Event 10053 logs TDE wallet password in cleartext
Details
Event 10053 stores the master key of Oracle Transparent Data Encryption unencrypted in a trace file. A skilled attacker or a non-security DBA could set this special event to obtain the plaintext master key for the TDE encryption.

Test case
SQL> alter session set events='10053 trace name context forever, level 1';
Session altered.

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.
######### Test case ######

######### Excerpt from trace file ############
[]
Current SQL statement for this session:
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword"
[]
######### Excerpt from trace file ############

Patch Information
Oracle fixed this issue with the patches from the Critical Patch Update January 2006 for Oracle 10g Release 2.

History
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory
19-jan-2006 Oracle Vuln# DB07

© 2006 by Red-Database-Security GmbH - last update 19-jan-2006
Oracle Transparent Data Encryption (TDE)
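To check whether existing trace files already contain a wallet password in the form shown in the trace excerpt, a scanner like the following can be run over the trace directory. This is an added example, not code from the advisory or from Oracle. The function names, the `*.trc` glob and the sample trace are assumptions, and the pattern goes beyond the advisory's statement by also covering the `ENCRYPTION WALLET OPEN` and `ENCRYPTION KEY` forms.

```python
import re
from pathlib import Path

# TDE wallet/key statements that carry a password. The first alternative is the
# statement from the advisory; the ENCRYPTION forms are an added generalization.
WALLET_STMT = re.compile(
    r'ALTER\s+SYSTEM\s+SET\s+(?:ENCRYPTION\s+)?(?:WALLET\s+OPEN|KEY)\s+'
    r'IDENTIFIED\s+BY\s+("[^"]*"|\S+)',
    re.IGNORECASE,
)

def scan_trace(text, name="<trace>"):
    """Return (file, line_no, redacted_line) for each line leaking a wallet password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = WALLET_STMT.search(line)
        if match:
            # Never echo the secret into the report: replace it before recording.
            redacted = line[:match.start(1)] + '"<redacted>"' + line[match.end(1):]
            findings.append((name, line_no, redacted.strip()))
    return findings

def scan_dir(trace_dir):
    """Scan every *.trc file below trace_dir (assumed to be the trace/dump directory)."""
    findings = []
    for path in sorted(Path(trace_dir).rglob("*.trc")):
        findings += scan_trace(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample, modelled on the trace excerpt in the advisory.
SAMPLE_TRACE = (
    "Current SQL statement for this session:\n"
    'ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword"\n'
    "select count(*) from dual\n"
)

if __name__ == "__main__":
    for file_name, line_no, line in scan_trace(SAMPLE_TRACE, "sample.trc"):
        print(f"{file_name}:{line_no}: {line}")
```

Any hit means the wallet password should be treated as exposed: change it and remove or restrict access to the affected trace files.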