Precondition: sqlplus can connect to the database server using a Kerberos ticket. I wrote The long long route to Kerberos – Laurent Schneider in 2014, but most of the bugs in 11.2.0.2 / 12.1.0.2 are no longer interesting, so you should probably be fine just reading Configuring Kerberos Authentication (oracle.com). Let's see sqlplus […]
Author: Laurent Schneider
Log4J and OEM Part II
After part 1, where Oracle wrote in an official document that there is no impact for your targets, the Critical Patch Advisory April 2022 reveals multiple vulnerabilities, one of them Log4J with severity 9.8/10. 9.8 means it is kindergarten easy to compromise confidentiality, integrity and availability even without a login. Meanwhile, as of 30 April, Oracle […]
jdbc url with ldap ssl in 21c
The basics: you have TNS resolution over LDAP. To change from ldap to ldaps, you modify jdbc:oracle:thin:@ldap://ldap.example.com:389/DB01,cn=OracleContext,dc=example,dc=com to jdbc:oracle:thin:@ldaps://ldap.example.com:636/DB01,cn=OracleContext,dc=example,dc=com. Now the advanced part: Oracle Support mentions that there is no support for Mode 2 SSL (note 1664857.1). So one approach was to either not use ldaps, or to use level 1, which means no […]
Restore controlfile without catalog
The easiest is:
restore controlfile from autobackup;
Also possible:
restore controlfile from '/bckdir/c-123-45';
If you use tape:
run {
allocate channel c1 type 'SBT_TAPE' PARMS 'ENV=(TDPO_OPTFILE=…)';
restore controlfile from 'c-3635577900-20220330-02';
}
Log4J and Oracle Enterprise Manager
Log4j issues allow a remote client to execute code without authentication. Software vendors spent the last two months thinking about the impact and the mitigations. The bad: if you have Enterprise Manager, you have multiple web services, like EM itself (https://oms.example.com:7799/em), the WebLogic console (https://oms.example.com:7102/console), the agent (https://dbsrv01.example.com:3872/emd/main/) and others. This makes you an easy […]
Log4J and Oracle Database
The CVE-2021-44228 issue allows a user without authentication to execute code. It is tremendously easy to exploit; it is more a working-as-designed feature than a hard-core memory glitch. Log4j is a logging library for Java. If you enter some unexpected string, your web server may log it to a logfile. What's your name? John What's your […]
TNS resolution with LDAP and SSL
A long time ago, ldapsearch without a password and without SSL was the way to go. But clear-text authentication (so-called simple bind) is a security leak. More and more, directory server vendors and administrators are closing the default non-SSL port and enforcing authentication. And if you use LDAP for TNS naming, things will break. Back in 2003, […]