In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here Oracle E-Business Suite: Credit Cards and PCI Compliance.
This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Integrigy COLLABORATE 17 Sessions - Presentations on Oracle Database, Oracle E-Business Suite, and PeopleSoft Security
Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/). The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group.
You can download a complete listing of Integrigy's sessions at Integrigy COLLABORATE 17 Sessions.
This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:
This is the forth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
This is the third posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
This is the second posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors. To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect. This also makes the Oracle E-Business Suite, like other ERP platforms, vulnerable to automated attacks.
With the upcoming on-premise release of Oracle Database 22.214.171.124, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 126.96.36.199 and 188.8.131.52. Currently (as of January 2017), only 184.108.40.206 and 220.127.116.11 are supported for CPUs.
The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 18.104.22.168 and July 2021 for 22.214.171.124. The first year of extended support for both versions is free until December 2018 for 126.96.36.199 and July 2019 for 188.8.131.52.
Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017. The past five Oracle Critical Update Updates (CPU) have included double or triple digit number of fixes for Oracle E-Business Suite. Almost all these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. Many of the 250 security vulnerabilities fixed are high risk vulnerabilities such as SQL injection, cross-site scripting (XSS), XML external entity attacks, and privilege escalation.
As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers. Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts. See My Oracle Support Note ID 1596629.1 for more information.
For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of reports are at risk.
Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts. As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i. October 2016 is the last CPU patch for Oracle E-Business Suite 11i. For 12.0, the last CPU patch was October 2015.
The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter. Starting with the October 2016 CPU, only 184.108.40.206 and 220.127.116.11 are supported. In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 18.104.22.168 or 22.214.171.124. As these are terminal database releases, the final CPU patch for 126.96.36.199 is July 2021 and for 188.8.131.52 is October 2020. For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available which include both security fixes and a l
The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.