Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard.
The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it – for example, revealing just the last four digits of a US social security number when a search query is run.
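As an added illustration (not code from the article or from Litchfield's material), this is what a partial redaction policy of the kind described above looks like when configured through Oracle's DBMS_REDACT package; the schema, table, column and policy names are assumptions, and the format string follows the pattern Oracle's documentation uses for US social security numbers:

```sql
-- Added example, not from the original article.
-- Assumed objects: schema HR, table EMPLOYEES, column SSN (VARCHAR2, 'NNN-NN-NNNN').
-- DBMS_REDACT.PARTIAL masks a range of characters in place; the parameters are
--   input format, output format, mask character, first position, last position.
-- 'VVVFVVFVVVV' marks digit positions (V) and fixed separators (F); masking
-- positions 1 to 5 leaves only the last four digits visible to the querying user.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'redact_ssn',                 -- assumed policy name
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => '1=1'                         -- apply to every session
  );
END;
/

-- A full redaction of a second column (the other mode the article mentions):
-- the value is replaced outright, e.g. zero for numbers or an empty string for text.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'redact_ssn',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',                           -- assumed column
    function_type => DBMS_REDACT.FULL
  );
END;
/

-- Verification from an unprivileged session: the stored value is untouched,
-- only the result set returned to this user is altered.
SELECT ssn, salary FROM hr.employees WHERE ROWNUM <= 3;
-- e.g. ***-**-6789    0
```

The thing to keep in mind when reading the rest of the article: a redaction policy rewrites what a query returns, not what is stored, and it is applied by the SQL engine at query time. That is why weaknesses in how the engine applies it matter so much, and why Oracle's own guidance positions redaction as a display-layer control for applications rather than a replacement for object privileges, views or Virtual Private Database when the user can run ad hoc SQL against the table.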
But according to David Litchfield, security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook, the mechanism is so riddled with basic flaws that you don’t even need to execute native exploit code to defeat the redaction – some clever SQL is all that’s needed, we’re told.
“If Oracle has a decent security development lifecycle in place anyone would have found these flaws and stopped them in tracks,” Litchfield said.
“Anyone with a modicum of SQL would have found these bugs.”
Litchfield said that within five minutes of investigating the redaction system, he found serious flaws in the coding. He’s previously documented his findings here [PDF].