Hackproofing Oracle Application Server – A Guide to Securing Oracle 9
Contrary to claims by Oracle Corporation C.E.O. Larry Ellison, Oracle 9 is breakable. Perhaps Oracle's "Unbreakable" marketing campaign was intended more to show their commitment to getting close to producing a secure product, and indeed Oracle does take security very seriously. Oracle's products have undergone and passed fourteen independent security evaluations, including the Common Criteria assessment. In the database world this is quite an achievement, with all of Oracle's competitors far behind. Whilst Oracle 9 has not yet been certified, it is no doubt currently being assessed. In the meantime, this paper will hopefully help Oracle customers get closer to the secure environment they were promised.
Some would consider writing a white paper on securing Oracle a task worthy of Sisyphus himself. Oracle Corporation develops hundreds of products, each of which could have its own dedicated paper. Limiting the scope of this document, then, we will examine the most common environment – an Oracle web front end feeding into an Oracle database server. The main emphasis will be on the web front end; however, we will touch briefly upon the database as well. A more in-depth look at database security will be reserved for another paper. This approach has been taken because the web server is the first port of call for an attacker. This paper will show how an attacker can break into an Oracle-based site, gaining control of the web front end and, from there, the database server. As each attack is explained, the defense against it will be covered. Whilst some of the issues discussed in this paper require only a tweak to a configuration file, where security patches are required to resolve a problem they may be obtained from the Oracle Metalink site: http://metalink.oracle.com/.