Oracle has updated the white paper "Best Practices for Securing Oracle E-Business Suite version 3.0.4" Metalink Note ID 189367.1. The major changes to the document include -
- Added the new Oracle Applications 11.5.10 application accounts AME_INVALID_APPROVER and XML_USER to the list of accounts that require password changes and that should be disabled. (p. 21)
- Additional instructions for securing the APPLSYSPUB database account. (p. 52)
- Added the forms FNDFFMDC ("Define Descriptive Flexfield Segments") and FNDFFMVS ("Define Flex Value Sets") to the list of forms that accept SQL statements. (p. 47)
If you already implemented all the recommendations, you should look at the following -
- Check for the application accounts AME_INVALID_APPROVER and XML_USER and disable them and change the password if they exist.
- Review access to the forms FNDFFMDC and FNDFFMVS. I have not reviewed what responsibilities usually have access to these forms. Since they involve Flexfields, these two are different from the other AOL forms on the restricted access list and may require some work to secure.
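Two audit queries for the checks above, added here as an example and not taken from the white paper or from Integrigy's or Oracle's own tooling. The FND table and column names are assumed from the standard Oracle Applications data model (FND_USER, FND_RESPONSIBILITY, FND_MENU_ENTRIES, FND_FORM_FUNCTIONS, FND_FORM) and should be confirmed with DESCRIBE on your instance; the hierarchical query needs Oracle Database 10g or later for CONNECT_BY_ROOT and NOCYCLE.

```sql
-- 1. Do the two new 11.5.10 application accounts exist, and are they still active?
--    "Active" means no END_DATE or an END_DATE in the future; those rows need
--    the account end-dated and the password changed.
SELECT user_name,
       end_date,
       CASE WHEN end_date IS NULL OR end_date > SYSDATE
            THEN 'ACTIVE - end-date and change password'
            ELSE 'already end-dated'
       END AS status
FROM   applsys.fnd_user
WHERE  user_name IN ('AME_INVALID_APPROVER', 'XML_USER');

-- 2. Which live responsibilities can reach the Flexfield forms that accept SQL?
--    Walk every responsibility's menu tree (FND_MENU_ENTRIES) down to the leaf
--    form functions and keep those that open FNDFFMDC or FNDFFMVS.
--    Assumption: menu exclusions in FND_RESP_FUNCTIONS are ignored, so the list
--    over-reports rather than under-reports access, which is the safe direction
--    for an audit.
WITH menu_tree AS (
  SELECT CONNECT_BY_ROOT menu_id AS root_menu_id,
         function_id
  FROM   applsys.fnd_menu_entries
  WHERE  function_id IS NOT NULL
  START WITH menu_id IN (SELECT menu_id FROM applsys.fnd_responsibility)
  CONNECT BY NOCYCLE PRIOR sub_menu_id = menu_id
)
SELECT DISTINCT r.responsibility_key,
       rt.responsibility_name,
       f.form_name,
       ff.function_name
FROM   applsys.fnd_form f
       JOIN applsys.fnd_form_functions ff
         ON ff.form_id = f.form_id
       JOIN menu_tree mt
         ON mt.function_id = ff.function_id
       JOIN applsys.fnd_responsibility r
         ON r.menu_id = mt.root_menu_id
       JOIN applsys.fnd_responsibility_tl rt
         ON  rt.responsibility_id = r.responsibility_id
         AND rt.application_id    = r.application_id
         AND rt.language          = USERENV('LANG')
WHERE  f.form_name IN ('FNDFFMDC', 'FNDFFMVS')
AND    (r.end_date IS NULL OR r.end_date > SYSDATE)
ORDER  BY f.form_name, r.responsibility_key;
```

Run both as APPS (or another account with SELECT on the APPLSYS tables) and compare the second result set against the responsibilities you expect to have Flexfield administration rights.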
If you have not implemented the "Managed SQL*Net Access Feature" in 11.5.10, then direct SQL*Net access to the database and access to the APPLSYSPUB database account is your most significant security hole. The biggest concern is that many of the security vulnerabilities fixed in the Critical Patch Updates can be easily exploited through it (see page 3 of our analysis). However, Integrigy has not previously recommended changing the APPLSYSPUB password because of known issues and because the password is often displayed or could be easily obtained. Instead, we have pushed clients to make sure the APPLSYSPUB account is as secure as possible (see here).
Almost all the disclosure issues with the APPLSYSPUB password have been corrected in 188.8.131.52, and the issues with changing the password seem to have mostly been resolved. There is a procedure on page 52 that describes how to change the APPLSYSPUB account password and lists the patches required so that AutoConfig changes the password in all the correct places.