7 Replies. Latest reply: Aug 12, 2013 8:39 PM by davidp 2

    Is having Oracle Standard a vulnerability

    rumana2
      Hi,

      I installed Wireshark on my computer and could see every bit of the communication between an Oracle Standard db and my pc. I know that SSL is not an option because ASO is only for Oracle Enterprise. Can you say that having Oracle Standard represents a vulnerability?

      How do you compensate for this vulnerability in a client-server app? Do people live with this without worrying, or is there any other 3rd-party product that can help me stop a hacker from capturing information that I don't want him to?

      Edited by: rumana2 on 04-jun-2013 13:52
        • 1. Re: Is having Oracle Standard a vulnerability
          JustinCave
          Every bit other than the password for the Oracle user, which is sent encrypted.

          Encrypting data in transit requires the enterprise edition and the Advanced Security Option (ASO). Not having ASO certainly means that your system is less secure than it could be. Whether that is a vulnerability that you truly need to address, though, is a separate question. The vast majority of shops allow all sorts of unencrypted communication between a client application and the database. Assuming that you haven't opened the database up to the internet, the client is necessarily sitting on the internal network. So most places are perfectly happy to rely on other elements of their security plan to prevent people from sniffing data on the internal network-- you can monitor the network to see if unapproved devices connect, you control the end clients so that unauthorized people can't install and run unauthorized software, you rely on firewalls to keep out outsiders, etc.

          If you truly need to ensure that data in motion is encrypted, buying the enterprise edition license and the ASO license is the easiest (though far from the cheapest) option. Are there alternatives? Sure. You could, for example, have the client application encrypt data before sending it and store all data encrypted in the database. The application would need to then decrypt the data after fetching it. That requires complete rewriting of the application and the database model (turning lots of columns to RAW), it requires you to build a key management infrastructure, it makes tuning harder and it uses more resources. Plus you probably have to create a database function to decrypt the data as well so that you can report on the data, but that again allows unencrypted data to flow over the internal network. You could also do something like create an encrypted connection at the network level between the client machines and the server. But that, among other things, tends to make supporting the system much harder and is relatively easily thwarted if the attacker has access to the client machine to run whatever application he or she wants.

          Justin
          • 2. Re: Is having Oracle Standard a vulnerability
            davidp 2

            I just read In the 11.2 Oracle® Database Licensing Information "Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."

            http://docs.oracle.com/cd/E11882_01/license.112/e10594/options.htm#CIHFDJDG


            So it seems that from 11.2 we can encrypt the network layer with Standard Edition.

            Can anyone confirm this?
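Whether the feature is licensed is only half of what post 2 raises: Oracle Net encrypts a session only when the two sides' SQLNET.ENCRYPTION_* (and SQLNET.CRYPTO_CHECKSUM_*) settings negotiate to it, and the default on both sides, ACCEPTED, negotiates to cleartext. The Python below is an added example, not code from this thread or from Oracle: it encodes Oracle's documented negotiation matrix for native network encryption and applies it to constructed sqlnet.ora fragments, showing that only REQUIRED (or REQUESTED) on the server actually forces an unconfigured client onto an encrypted session. The fragment contents and the function names are the example's own.

```python
"""
Added example: decide whether an Oracle Net session will be encrypted and
integrity-protected, given the SQLNET.ENCRYPTION_* / SQLNET.CRYPTO_CHECKSUM_*
settings on each side. The outcome table is Oracle's documented negotiation
matrix for native network encryption; the sqlnet.ora fragments are constructed.
"""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"          # Oracle's default when the parameter is absent


def negotiate(server: str, client: str) -> str:
    """Oracle Net negotiation matrix: (server, client) -> 'ON', 'OFF' or 'FAIL'."""
    server, client = server.upper(), client.upper()
    if server not in LEVELS or client not in LEVELS:
        raise ValueError(f"unknown level: {server!r}/{client!r}")
    if "REJECTED" in (server, client):
        # REJECTED on one side and REQUIRED on the other cannot be reconciled;
        # any other combination involving REJECTED quietly stays in cleartext.
        return "FAIL" if "REQUIRED" in (server, client) else "OFF"
    if server == "ACCEPTED" and client == "ACCEPTED":
        return "OFF"                 # the out-of-the-box default: no encryption
    return "ON"                      # at least one side REQUESTED or REQUIRED


_PARAM_RE = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_sqlnet_ora(text: str) -> dict:
    """Parse simple KEY = VALUE lines from a sqlnet.ora; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def session_security(server_ora: str, client_ora: str) -> dict:
    """Negotiate encryption and integrity for a server/client sqlnet.ora pair."""
    s, c = parse_sqlnet_ora(server_ora), parse_sqlnet_ora(client_ora)
    return {
        "encryption": negotiate(s.get("SQLNET.ENCRYPTION_SERVER", DEFAULT_LEVEL),
                                c.get("SQLNET.ENCRYPTION_CLIENT", DEFAULT_LEVEL)),
        "integrity": negotiate(s.get("SQLNET.CRYPTO_CHECKSUM_SERVER", DEFAULT_LEVEL),
                               c.get("SQLNET.CRYPTO_CHECKSUM_CLIENT", DEFAULT_LEVEL)),
    }


# Constructed fragments (not real deployments).
# A stock client: nothing set, so both parameters default to ACCEPTED.
UNCONFIGURED_CLIENT = "# stock client sqlnet.ora, no encryption parameters\n"

# A server that merely permits encryption (the default made explicit).
PERMISSIVE_SERVER = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
"""

# A hardened server: refuse any session that will not encrypt and checksum.
HARDENED_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""

# A client that has been told never to encrypt (e.g. a sniffing-friendly misconfig).
REJECTING_CLIENT = "SQLNET.ENCRYPTION_CLIENT = REJECTED\n"

if __name__ == "__main__":
    cases = [
        ("permissive server, stock client", PERMISSIVE_SERVER, UNCONFIGURED_CLIENT),
        ("hardened server, stock client", HARDENED_SERVER, UNCONFIGURED_CLIENT),
        ("hardened server, rejecting client", HARDENED_SERVER, REJECTING_CLIENT),
    ]
    for name, srv, cli in cases:
        print(f"{name}: {session_security(srv, cli)}")
```

The first case is what a Standard Edition shop that never touched sqlnet.ora gets: licensed, but still cleartext on the wire, which is exactly what the original poster saw in Wireshark. The third case shows the trade-off of REQUIRED: a client that refuses to encrypt is turned away rather than silently downgraded. To confirm what a live session actually negotiated, query `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID');` from the client; an encrypted session lists the encryption and crypto-checksum service adapters in use (e.g. AES256), a cleartext one does not.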

            • 3. Re: Is having Oracle Standard a vulnerability
              JustinCave

              I believe that is correct.


              Apparently, this change was made in response to the release of a TNS listener poisoning attack. This actually came up last week on the Oracle-L mailing list. It was news to me-- I don't think Oracle publicized that change particularly well.


              Justin

              • 4. Re: Is having Oracle Standard a vulnerability
                Harm Joris ten Napel-Oracle

                Hi Justin,


                The general ASO license change was not a response to the COST (TNS listener poisoning). When this vulnerability was being alerted, a change to the license was made such that anyone could implement COST listener security following the implementation notes without the need to worry about their license; you could regard this as a 'restricted use' license change, since the use of general network encryption was still not covered. Now with 12c Oracle has totally liberated network encryption from the ASO license, and only TDE and Data Redaction still require it.


                greetings,


                Harm ten Napel

                • 5. Re: Is having Oracle Standard a vulnerability
                  JustinCave

                  I'm not sure that I follow. The 11.2 Licensing Guide states that network encryption is no longer part of the Advanced Security option. The blog post talks about a limited license to use SSL encryption if you've got a RAC cluster where you need SSL to prevent the listener poisoning attack. Those seem to be at odds.


                  My assumption was that the Licensing Guide was more authoritative than the blog post, so the Licensing Guide was correct. Are you saying that the 11.2 Licensing Guide is incorrect? Or is there something I'm missing that allows both statements to be true?


                  Justin

                  • 6. Re: Is having Oracle Standard a vulnerability
                    Harm Joris ten Napel-Oracle

                    Hi Justin,


                    The 11.2 licensing guide is now old hat; when Oracle updated the license terms for 12c, that automatically translated to previous versions.


                    greetings,


                    Harm

                    • 7. Re: Is having Oracle Standard a vulnerability
                      davidp 2

                      The 11.2 licensing guide has changed: the copy I have downloaded does not have the sentence I quoted. The current online version does. The online version says "July 2013", so I guess this is a change made when 12c was released.