Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Event 10053 logs TDE wallet password in cleartext

Name Event 10053 logs TDE wallet password in cleartext
Systems Affected Oracle Database 10g Release 2
Severity High Risk
Category Information disclosure
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 17 January 2005 (V 1.00)
Oracle Bugno 5802023 (DB07)
Time to fix 190 days


Details
The event 10053 is storing the masterkey of Oracle Transparent Data Encryption unencrypted
in a trace-file. A skilled attacker or non-security DBA could set this special event to get
the plaintext masterkey for the TDE encryption.

Test case
SQL> alter session set events='10053 trace name context forever, level 1';

Session altered.


SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";

System altered.
######### Test case ######



######### Excerpt from trace file ############ 
[] Current SQL statement for this session:
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword"
[]
######### Excerpt from trace file ############


Patch Information
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.

History
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory
19-jan-2006 Oracle Vuln# DB07



© 2006 by Red-Database-Security GmbH - last update 19-jan-2006

Oracle Transparent Data Encryption (TDE)

Oracle Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications..

Oracle Transparent Data Encryption is a new feature of Oracle 10g Release 2 and part of the Oracle Advanced Security Option (ASO).