Entries For: 2007
- December (2)
- November (3)
- October (4)
- September (1)
- August (1)
- July (4)
- May (2)
- April (4)
- March (3)
- February (2)
- January (9)
December 12, 2007
Friendly Breaches? Not with Oracle IRM and URM, except at Oracle
I do respect Oracle for being an early adopter of their own products internally, including a very large implementation of the latest Oracle E-Business Suite. Unfortunately, it appears that Oracle does not run all their products everywhere.
Today, Billy Cripe of the Oracle Fusion Enterprise Content Management blog discussed Oracle's Information Rights Management (IRM, formerly SealedMedia) and Universal Records Management (URM) products. The IRM product is used to encrypt sensitive information everywhere including desktops, e-mail, file servers, etc.
The ironic part is that today the Breach Blog posted information on a security breach at Oracle due to a lost laptop. A few weeks ago Oracle disclosed to the New Hampshire Attorney General that a lost Oracle laptop contained confidential information on 123 employees at recently acquired Lodestar. Since the New Hampshire privacy statue requires notification when sensitive data is not encrypted, I have to assume the data was unencrypted on the laptop and Oracle IRM was not being used.
Today, Billy Cripe of the Oracle Fusion Enterprise Content Management blog discussed Oracle's Information Rights Management (IRM, formerly SealedMedia) and Universal Records Management (URM) products. The IRM product is used to encrypt sensitive information everywhere including desktops, e-mail, file servers, etc.
The ironic part is that today the Breach Blog posted information on a security breach at Oracle due to a lost laptop. A few weeks ago Oracle disclosed to the New Hampshire Attorney General that a lost Oracle laptop contained confidential information on 123 employees at recently acquired Lodestar. Since the New Hampshire privacy statue requires notification when sensitive data is not encrypted, I have to assume the data was unencrypted on the laptop and Oracle IRM was not being used.
December 10, 2007
Hashing Credit Card Numbers: Revisited Again
I recently had to revisit the estimates I provided in our white paper on brute forcing credit card hashes since new techniques were published that can speed the brute forcing up by at least a factor of 5 using off-the-shelf video cards. Well, a month later I am having to revise the estimates again. Nick Breese of New Zealand has published a paper at Kiwicon on using a PlayStation 3 to crack hashes. His estimates are about 1.4 billion hashes per second for MD5. Our proof of concept code running at about 2 million hashes per second seems kind of slow now. Probably at least 2 billion hashes per second is feasible in the near future with readily available hardware and source code.
Storing credit cards using a simple single pass of a hash algorithm, even when salted, is fool-hardy. It is just too easy to brute force the credit card numbers if the hashes are compromised. Based on the potential value of the card numbers, there is more than enough financial incentive to buy a $500 PlayStation 3 and develop a little code.
When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strongest available cryptographic hash functions, large salt values, and multiple iterations.
Storing credit cards using a simple single pass of a hash algorithm, even when salted, is fool-hardy. It is just too easy to brute force the credit card numbers if the hashes are compromised. Based on the potential value of the card numbers, there is more than enough financial incentive to buy a $500 PlayStation 3 and develop a little code.
When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strongest available cryptographic hash functions, large salt values, and multiple iterations.
Categories:
November 26, 2007
Oracle Employees Really Do Read This Blog
From the Integrigy servers statistics, I have known that we get hundreds of visits a day from the Oracle proxy and cache servers. Many days collectively the Oracle domains (.com, .uk, etc.) are number one. The vast majority of the hits are on blog, RSS feeds, and our whitepapers. But I have not known how Oracle actually uses this information internally. Well, now I know someone is at least reading our comments and recommendations.
Last month, I posted about an issue we encountered during a number of recent Oracle Applications 11.5.10.2 assessments regarding the system profile option SIGNON_PASSWORD_HARD_TO_GUESS being incorrectly set. This issue turned out to be related to the 11.5.10.2 maintenance pack instructions (Metalink Note ID 316365.1). My comment was "Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes." Well, two weeks later Oracle has updated the instructions in Section 3 Step 2 to remind customers to reset the profile option.
