
Entries For: October 2007

October 31, 2007

11i: The Application Upgrade Made Me Do It

Performing security assessments on Oracle Applications implementations sometimes involves some detective work.  During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess" profile option was set to No rather than the strongly recommended Yes.  Each time, the client claimed it used to be set to Yes, and closer analysis showed that the vast majority of the passwords matched the complexity rules -- so it most likely had been set to Yes at some point.

After a little digging, the culprit turns out to be the CU2 Maintenance Pack.  Step 22 of 24 in Section 1, Pre-Update Tasks, reads as follows -

22. Change password policy control (conditional)
If the profile option SIGNON_PASSWORD_HARD_TO_GUESS exists with a value of Y, set it to N. You can restore this value to Y after you complete Section 2 of these instructions.

Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes.

Securing Oracle Applications is an on-going task that never ends.  After every major upgrade, mini-pack, and RUP, you need to re-evaluate the environment to determine if any security holes have been inadvertently opened.
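One way to do that re-check for this particular hole is to audit the profile option at every level directly in the database.  The query below is an added example, not code from the original post; it assumes the standard 11i FND tables FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL and FND_PROFILE_OPTION_VALUES, the standard level ids (10001 = Site, 10002 = Application, 10003 = Responsibility, 10004 = User), and that it is run as APPS.

```sql
-- Added example (not from the original post): audit SIGNON_PASSWORD_HARD_TO_GUESS
-- at every profile level after an upgrade, mini-pack or RUP.
-- Assumptions: standard 11i FND_PROFILE_OPTIONS / FND_PROFILE_OPTIONS_TL /
-- FND_PROFILE_OPTION_VALUES tables and the standard level ids
-- (10001 = Site, 10002 = Application, 10003 = Responsibility, 10004 = User).
-- Any row whose VALUE is not 'Y' is a finding; LAST_UPDATE_DATE and
-- LAST_UPDATED_BY show when and by whom it was flipped (for example by the
-- CU2 pre-update step 22 described above).
SELECT t.user_profile_option_name                AS profile_name,
       DECODE(v.level_id, 10001, 'SITE',
                          10002, 'APPLICATION',
                          10003, 'RESPONSIBILITY',
                          10004, 'USER',
                          TO_CHAR(v.level_id))   AS level_name,
       v.level_value,                               -- app id, resp id or user id
       v.profile_option_value                     AS value,
       v.last_update_date,
       v.last_updated_by,
       CASE WHEN v.profile_option_value = 'Y' THEN 'OK'
            ELSE 'FINDING: restore to Y'
       END                                        AS status
  FROM fnd_profile_options       o,
       fnd_profile_options_tl    t,
       fnd_profile_option_values v
 WHERE o.profile_option_name = 'SIGNON_PASSWORD_HARD_TO_GUESS'
   AND t.profile_option_name = o.profile_option_name
   AND t.language            = USERENV('LANG')
   AND v.profile_option_id   = o.profile_option_id
   AND v.application_id      = o.application_id
 ORDER BY v.level_id, v.level_value;
```

If the query returns no SITE row at all, the option has never been set, which the sign-on code treats the same as No, so that is a finding too.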

October 17, 2007

OAUG eLearning: Oracle Critical Patch Update October 2007

This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, October 16th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, October 18 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business Suite since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the October 2007 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007

Oracle Critical Patch Update - October 2007 - E-Business Suite Impact

Oracle released the twelfth Critical Patch Update (CPU) yesterday.  This quarter is the same as the previous eleven: many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, like last quarter, there are no patches required this quarter for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.3 patch.

This quarter does have a larger than average number of database vulnerabilities that can be exploited by low-privileged database accounts, so the database security patch should be a priority.  Also, unlike the vast majority of previous database security bugs, this quarter has 7 vulnerabilities that can be exploited without a database account.  Most of these issues appear to be denial of service or low risk; nevertheless, they are another reason to prioritize the database patch.

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3 for the database and RUP4 or RUP5 for the Oracle E-Business Suite 11i.

Most information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Critical Patch Update - October 2007 - E-Business Suite Impact

Oracle Critical Patch Update - October 2007 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session this Thursday October 18th giving additional information on the CPU and its impact on your Oracle Applications implementation.  You can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007

October 12, 2007

Critical Patch Update October 2007 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) -

  • Overall, 51 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix is similar to previous CPUs.  All CPU-supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  There are no new vulnerabilities in Oracle Collaboration Suite.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.8, 11.5.9, 11.5.10.x, and 12.0.x
  • Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed; the CPU patches will only be available upon request.  Fortunately, according to the July 2007 CPU note (Metalink Note ID 432873.1), all supported platform/version combinations will have patches proactively released for the October 2007 CPU.  The database note for the October 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
  • This is the first CPU using version 2.0 of the CVSS metric.  CVSS 2.0 scores seem to be more consistent, but still grossly understate the severity of many database and application vulnerabilities.  Even when a vulnerability may allow a complete compromise of the database, the score is less than 7.

Oracle Database
  • There are 5 vulnerabilities that are remotely exploitable without authentication, which is not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.  Depending on the exact nature of these 5 vulnerabilities, this quarter's CPU could prove to be the most critical in the past 2 years.
  • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.
  • The major version support change for this quarter is that 9.2.0.7 is no longer supported.

Oracle Application Server
  • 7 of the 11 vulnerabilities are remotely exploitable without authentication.  A number of these vulnerabilities are probably related to recently fixed Apache issues, as Apache is the base of the Oracle HTTP Server.  Organizations with Internet-facing Application Server deployments will most likely want to prioritize this quarter's CPU patches, as Oracle HTTP Server, Oracle Single Sign-on, and Oracle Portal are all affected.
  • There are no major changes to the supported Oracle Application Server versions for this quarter.

Oracle E-Business Suite 11i and R12
  • Only 1 of the 8 vulnerabilities in the Oracle E-Business Suite is remotely exploitable without authentication.
  • All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.3).  This will be the last CPU for 11.5.8.

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released.