardware and enterprise software products, including its own brand of RDBMS, along with MySQL and Java as a result of purchasing Sun Microsystems.

63 questions
21 votes
3 answers

What precautions should I take when creating users that will be used by applications and not by people?

I have some applications that need access to a webservices bus. Our own applications that access the bus authenticate using a webservice on that bus, but in this case I need third-party applications to access some webservices in the bus. These…
Eloy Roldán Paredes
  • 1,507
  • 12
  • 25
14 votes
1 answer

Is there a list of default, standard or third-party "users" for Oracle?

When installed, and depending on which options it is installed with, there are a bunch of standard users pre-created in Oracle. Additionally, third-party software often has its own set of schemas/users that will be created in the database as part of…
Gary
  • 884
  • 7
  • 12
12 votes
4 answers

How to protect against "padding oracle attacks."

I need to encrypt something on my server and save the result. Since I am not a security expert, I want to implement as much existing code as possible. I found a fully built function on php.net but it says that "is not protected against padding…
phduser
  • 221
  • 1
  • 2
  • 3
10 votes
2 answers

Is there a benefit in using Oracle's WRAP to obfuscate PL/SQL Code

Oracle stored program units (procedures, functions, packages and types) can be obfuscated using the WRAP functionality. Apart from the generic arguments about 'security through obscurity' are there any specific issues in using the wrapping…
Gary
  • 884
  • 7
  • 12
8 votes
2 answers

Do any Exchange hardening guidelines recommend disabling OWA Webready? Should they?

For the fourth time in over a year, Exchange OWA has put our internal network at risk due to a remote code execution flaw that exists on the server runtime. This risk is compounded by the fact Microsoft won't support OWA in the DMZ. The issue has…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
8 votes
3 answers

Can .ova file contain an exploit?

Is it possible to prepare an .ova file for Oracle VirtualBox that will access the NAT network when it is set to use Whonix? There are preconfigured virtual machines like Windows to use in Whonix, but are they safe to import? I wonder because there is a…
curiosity4
  • 91
  • 1
  • 3
8 votes
3 answers

Are encrypted Cookies vulnerable to Padding Oracle Attacks

I'm currently helping write a fast compiled web framework in the Crystal language and am trying to find a way to speed up sessions using encrypted cookies. We're currently taking a JSON string and encrypting it with AES. We're then base64 encoding…
isaacsloan
  • 185
  • 8
7 votes
1 answer

What evaluation criteria would you use for an Oracle scanning tool?

What evaluation criteria would you use to select the right Oracle scanning tool? Context: To deploy an automated scanning tool (nessus / SQuirreL etc) for use by both development teams and security teams. One tool to be used by both teams during the…
7 votes
2 answers

Is it reasonable to prevent timing attacks by using fixed processing time

I have systems that perform cryptographic operations within an SSL/TLS tunnel. My concern is that I may leak timing information when encrypting, decrypting, or hashing. Part 1: Is it a good idea to have a fixed processing time (or increment thereof)…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
6 votes
2 answers

Is the separation of data from different applications via Oracle schemas considered secure?

I am evaluating the pros and cons of having different Oracle schemas vs. separate Oracle servers. Having a dedicated server for each application is really expensive and I only want to consider this if the security benefits are worth it. One of the…
Demento
  • 7,249
  • 5
  • 36
  • 45
6 votes
1 answer

Security announcement mailing list for Java

I didn't find a security announcement mailing list for Java (from Oracle). How to get notified about new Java patches? I am not interested in other Oracle products. For example Apple provides such a list with signed mails:…
Sybil
  • 1,435
  • 2
  • 15
  • 29
5 votes
2 answers

Oracle ExaData Security best practice

Does anybody have experience with Oracle ExaData Security? A client wants to move all of his Oracle DBs to a central Oracle ExaData server. So DBs of different vendors, and even competitors, will be hosted on the same machine. What should we be aware of? (We =…
AaronS
  • 2,575
  • 5
  • 22
  • 26
5 votes
2 answers

Oracle Internet Directory (OID) hardening

What are best practices, recommendations, required reading for securing/hardening an Oracle Internet Directory? Note: OID is compatible with LDAP version 3.
Aaron
  • 51
  • 1
4 votes
1 answer

How can I securely delete items in a database?

I know that to securely delete files on a system I have to apply some kind of secure deletion (overwriting empty clusters, for example). But when I want to delete some information on a database (Oracle or MySQL), is it completely deleted? I mean, I…
BrainSCAN
  • 85
  • 2
  • 6
4 votes
1 answer

Does the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks?

Does the Oracle Database Built-in Password Protections prevent pass-the-hash or replay attacks? Reading the "What Are the Oracle Database Built-in Password Protections?" from…
Rodney
  • 141
  • 2
  • 3