Last month, I posted about an issue we encountered during a number of recent Oracle Applications 11.5.10.2 assessments regarding the system profile option SIGNON_PASSWORD_HARD_TO_GUESS being incorrectly set. This issue turned out to be related to the 11.5.10.2 maintenance pack instructions (Metalink Note ID 316365.1). My comment was "Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes." Well, two weeks later Oracle has updated the instructions in Section 3 Step 2 to remind customers to reset the profile option.
Categories:
November 01, 2007
Connect It and The Hackers Will Come
When clients are deploying an unpublished supplier or customer application to the Internet for the first, they are always amazed at the sheer number of random attacks. Granted many of these are looking for PHP pages or some other long ago patched vulnerability. The question that always arises is "How did they find the server so quickly?" Well, the hackers are just searching blocks of addresses on a continual basis.
The IPv4 address space is over 4 billion addresses (255*255*255*255), but in reality only a small portion of it is actually meaningful. A very nice graphic representation is here and the original comic version is available here.
The IPv4 address space is over 4 billion addresses (255*255*255*255), but in reality only a small portion of it is actually meaningful. A very nice graphic representation is here and the original comic version is available here.
Categories:
Hashing Credit Card Numbers: Revisited
This past March, I published a white paper looking at how some applications hash credit card numbers and how vulnerable these hashes are to brute forcing. I developed a proof of concept to roughly estimate the timings (about 2 million hashes per second). Looking ahead, I estimated with additional optimization, multi-threading, and faster processors probably 50 million hashes per second is achievable.
Well, I was probably off by a factor of at least 5 on my future estimate. Elcomsoft announced this week that it has filed a patent for a technique to use the "massively parallel processing" capabilities of the GPU on a video card to brute force passwords. Others have also been doing research in this area.
A better estimate is at least 200 million hashes per second for a single pass of SHA-1 or MD-5 and I wouldn't be surprised if someone could achieve 500 million hashes per second in the near future. This would allow someone to brute force all possible unsalted SHA-1 hashes in just 10 days rather than 3 years. Adding intelligence with regards to brands and common issuing bank prefixes, most of the brute force times are reduced to minutes or seconds. Storing plain-text digits (prefix and/or last 4) makes brute forcing a trivial exercise.
When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strong cryptographic hash functions, large salt values, and multiple iterations.
Well, I was probably off by a factor of at least 5 on my future estimate. Elcomsoft announced this week that it has filed a patent for a technique to use the "massively parallel processing" capabilities of the GPU on a video card to brute force passwords. Others have also been doing research in this area.
A better estimate is at least 200 million hashes per second for a single pass of SHA-1 or MD-5 and I wouldn't be surprised if someone could achieve 500 million hashes per second in the near future. This would allow someone to brute force all possible unsalted SHA-1 hashes in just 10 days rather than 3 years. Adding intelligence with regards to brands and common issuing bank prefixes, most of the brute force times are reduced to minutes or seconds. Storing plain-text digits (prefix and/or last 4) makes brute forcing a trivial exercise.
When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strong cryptographic hash functions, large salt values, and multiple iterations.
Categories:
October 30, 2007
11i: The Application Upgrade Made Me Do It
Performing security assessments on Oracle Applications implementations sometimes involves some detective work. During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess" profile option was set to No rather than the strongly recommended Yes. Each time, the client claimed it used to be set to Yes and closer analysis showed a vast majority of the passwords matched the complexity rules -- so it most likely had been set to Yes.
After a little digging, the culprit turns out to be the CU2 Maintenance Pack. Step 22 of 24 in Section 1 Pre-Update Tasks is as follows -
Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes.
Securing Oracle Applications is an on-going task that never ends. After every major upgrade, mini-pack, and RUP, you need to re-evaluate the environment to determine if any security holes have been inadvertently opened.
After a little digging, the culprit turns out to be the CU2 Maintenance Pack. Step 22 of 24 in Section 1 Pre-Update Tasks is as follows -
22. Change password policy control (conditional)
If the profile option SIGNON_PASSWORD_HARD_TO_GUESS exists with a value of Y, set it to N. You can restore this value to Y after you complete Section 2 of these instructions.
Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes.
Securing Oracle Applications is an on-going task that never ends. After every major upgrade, mini-pack, and RUP, you need to re-evaluate the environment to determine if any security holes have been inadvertently opened.
Categories:
October 16, 2007
OAUG eLearning: Oracle Critical Patch Update October 2007
This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, October 16th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday. The presentation will focus on the impact to Oracle E-Business Suite environments.
Thursday, October 18 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the October 2007 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members and you can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007
Thursday, October 18 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the October 2007 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members and you can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007
Categories:
Oracle Critical Patch Update - October 2007 - E-Business Suite Impact
Oracle released the twelfth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous eleven with many patches and long hours in order to get all the security patches applied in a timely manner. Fortunately like last quarter, this quarter there are no patches required for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative and the patch is also included in the newly released 12.0.3 patch.
This quarter does have a larger than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, so the database security patch should be a priority. Also, unlike the vast majority of previous database security bugs, this quarter has 7 vulnerabilities that can be exploited without a database account. It appears most of these issues are denial of service or low risk, nevertheless, another reason to prioritize the database patch.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3 for the database and RUP4 or RUP5 for the Oracle E-Business Suite 11i.
Most information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Oracle Critical Patch Update - October 2007 - E-Business Suite Impact
Oracle Critical Patch Update - October 2007 - Version Support Matrix
I will be presenting an OAUG eLearning Community Thursdays session this Thursday October 18th giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007
Categories:
October 11, 2007
Critical Patch Update October 2007 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) -
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Note: The pre-release announcement is removed when the CPU is released.
- Overall, 51 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix is similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. There are no new vulnerabilities in Oracle Collaboration Suite. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.8, 11.5.9, 11.5.10.x, and 12.0.x
- Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed. The CPU patches will only be available upon request. Fortunately according to the July 2007 CPU note (Metalink Note ID 432873.1), all supported platform/version combinations will have patches proactively released for the October 2007 CPU. The database note for the October 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
- This is the first CPU using version 2.0 of the CVSS metric. CVSS 2.0 scores seem to be more consistent, but still grossly understate the severity of many database and application vulnerabilities. Even a vulnerability may allow a complete compromise of the database, the score is less than 7.
- There are 5 remotely exploitable without authentication vulnerabilities, which are not typical of previous database vulnerabilities. Most previous database vulnerabilities require database authentication to exploit. Depending on the exact nature of the 5 remotely exploitable without authentication vulnerabilities, this quarter's CPU could prove to be the most critical in the past 2 years.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.
- The major version support change for this quarter is that 9.2.0.7 is no longer supported.
Oracle Application Server
- 7 of the 11 vulnerabilities are remotely exploitable without authentication. A number of these vulnerabilities are probably related to recently fixed Apache which is the base of the Oracle HTTP Server. Organizations with Internet facing Application Server deployments will most likely want to prioritize this quarter's CPU patches as Oracle HTTP Server, Oracle Single Sign-on, and Oracle Portal are all affected.
- There are no major changes to the support Oracle Application Server versions for this quarter.
Oracle E-Business Suite 11i and R12
- Only 1 of the 8 vulnerabilities in the Oracle E-Business Suite is remotely exploitable without authentication.
- All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.3). This will be the last CPU for 11.5.8.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Note: The pre-release announcement is removed when the CPU is released.
September 10, 2007
Oracle Jinitiator 1.1.8 Vulnerabilities
US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and maybe lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and has only limited remediation steps.
All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control – the US-CERT advisory only identifies versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control to allow for multiple versions to co-exist, therefore, 15 CLSIDs must be used to disable/identify the vulnerable ActiveX controls rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation and there could be theoretically as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used.
This vulnerability is different than previous Oracle vulnerabilities in that it is in the client web software. Potentially, all client PCs that have accessed an Oracle Forms application like Oracle E-Business Suite 11i, Oracle Clinical, Retek, Sungard Banner, FLEXCUBE, or any custom Oracle Forms application could be vulnerable. A targeted attack against your organization may be successful, especially as it requires only one unsuspecting user to click a URL.
