I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, was part of the recent Oracle CPU, and Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why had I recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically:
- Don’t leave development tools and accounts/environments on production databases, especially those that serve web content.
- Don’t leave development schemas and associated users/grants/roles on production database servers. This just adds to the complexity and potential overlooked security holes.
- Occasionally run checks for weak passwords. There are free tools available for most of the common database platforms like Oracle Password Checker, SQL Ping, Scuba and others (just be careful where you download them from), there are vendors that offer this for sale as part of their assessment suite (Fortinet, Application Security), or you can write your own. Some look for a small subset of known default passwords, so I recommend using one where you can edit the dictionary to adjust as you see fit.
- At least a couple of times a year, review the database accounts to see if there are accounts that should not be there, or if accounts that have execute privileges that should not. Once again, I believe there are free tools, vendor tools as well as scripts that are available from database user groups that will accomplish this task and can be customized to suit your needs.
APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservations sake, run some assessments to catch this class of vulnerability and not just this issue.