Who Decommissioned My Enterprise Manager Agent?

I prefer to write blog posts about the interesting questions on OTN. This blog post is one of them. There is usually more than one EM admin managing the systems, and you may want to track other users’ activity. Enterprise Manager Cloud Control provides an auditing mechanism called “comprehensive auditing”. It’s not enabled by default for all actions because it may consume a lot of disk space.

If you want to enable it for all actions, you should use the “emcli” tool:

After you enable comprehensive auditing for all actions, you can go to “setup” >> “security” >> “audit data” to see all audited actions.

The audit data page provides filtering on audit records so I can easily list who deleted a target from the system.

EM13c: Unauthorized Access to Performance Pages

I noticed an interesting security problem (exploit?) on Oracle Enterprise Manager Cloud Control 13cR2 (I tested on EM13cR1 and it also exists there). When you create an Enterprise Manager administrator, you need to grant some special privileges to that administrator if you want them to access the performance pages, but it seems there’s an alternative way to access the performance pages without requiring extra privileges.

Let’s say I created a new administrator with default roles (EM_USER and PUBLIC), and granted “Connect Target Read-only” for a target “RAC database”. I also granted access to a named credential or shared database login credentials.


Fundamental Oracle Flaw Revealed (Let’s create a storm in a teacup)

InfoWorld magazine published a detailed article regarding an Oracle Database security flaw yesterday. InfoWorld says Oracle asked them to hold the story until they released a patch for the flaw. The flaw is related to the System Change Number (SCN). If the SCN is increased beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN), the database gives ORA-600 errors and crashes.

As we know, the System Change Number (SCN) is a number that increments sequentially with every database commit (inserts, updates, and deletes), and usually it’s not possible to reach the maximum value. The biggest problem is that the SCN is also incremented through linked database interactions.
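To watch for this from the defensive side, the sketch below (an added example, not code from the original post or from Oracle) estimates SCN headroom from periodic readings and flags databases whose SCN grew faster than the limit allows. It assumes the commonly documented ceiling of 16,384 SCNs per second since 1988-01-01 counted with 31-day months; the threshold, function names and sample readings are constructed for illustration.

```python
from datetime import datetime

SCN_PER_SEC = 16384   # assumed classic rate limit; not stated on the page
WARN_DAYS = 62        # hypothetical alert threshold (constructed)

def oracle_seconds(ts: datetime) -> int:
    """Seconds since 1988-01-01 using 31-day months (assumed Oracle convention)."""
    months = (ts.year - 1988) * 12 + (ts.month - 1)
    days = months * 31 + (ts.day - 1)
    return ((days * 24 + ts.hour) * 60 + ts.minute) * 60 + ts.second

def headroom_days(scn: int, ts: datetime) -> float:
    """Days of SCN growth left at the maximum rate before the ceiling."""
    return (oracle_seconds(ts) * SCN_PER_SEC - scn) / (SCN_PER_SEC * 86400)

def review(samples):
    """samples: (db_name, datetime, scn) readings, e.g. collected hourly.
    Returns {db: [findings]} for low headroom or abnormal SCN jumps."""
    findings, last = {}, {}
    for db, ts, scn in sorted(samples, key=lambda s: (s[0], s[1])):
        notes = findings.setdefault(db, [])
        if headroom_days(scn, ts) < WARN_DAYS:
            notes.append(f"low headroom at {ts:%Y-%m-%d %H:%M}")
        if db in last:
            prev_ts, prev_scn = last[db]
            elapsed = (ts - prev_ts).total_seconds()
            # Growth above the per-second limit eats headroom; ordinary
            # workloads stay far below it, so treat it as an anomaly.
            if elapsed > 0 and (scn - prev_scn) / elapsed > SCN_PER_SEC:
                notes.append(f"SCN jump before {ts:%Y-%m-%d %H:%M}")
        last[db] = (ts, scn)
    return findings

# Constructed readings (not from the page): two hourly samples per database.
SAMPLES = [
    ("PROD", datetime(2012, 1, 18, 10), 9_000_000_000_000),
    ("PROD", datetime(2012, 1, 18, 11), 9_000_002_000_000),
    ("TEST", datetime(2012, 1, 18, 10), 9_000_000_000_000),
    ("TEST", datetime(2012, 1, 18, 11), 12_600_000_000_000),
]

if __name__ == "__main__":
    for db, notes in review(SAMPLES).items():
        print(db, notes or "ok")
```

Because the SCN propagates across database links, a jump flagged on one database is a reason to check the readings of every database linked to it.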

As I see it, most Oracle experts do not realize the importance of this security threat. Some people even say that the Oracle SCN issue is a storm in a teacup. I think they miss that it’s possible to increase the SCN intentionally and use database links to exploit the bug. So let’s create a storm in a teacup 🙂 I should remind you that I will not take any responsibility if you mess up your databases. Just read the blog, do not test it on your systems.