DBAs are used to applying patches to fix Oracle security vulnerabilities, but not in this case. This one requires some work first to identify what is out there and to work with the desktop management team to roll-out an uninstall type solution, especially since there may be 5 or more Jinitiator versions installed on a client PC. Also, upgrades may be required to Oracle Forms 6i applications in order to support Jinitiator 1.3.1.x.
Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded at -
http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf
All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control – the US-CERT advisory only identifies versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control to allow for multiple versions to co-exist, therefore, 15 CLSIDs must be used to disable/identify the vulnerable ActiveX controls rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation and there could be theoretically as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used.
This vulnerability is different than previous Oracle vulnerabilities in that it is in the client web software. Potentially, all client PCs that have accessed an Oracle Forms application like Oracle E-Business Suite 11i, Oracle Clinical, Retek, Sungard Banner, FLEXCUBE, or any custom Oracle Forms application could be vulnerable. A targeted attack against your organization may be successful, especially as it requires only one unsuspecting user to click a URL.
DBAs are used to applying patches to fix Oracle security vulnerabilities, but not in this case. This one requires some work first to identify what is out there and to work with the desktop management team to roll-out an uninstall type solution, especially since there may be 5 or more Jinitiator versions installed on a client PC. Also, upgrades may be required to Oracle Forms 6i applications in order to support Jinitiator 1.3.1.x.
Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded at -
http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf
Categories:
August 19, 2007
11i: Setting Listener Passwords
Oracle has released a Metalink Note on the proper procedure for setting passwords for the database and FNDFS listeners. It is important to note that there are two listeners in an Oracle Applications 11i implementation. The first is the standard database listener and is the version from the installed database. The second is for FNDFS/FNDMS and is used by the concurrent managers, generic service manager, and other internal Oracle Applications processes. This second listener is part of the 8.0.6, thus is version 8.0.6.x. Passwords should be set for both listeners, especially the 8.0.6 listener since it is such an old version.
A recent AutoConfig configuration templates patchset (August 2006 - TXK.N or later) and Rapid Install (ADX.F + post fixes) are required in order to set a listener password. The Metalink Note states AutoConfig Rollup Patch N or higher, so at this time Rollup Patch Q August 2007 (5985992) is strongly recommended.
Follow the instructions in "How to enable/disable/change password of the listeners for Oracle Applications 11i" Metalink Note ID 386374.1 (Metalink access required).
A recent AutoConfig configuration templates patchset (August 2006 - TXK.N or later) and Rapid Install (ADX.F + post fixes) are required in order to set a listener password. The Metalink Note states AutoConfig Rollup Patch N or higher, so at this time Rollup Patch Q August 2007 (5985992) is strongly recommended.
Follow the instructions in "How to enable/disable/change password of the listeners for Oracle Applications 11i" Metalink Note ID 386374.1 (Metalink access required).
Categories:
July 26, 2007
11i: Best Practices for Securing the E-Business Suite Updated July 2007
Oracle has updated the white paper "Best Practices for Securing the E-Business Suite 11i" Metalink Note ID 189367.1 to version 3.0.5. The major changes include -
- For 11.5.10.x, inclusion of a script to disable unnecessary packages in FND_ENABLED_PLSQL. The FND_ENABLED_PLSQL table contains a list of about 800 database packages and procedures that may be called through modplsql (think http://<host>:<port>/pls/<sid>/<package>.<procedure>). The txkDisableModPLSQL.sql script will disable all but 128 packages. I will post more details in the near future as all 11.5.10.x implementations will want to make sure this script has been run.
- The new white paper "Removing Credentials from a Cloned EBS Production Database"Metalink Note ID 419475.1 is referenced in the new "Practice Safe Cloning" section, which discusses scrambling confidential information like social security numbers and changing all production passwords in a cloned instance. Changing all production passwords (database accounts and application users) is CRITICAL and must be done for every clone from production, otherwise it is fairly easy and well documented on how to obtain all production application user passwords in a development or test instance (see the Integrigy white paper "Oracle Applications Password Decryption" for more information).
