Entries For: July 2007
July 27, 2007
11i: Best Practices for Securing the E-Business Suite Updated July 2007
- For 11.5.10.x, inclusion of a script to disable unnecessary packages in FND_ENABLED_PLSQL. The FND_ENABLED_PLSQL table contains a list of about 800 database packages and procedures that may be called through modplsql (think http://<host>:<port>/pls/<sid>/<package>.<procedure>). The txkDisableModPLSQL.sql script will disable all but 128 packages. I will post more details in the near future as all 11.5.10.x implementations will want to make sure this script has been run.
- The new white paper "Removing Credentials from a Cloned EBS Production Database" (Metalink Note ID 419475.1) is referenced in the new "Practice Safe Cloning" section, which discusses scrambling confidential information like social security numbers and changing all production passwords in a cloned instance. Changing all production passwords (database accounts and application users) is CRITICAL and must be done for every clone from production; otherwise it is fairly easy, and well documented, to obtain all production application user passwords from a development or test instance (see the Integrigy white paper "Oracle Applications Password Decryption" for more information).
July 18, 2007
Oracle Critical Patch Update - July 2007 - E-Business Suite Impact
Oracle released the tenth Critical Patch Update (CPU) yesterday. This quarter is like the previous ten: many patches and long hours to get all the security patches applied in a timely manner. Fortunately, as last quarter, there are no patches required for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.2 patch.
There are a number of high-risk vulnerabilities that should be patched as soon as possible. From the database perspective, there are multiple vulnerabilities that can be exploited using any database account, including APPLSYSPUB. For Oracle Applications, there are multiple SQL injection and cross-site scripting vulnerabilities. All implementations that are externally accessible via the Internet (e.g., iStore, iRecruitment) should look to apply the AOL security patch 6045931 as soon as possible or disable on-line help.
Oracle Critical Patch Update - July 2007 - E-Business Suite Impact
Oracle Critical Patch Update - July 2007 - Version Support Matrix
I will be presenting an OAUG eLearning Community Thursdays session on July 19 giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=7/1/2007
July 16, 2007
OAUG eLearning: Oracle Critical Patch Update July 2007
Thursday, July 19 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products, including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business Suite, since multiple patches are required, with some being cumulative and others needing prerequisites. This eLearning session will focus on the July 2007 CPU and its impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members, and you can sign up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=7/1/2007
July 12, 2007
Critical Patch Update July 2007 Pre-Release Analysis
- Overall, 46 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Application Express (APEX). All supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. There are no new vulnerabilities in Oracle Enterprise Manager.
- Oracle is instituting a new policy with the July 2007 CPU: platforms with few downloads of CPU patches will no longer have patches proactively developed, and the CPU patches will only be available upon request. Fortunately, according to the April 2007 CPU note (Metalink Note ID 420061.1), all supported platform/version combinations will have patches proactively released for the July 2007 CPU. The database note for the July 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine whether your platform/version will be an "On Request" patch in the next release.
- There are two vulnerabilities that are easy to exploit, remotely exploitable, and require no authentication, which is not typical of previous database vulnerabilities. Most previous database vulnerabilities require database authentication to exploit.
- At least one of the database security vulnerabilities has a CVSS metric of 4.2, which for database vulnerabilities should be considered high risk.
- The major version support changes are that 10.1.0.4 and 10.2.0.1 will not be supported on any platform.
Oracle Application Server
- The security vulnerabilities exist in Oracle JDeveloper, Oracle Internet Directory, and Oracle Single Sign-On. External application servers running OID or SSO should be prioritized, as 3 of these vulnerabilities are remotely exploitable without authentication. However, the highest CVSS metric for these vulnerabilities is 2.3, indicating they are most likely Cross-Site Scripting (XSS) or Denial of Service (DoS) vulnerabilities.
- The recently released (late June) version 10.1.3.3.0 must be patched.
Oracle E-Business Suite 11i and R12
- There are six vulnerabilities that are easy to exploit, remotely exploitable, and require no authentication. Some of these security bugs most likely exist in AOL, iRecruitment, Configurator and/or iExpense, which will require immediate patching.
- 11.5.7 is not supported by the CPU due to the end of Premier Support in May 2007.
- All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.1).
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Customers running iRecruitment or Configurator should consider applying these patches ASAP.
Note: The pre-release announcement is removed when the CPU is released.