In the world of computer sicence – and especially within bank and finance – we recently have heard a lot of talk about PCI compliance. Yesterday I discovered a smal security threat related to the use of bind variables in Oracle. The use of bind variables actually stores sensitiv information – for instance social -and creditcardnumbers. It´s not the use of the bind variables itself that is the problem, but the fact that the bind values are stored unencrypted in a DBA view (DBA_HIST_SQLDATA) in the SYSAUX tablespace. When we add the fact that encryption of the SYSAUX tablespace is not supportet then it becomes a security problem, and this is not in accordance with our PCI requirements.
If this is the reason why Oracle in version 11.2.0.2 released the parameter cursor_bind_capture_destination (or if this was just to save disk space) is to me unknown.
But never the less – we now have the opportunity to set this parameter to MEMORY or OFF (instead of MEMORY+DISK which is the default). This limit the storage of bind data to a short period of time in MEMORY, or prevents the storage of bind values totally (OFF).
Post a Comment