Categories:
July 17, 2007
Oracle Critical Patch Update - July 2007 - E-Business Suite Impact
Oracle released the tenth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous ten with many patches and long hours in order to get all the security patches applied in a timely manner. Fortunately like last quarter, this quarter there are no patches required for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative and the patch is also included in the newly released 12.0.2 patch.
There are a number of high risk vulnerabilities that should be patches as soon as possible. From the database perspective, there are multiple vulnerabilities that can be exploited using any database account including APPLSYSPUB. For Oracle Applications, there are multiple SQL injection and cross-site scripting vulnerabilities. All implementations that are externally accessible via the Internet (i.e., iStore, iRecruitment, etc.) should look to apply the AOL security patch 6045931 as soon as possible or disable on-line help.
Oracle Oracle Critical Patch Update - July 2007 - E-Business Suite Impact
Oracle Critical Patch Update - July 2007 - Version Support Matrix
I will be presenting an OAUG eLearning Community Thursdays session on July 19 giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=7/1/2007
Categories:
July 15, 2007
OAUG eLearning: Oracle Critical Patch Update July 2007
This quarters Oracle Critical Patch Update (CPU) will be released on Tuesday, July 17th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday after the release. The presentation will focus on the impact to Oracle E-Business Suite environments.
Thursday, July 19 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the July 2007 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members and you can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=7/1/2007
Thursday, July 19 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the July 2007 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members and you can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=7/1/2007
Categories:
July 11, 2007
Critical Patch Update July 2007 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2007 Critical Patch Update (CPU) -
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Note: The pre-release announcement is removed when the CPU is released.
- Overall, 46 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Application Express (APEX). All supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. There are no new vulnerabilities in Oracle Enterprise Manager.
- Oracle is instituting a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed. The CPU patches will only be available upon request. Fortunately according to the April 2007 CPU note (Metalink Note ID 420061.1), all supported platform/version combinations will have patches proactively released for the July 2007 CPU. The database note for the July 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
- There are two easy to exploit, remotely exploitable, and authentication not required vulnerabilities, which are not typical of previous database vulnerabilities. Most previous database vulnerabilities require database authentication to exploit.
- At least one of the database security vulnerabilities has a CVSS metric of 4.2, which for database vulnerabilities should be considered high risk.
- The major version support changes are that 10.1.0.4 and 10.2.0.1 will not be supported on any platform.
Oracle Application Server
- The security vulnerabilities exist in Oracle JDeveloper, Oracle Internet Directory, and Oracle Single-Signon. External application servers running OID or SSO should be prioritized as 3 of these vulnerabilities are remotely exploitable without authentication. Although, the highest CSS metric is 2.3 for these vulnerabilities indicating they most likely are Cross Site Scripting (XSS) or Denial of Service (DoS) vulnerabilities.
- The recently released (late June) version 10.1.3.3.0 must be patched.
Oracle E-Business Suite 11i and R12
- There are six easy to exploit, remotely exploitable, and authentication not required vulnerabilities. Some of these security bugs most likely exist in AOL, iRecruitment, Configurator and/or iExpense, which will require immediate patching.
- 11.5.7 is not supported by the CPU due to the end of Premier Support in May 2007.
- All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.1).
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Customers running iRecruitment or Configurator should considering applying these patches ASAP.
Note: The pre-release announcement is removed when the CPU is released.
Categories:
May 28, 2007
Is the Oracle Database Indefensible?
Network security expert Richard Bejtlich recently posted some interesting comments regarding Oracle Security on his blog TaoSecurity.
I think his observation at a macro level is generally correct. Oracle seems to have arrived at the "secure coding" party late and has a significant C code base, some of which dates all the way back to around 1982. Many of the standard PL/SQL packages and associated C libraries were originally written in the early 1990's. A fun excursion is to look at the modification history of the $ORACLE_HOME/rdbms/admin SQL scripts -- you will see many of these scripts were created 10 to 20 years ago. Remember that the terms "buffer overflow" and "SQL injection" didn't really enter the lexicon until 1996 and 2000, respectively.
