Thursday, January 26, 2012

Fundamental Oracle Flaw Revealed (Part II)

In my previous blog post, I tried to explain why the fundamental Oracle flaw is dangerous. On the other hand, in my tests I couldn't find a way to pass a higher SCN to a target DB to crash it. Since then, I have been trying to verify that this flaw can be exploited. Here's a short video of one of my tests:



Wednesday, January 18, 2012

Fundamental Oracle Flaw Revealed (Let's create a storm in a teacup)

InfoWorld magazine published a detailed article about an Oracle Database security bug yesterday. InfoWorld says Oracle requested them to hold the story until they release a patch for the flaw. The bug is related to the System Change Number (SCN). If the SCN is increased beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN), the database raises ORA-600 errors and crashes.

As we know, the System Change Number (SCN) is a number that increments sequentially with every database commit (inserts, updates, and deletes), and usually it's not possible to reach the maximum value. The biggest problem is that the SCN is also incremented through linked database interactions.

As I see it, most Oracle experts do not realize the importance of this security threat. Some people even say that the Oracle SCN issue is a storm in a teacup. I think they miss that it's possible to increase the SCN intentionally and use database links to exploit the bug. So let's create a storm in a teacup :) I should remind you that I will not take any responsibility if you mess up your databases. Just read the blog, do not test it on your systems.
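A monitoring view of the headroom described above, as an added example that is not part of the original post: it estimates the Maximum Reasonable SCN and flags readings where headroom is low or has dropped sharply between samples. The 16,384-per-second rate, the 1 January 1988 start date, the thresholds and the sample readings are assumptions or constructed values, not taken from this page.

```python
from datetime import datetime, timezone

# Assumed values (not stated on the page): the soft limit grows by
# 16,384 SCNs per second, counted from 1 January 1988. Calendar seconds
# are used here, so the result is an approximation.
SCN_PER_SECOND = 16384
SECONDS_PER_DAY = 86400
EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)
SCN_PER_DAY = SCN_PER_SECOND * SECONDS_PER_DAY


def max_reasonable_scn(at):
    """Approximate Maximum Reasonable SCN at time `at`."""
    return int((at - EPOCH).total_seconds()) * SCN_PER_SECOND


def headroom_days(current_scn, at):
    """Days of soft-limit growth separating current_scn from the limit."""
    return (max_reasonable_scn(at) - current_scn) / SCN_PER_DAY


def review_samples(samples, min_days=30.0, max_drop_days=1.0):
    """Flag low headroom or a sharp loss of headroom between readings.

    `samples` is a time-ordered list of (datetime, scn) readings, e.g.
    v$database.current_scn collected by a scheduled job. Both thresholds
    are illustrative defaults.
    """
    alerts, previous = [], None
    for at, scn in samples:
        days = headroom_days(scn, at)
        if days < min_days:
            alerts.append((at, "LOW_HEADROOM", round(days, 1)))
        if previous is not None and previous - days > max_drop_days:
            alerts.append((at, "SCN_JUMP", round(previous - days, 1)))
        previous = days
    return alerts


def at_day(day):
    return datetime(2012, 1, day, tzinfo=timezone.utc)


# Constructed readings: normal growth, then a jump worth 380 days of headroom.
BASE = max_reasonable_scn(at_day(16)) - 400 * SCN_PER_DAY
SAMPLES = [
    (at_day(16), BASE),
    (at_day(17), BASE + 50_000_000),
    (at_day(18), BASE + 50_000_000 + 380 * SCN_PER_DAY),
]

if __name__ == "__main__":
    for alert in review_samples(SAMPLES):
        print(alert)
```

Because a database adopts the higher SCN of its link partner, the same review is worth running for every database reachable over a database link, not only the one that looks at risk.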

Tuesday, January 10, 2012

How to Uninstall the Agent Oracle Home that registered with inventory

A long title for a short trick. I have uninstalled my cloud control agent and tried to re-install it. I gave the same directory I previously used to install and EM Cloud Control Agent Deploy Wizard gave an error at remote prerequisite check:


So it says I should deploy to a different directory or uninstall the Agent Oracle Home already registered. Because of our deployment standards, I need to deploy this agent to the same directory so I searched how I can uninstall the Agent Oracle Home.

Monday, January 2, 2012

Is It Possible to Build an Exadata Simulator?

The idea of creating an Exadata simulator arose at Oracle Day 2011 Istanbul. One of my friends was trying to fix a virtual machine in a hurry (right before his presentation), and he said his "fake Exadata" had crashed. He was just joking, but I wondered if it's possible to build an Exadata Simulator using VirtualBox (or any other virtualization). I googled and found nothing useful, but I started to work on it.

An important point is that simulating Exadata does not mean simulating all features of Exadata Database Machine. The key features of Exadata Database Machine are InfiniBand connections and Exadata Storage Servers (the offloading capabilities and Flash Cache). It's obvious that we do not need to simulate InfiniBand. All we need is to simulate "Exadata Storage Servers".

Smart scanning, storage indexes, hybrid columnar compression, I/O resource manager, smart flash cache are all handled by the Exadata Storage Server "Software". Although it's called Oracle Exadata Database "Machine", its heart is the Exadata Storage Server "Software". You may say that all hardware needs software but the Exadata software is not an embedded one, it's just an application running on Oracle Linux 5.x 64bit.

Tuesday, December 27, 2011

Best Practices to Use Database Upgrade Assistant

I'm going to upgrade one of our main databases with DBUA (Database Upgrade Assistant), and I took some notes to ensure a smooth upgrade. Upgrading your database with DBUA seems a very easy and automated task, but there are three important points you should consider when upgrading:
  • Downtime: You would probably like to keep downtime to a minimum
  • Errors while upgrading: It's not possible to re-run DBUA if an error is encountered mid-upgrade!
  • Performance Degradations: Most of the upgrade problems appear as performance degradations after the upgrade operation has completed
So you need to carefully evaluate, plan, configure, test and implement the upgrade.

PLAN: First of all, I recommend you to visit the upgrade guides and plan all steps of the upgrade process:

Upgrade Advisor: Database from 9.2 to 11.2 [ID 264.1]
Upgrade Advisor: Database from 10.2 to 11.2 [ID 251.1]

RTFM: Although everyone says the same, we all tend to skip this step. Read the manuals before it's too late :)

http://docs.oracle.com/cd/E11882_01/server.112/e23633/toc.htm

Very important and useful documents:

Oracle 11gR1 Upgrade Companion [ID 601807.1]
Oracle 11gR2 Upgrade Companion [ID 785351.1]

Use Internet Explorer to read the upgrade companion documents (because they are interactive and require IE) and don't forget to check "behavior changes"!

Wednesday, November 23, 2011

Simple (demo) APEX Application in 2 mins

In Oracle Day 2011 Istanbul, I gave a presentation about Oracle APEX. APEX is not well-known in Turkey, so I wanted to demonstrate how fast an APEX Application can be created, and prepared a video. Unfortunately there are no sound and annotations (because it's planned to be shown with a narrator) but I think it's still easy to follow.

First, I created a sample table with 4 columns. APEX created the sequence and trigger to populate numbers for the primary key. Then I created a sample application with an input form, and ran it to enter sample data. Finally, I checked whether the data was inserted into the table (by using the APEX user interface). All of these steps were completed in 2 minutes and 12 seconds:



The presentation is in Turkish, so I don't see any point in sharing it here, but it'll be shared on the TROUG web site.

Wednesday, November 9, 2011

Oracle Releases Oracle Solaris 11

Oracle today announced availability of Oracle Solaris 11. Here are some key points about Oracle Solaris 11:

  • Oracle Solaris Zones provides virtualization with lower overhead than VMware. New integrated network virtualization allows you to create data center topologies within a single OS instance with bandwidth control and monitoring.
  • Oracle Enterprise Manager Ops Center provides enterprise-wide, centralized control over hardware, OS and virtualization resources for Solaris 11, and it's "included" in systems support (it does not require an extra license).
  • Oracle Solaris 11 is "secure by default", it locks down services from first install and provides role-based root access.
  • Oracle Solaris ZFS provides flash-enabled tiered storage pools, encryption and the scalability to store unlimited amounts of data. With Oracle Solaris ZFS deduplication, storage requirements in virtualized environments can be reduced by 10x.
  • Oracle Solaris and Oracle software applications (such as Oracle Database 11g, Oracle Fusion Middleware 11g) are designed and tested together to provide faster fail-over, reliability and better application performance.

Wednesday, November 2, 2011

Oracle Day 2011 Istanbul (Part II)

Yesterday, I presented at Oracle Day 2011 Istanbul. It took place at Swiss Hotel. I had the opportunity to talk with my friends in TROUG and some readers of my blog. There was huge interest in the event, which had 9 parallel sessions. As usual, our (TROUG) sessions were the favorites for the technical staff. Thanks to Oracle Turkey, we gave our presentations in one of the biggest conference rooms in Swiss Hotel, and we managed to fill the room.


Tuesday, October 11, 2011

Oracle Day 2011 Istanbul

Oracle Day 2011 Istanbul will take place at Swiss Hotel, Istanbul on November 1. It's the most essential, can't-miss business and technology event of the year. You will get a chance to see the latest developments in Oracle's public and private cloud computing solutions and how the power of simplicity can change your IT to a force that drives business innovation.

You can find the event details and register at Oracle Events Website.

Thanks to Oracle Turkey, 6 members of TROUG will be presenting in Oracle Day 2011. I'm one of them. I'll give a presentation about Oracle Application Express. I'll try to give a brief introduction about Oracle APEX in 30 minutes.

Here's the agenda (in Turkish).

Presentations of TROUG Members:
  • Oracle Cloud G'nin Gidişi C'nin Gelişi by Zekeriya Besiroglu (Oracle ACE)
  • Data Mining in 30 Minutes by Husnu Sensoy (Oracle ACE Director, DBA of the year 2009) - Have I mentioned that each presentation will take only 30 mins? :)
  • Rapid Application Development Tool: Oracle APEX by Gokhan Atil (Oracle ACE)
  • What has Exadata changed? by Ferhat Sengonul (Oracle ACE)
  • Data Integration in Heterogeneous Environments by Gurcan Orhan - Gurcan is honored as Oracle Excellence Awards, Technologist of the Year 2011 Enterprise Architect.
  • Forgotten Features by H. Tonguc Yılmaz (Oracle ACE)

6 presentations, 4 Oracle ACEs, 1 ACE Director, 1 Technologist of the Year: Too good to be true :) All presentations of TROUG members will be in Turkish. I believe that it will be a wonderful event for all Turkish Oracle users.

Saturday, October 8, 2011

How to Deploy Oracle Management Agent 12c

In my previous post, I tried to show how to install Enterprise Manager Cloud Control 12c, now I'll show how to add target hosts to our Enterprise Manager system. I assume that you're in a similar position (installed Cloud Control but haven't added any target yet).

As you know, we have to install Oracle Management Agent on the targets to be able to manage them via our Enterprise Manager. In OEM Cloud Control 12c, we can use the "Add Host Targets Wizard", which is accessible from the web interface. We can manually enter the required information for a host or we can use the auto-discovery method.

If we use auto-discovery, we need an active agent to discover targets in the network. This agent can scan local services or the network. "Nmap" is used for scanning the network. Nmap requires root privileges to be able to use raw sockets for "SYN scanning" (a method to detect open ports through firewalls). So we need to configure "privilege delegation" on the host of our agent (which we'll use for scanning).