
Entries For: 2012

March 05, 2012

Upcoming Webinar: Out of the Fire - Adding Layers of Protection when Deploying Oracle E-Business Suite to the Internet

Out of the Fire - Adding Layers of Protection when Deploying Oracle E-Business Suite to the Internet
Thursday, March 8, 2:00pm - 3:00pm EST

When you externally deploy Oracle E-Business Suite Internet-enabled modules such as iSupplier, iRecruitment, or iStore, you have potentially opened your entire environment to the Internet, including all your financial and HR data.  There are specific risks and inherent weaknesses in an Oracle E-Business Suite external deployment that must be properly addressed to prevent data loss or malicious use.

This educational webinar follows our previous webinar "Into the Fire" (available upon request) and will discuss additional steps required for a secure implementation beyond the Oracle-recommended configuration, including deploying a web application firewall, a reverse proxy, and encryption.

Click here to register for the Oracle E-Business Suite webinar.

January 17, 2012

Critical Oracle Database Bug - System Change Number (SCN) (CVE-2012-0082)

InfoWorld magazine today published detailed information regarding Oracle Database security bug CVE-2012-0082, which has associated fixes in Oracle's January 2012 Critical Patch Update.  This security vulnerability specifically relates to the Oracle System Change Number (SCN) and ways to increase the SCN beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN) in order to stop processing of database transactions.

Where this vulnerability gets interesting is that the SCN is synchronized to the highest SCN when two databases are connected via a database link.  Therefore, it is possible to increase a database to the near maximum SCN through a database link, which will cascade through to all other interconnected databases.  The result can be ORA-600 errors and potentially database crashes on the database with the lower SCN.

This vulnerability appears to have been discovered as the result of a bug in RMAN which can cause the SCN to reach the current maximum SCN value, combined with a change in the way the Maximum Reasonable SCN is calculated in 11.2.0.2.  The 11.2.0.2 change appears to have impacted or crashed at least a hundred databases at a very large Oracle customer.
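To make the headroom and cascade effect concrete from a monitoring point of view, the following is an added Python model; it is not code from Integrigy, Oracle, or the InfoWorld article. It assumes Oracle's published rate for the Maximum Reasonable SCN (16384 SCNs per second counted from 1988-01-01, taken from public Oracle documentation rather than from this post), and the estate, SCN values, link topology and the 30-day warning threshold are all constructed sample data. It computes how many days of headroom each database has, then applies the rule described above (a database link raises both ends to the higher SCN) to show how one low-headroom database pulls every database it is transitively linked to down to the same headroom.

```python
from datetime import datetime, timezone

# Oracle's "Maximum Reasonable SCN" ceiling grows at a fixed rate from a fixed
# epoch. The 16384 SCNs/second rate from 1988-01-01 is an assumption taken from
# public Oracle documentation, not from this blog post.
SCN_RATE_PER_SEC = 16384
SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)
SCNS_PER_DAY = SCN_RATE_PER_SEC * 86400


def max_reasonable_scn(now):
    """Ceiling a database will not go past at wall-clock time `now`."""
    elapsed = int((now - SCN_EPOCH).total_seconds())
    return elapsed * SCN_RATE_PER_SEC


def headroom_days(current_scn, now):
    """Days of headroom left: how long a database consuming SCNs at the full
    allowed rate could run before reaching the ceiling. Negative means the
    SCN is already beyond the reasonable maximum."""
    return (max_reasonable_scn(now) - current_scn) / SCNS_PER_DAY


def propagate_over_links(scns, links):
    """Model the synchronisation described in the post: each database link
    raises both ends to the higher SCN, so every database in a connected
    group converges on that group's maximum. Returns the post-sync SCNs."""
    adjacency = {db: set() for db in scns}
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)
    synced, seen = {}, set()
    for start in scns:
        if start in seen:
            continue
        group, stack = [], [start]
        seen.add(start)
        while stack:  # depth-first walk of one connected group
            db = stack.pop()
            group.append(db)
            for neighbour in adjacency[db]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    stack.append(neighbour)
        group_max = max(scns[db] for db in group)
        for db in group:
            synced[db] = group_max
    return synced


def assess(scns, links, now, warn_days=30):
    """Headroom per database before and after link synchronisation, flagging
    any database whose post-sync headroom is under `warn_days` (the default
    is a constructed example threshold, not an Oracle recommendation)."""
    synced = propagate_over_links(scns, links)
    report = {}
    for db, scn in scns.items():
        before = headroom_days(scn, now)
        after = headroom_days(synced[db], now)
        report[db] = {"before_days": before, "after_days": after,
                      "at_risk": after < warn_days}
    return report


# Constructed sample estate (not real systems): DW has only ten days of
# headroom left; ERP and HR are healthy but linked to it; STANDALONE has no links.
NOW = datetime(2012, 1, 17, tzinfo=timezone.utc)
SAMPLE_SCNS = {
    "ERP": 5_000_000_000,
    "HR": 3_000_000_000,
    "DW": max_reasonable_scn(NOW) - 10 * SCNS_PER_DAY,
    "STANDALONE": 2_000_000_000,
}
SAMPLE_LINKS = [("ERP", "HR"), ("HR", "DW")]

if __name__ == "__main__":
    for db, row in assess(SAMPLE_SCNS, SAMPLE_LINKS, NOW).items():
        print(f"{db:11s} before={row['before_days']:8.1f}d "
              f"after={row['after_days']:8.1f}d at_risk={row['at_risk']}")
```

In practice the `current_scn` input would come from `V$DATABASE` on each instance and the link list from `DBA_DB_LINKS`; the point of the model is that headroom has to be assessed for the whole linked estate, not one database at a time, because the database with the least headroom sets the headroom for everything it can reach.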

As this vulnerability will get significant press, we foresee an "arms race" ensuing, with the release of different methods to maliciously increment the current SCN and techniques to perform database denial-of-service attacks related to the SCN.

Integrigy will be publishing in the near future our analysis of the impact of this vulnerability along with recommendations on mitigating the risk in your organization.

Oracle has published more information regarding SCNs and their potential impact in a My Oracle Support (MOS) note (requires My Oracle Support access):

Information on the System Change Number (SCN) and how it is used in the Oracle Database [ID 1376995.1]