To judge Oracle on secure coding, you really need to look at the number of vulnerabilities affecting only recent versions of the database and application server. So far, the results are mixed, but encouraging. Although, more time has to elapse to see what security bugs are in the queue.
Mary Ann Davidson, Oracle CSO, frequently talks about secure coding and how vendors should be more public about their development practices. I would really like to know what Oracle is doing about the large database code base where over 150 security bugs have been fixed to date. Oracle has purchased Fortify as a source code scanning tool, but is there a team of 20 or 100 people dedicated to reviewing every line of code. Many of the security bugs being found today could have been found internally 3 or 4 years ago.
"Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk about Oracle (in)security at CONFidence 2007. His talk reminded me of comments Thomas Ptacek once made about certain software being indefensible ten years ago, whereas now we have a fighting chance with some software. After hearing Alex's talk I think Oracle belongs in the indefensible category. Oracle appears to be at least five years behind their peer group in terms of producing "secure" code."
I think his observation at a macro level is generally correct. Oracle seems to have arrived at the "secure coding" party late and has a significant C code base, some of which dates all the way back to around 1982. Many of the standard PL/SQL packages and associated C libraries were originally written in the early 1990's. A fun excursion is to look at the modification history of the $ORACLE_HOME/rdbms/admin SQL scripts -- you will see many of these scripts were created 10 to 20 years ago. Remember that the terms "buffer overflow" and "SQL injection" didn't really enter the lexicon until 1996 and 2000, respectively.
To judge Oracle on secure coding, you really need to look at the number of vulnerabilities affecting only recent versions of the database and application server. So far, the results are mixed, but encouraging. Although, more time has to elapse to see what security bugs are in the queue.
Mary Ann Davidson, Oracle CSO, frequently talks about secure coding and how vendors should be more public about their development practices. I would really like to know what Oracle is doing about the large database code base where over 150 security bugs have been fixed to date. Oracle has purchased Fortify as a source code scanning tool, but is there a team of 20 or 100 people dedicated to reviewing every line of code. Many of the security bugs being found today could have been found internally 3 or 4 years ago.
Categories:
May 02, 2007
11i: ATG RUP5 and CPU Impact
Oracle has released the latest ATG rollup RUP5 (official name is 11i.ATG_PF.H.delta.5). From a security perspective, RUP5 is important in three regards -
- The ATG rollups contain a number of security enhancements
- RUP5 incorporates ATG CPU patches from January 2005 to January 2007
- Starting with the July 2007 CPU, only RUP(n) and RUP(n-1) will be supported
RUP5 Security Enhancements
The recent ATG rollup patches have included a number of security enhancements. The following are some of the security enhancements in RUP5 -
- WebADI Parameter Security
- Improved delegation of Workflow monitoring privileges
- Improved delegation of access to Workflow notifications
Included CPU Patches
The RUP patches include previous CPU patches and RUP5 includes almost all ATG CPU patches from January 2005 to January 2007. THIS IS ONLY ATG PATCHES and not functional module patches. "The following core ATG products are included in 11i.ATG_PF.H.delta.5: FND, OAM, OWF, FWK, JTT, JTA, TXK, XDO, ECX, EC, AK, ALR, UMX, BNE, and FRM." For AutoConfig enabled customers, the only missing ATG CPU patch is 5658489, which is the cumulative TechStack patch for January 2007.
RUP5 Security Enhancements
"Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology will support only the current and previous production rollups (RUP N and RUP N-1) as patching baselines for all 11i releases." Based on Oracle's policy and prior CPU support history, we anticipate only RUP4 and RUP5 will be supported for the July 2007 CPU. This includes all Oracle Applications 11i versions from 11.5.7 through 11.5.10.2, where April 2007 CPU and prior only included 11.5.10.x.
