11i: The Application Upgrade Made Me Do It

Performing security assessments on Oracle Applications implementations sometimes involves some detective work. During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess" profile option was set to No rather than the strongly recommended Yes. Each time, the client claimed it used to be set to Yes and closer analysis showed a vast majority of the passwords matched the complexity rules -- so it most likely had been set to Yes.

After a little digging, the culprit turns out to be the CU2 Maintenance Pack. Step 22 of 24 in Section 1 Pre-Update Tasks is as follows -

22. Change password policy control (conditional)

If the profile option SIGNON_PASSWORD_HARD_TO_GUESS exists with a value of Y, set it to N. You can restore this value to Y after you complete Section 2 of these instructions.

Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes.

Securing Oracle Applications is an on-going task that never ends. After every major upgrade, mini-pack, and RUP, you need to re-evaluate the environment to determine if any security holes have been inadvertently opened.