With RUP4 being released in August 2006 and RUP3 in January 2006, we believe there is a 50% probability that Oracle will support RUP3 in the July 2007 CPU. Although, we believe there is no likelihood that RUP3 will be supported for the October 2007 CPU. Oracle's decision on RUP3 support will be based on customer feedback, rather than any technical issues or significant regression testing effort to certify the CPU patches for RUP3.
Categories:
April 19, 2007
Oracle 9.2.0.8 April 2007 CPU Patch Available
Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch much ahead of scheduled April 30th date. Media reports (here) were critical of Oracle's failure to release this patch in a timely manner due to the severity of one of the bugs affecting the database running on the Windows platform.
However, the Oracle E-Business Suite patch available matrix has not yet been updated (Metalink Note ID 420072.1) to reflect the change and still has the April 30th date. It is most likely just an oversight, although the issue with the patch may be related to the Oracle E-Business Suite. If you are planning on or need to apply the patch this weekend, you should open a TAR with Oracle to verify the correct course of action.
However, the Oracle E-Business Suite patch available matrix has not yet been updated (Metalink Note ID 420072.1) to reflect the change and still has the April 30th date. It is most likely just an oversight, although the issue with the patch may be related to the Oracle E-Business Suite. If you are planning on or need to apply the patch this weekend, you should open a TAR with Oracle to verify the correct course of action.
April 17, 2007
Oracle Critical Patch Update - April 2007 - E-Business Suite Impact
Oracle released the tenth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous nine with many patches and long hours in order to get all the security patches applied in a timely manner. Fortunately, this quarter there are no patches required for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative and the patch is also included in the newly released 12.0.1 patch.
There are important patches for issues in iStore and iSupport that should be fixed as soon as possible.
Oracle Oracle Critical Patch Update - April 2007 - E-Business Suite Impact
I will be presenting an OAUG eLearning Community Thursdays session on April 26 giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=4/1/2007
Categories:
April 11, 2007
11i: Encrypted Password String Disclosure
Integrigy has released an advisory regarding an undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user's password or the Oracle Applications' main database account password (APPS). The attacker must have direct SQL*Net access to the database (e.g., SQL*Plus) and to exploit the vulnerability neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" can be enabled.
In a majority of Oracle Applications implementations, neither "Managed SQL*Net Access" nor "Server Security" are enabled. "Managed SQL*Net Access" is enabled by default beginning with 11.5.10, although, it is commonly disabled due to the complexity of managing permitted hosts and the limitations in only allowing a small number of hosts direct access to the database. "Sever Security" is not enabled by default in any version of Oracle Applications and seldom is enabled as the purpose and security benefits of this feature are poorly understood. All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".
The underlying issue is that Oracle Applications passwords can be easily decrypted using methods previously published. There are a number of ways an attacker (most likely an insider) may obtain encrypted password strings, including through ad-hoc query access, from cloned instances like development, or through SQL injection vulnerabilities in the application or standard database packages. The advisory relates to an additional method of obtaining encrypted passwords strings through exploitation of a specific undisclosed security vulnerability.
For more information see the Integrigy Security Advisory Oracle Applications 11i Encrypted Password Disclosure
In a majority of Oracle Applications implementations, neither "Managed SQL*Net Access" nor "Server Security" are enabled. "Managed SQL*Net Access" is enabled by default beginning with 11.5.10, although, it is commonly disabled due to the complexity of managing permitted hosts and the limitations in only allowing a small number of hosts direct access to the database. "Sever Security" is not enabled by default in any version of Oracle Applications and seldom is enabled as the purpose and security benefits of this feature are poorly understood. All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".
The underlying issue is that Oracle Applications passwords can be easily decrypted using methods previously published. There are a number of ways an attacker (most likely an insider) may obtain encrypted password strings, including through ad-hoc query access, from cloned instances like development, or through SQL injection vulnerabilities in the application or standard database packages. The advisory relates to an additional method of obtaining encrypted passwords strings through exploitation of a specific undisclosed security vulnerability.
For more information see the Integrigy Security Advisory Oracle Applications 11i Encrypted Password Disclosure
Categories:
