11i: The Application Upgrade Made Me Do It

Performing security assessments on Oracle Applications implementations sometimes involves some detective work.  During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess" profile option was set to No rather than the strongly recommended Yes.  Each time, the client claimed it used to be set to Yes, and closer analysis showed that the vast majority of the passwords matched the complexity rules -- so it most likely had been set to Yes.

OAUG eLearning: Oracle Critical Patch Update October 2007

This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, October 16th.  In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, October 18 at 9:00 am and 5:00 pm U.S. Eastern Time

Oracle Critical Patch Update - October 2007 - E-Business Suite Impact

Oracle released the twelfth Critical Patch Update (CPU) yesterday.  Like the previous eleven, this quarter brings many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, as last quarter, there are no patches required for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.3 patch.

Oracle Jinitiator 1.1.8 Vulnerabilities

US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467).  Due to limited public technical information on Jinitiator, no access to the Oracle support website, and perhaps a lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and has only limited remediation steps.

11i: Setting Listener Passwords

Oracle has released a Metalink Note on the proper procedure for setting passwords for the database and FNDFS listeners.  It is important to note that there are two listeners in an Oracle Applications 11i implementation.  The first is the standard database listener and is the version from the installed database.  The second is for FNDFS/FNDMS and is used by the concurrent managers, the generic service manager, and other internal Oracle Applications processes.  This second listener is part of the 8.0.6 home and is therefore version 8.0.6.x.  Passwords should be set for both listeners,

Oracle Critical Patch Update - July 2007 - E-Business Suite Impact

Oracle released the tenth Critical Patch Update (CPU) yesterday.  Like the previous ten, this quarter brings many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, as last quarter, there are no patches required for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.2 patch.

OAUG eLearning: Oracle Critical Patch Update July 2007

This quarter's Oracle Critical Patch Update (CPU) will be released on Tuesday, July 17th.  In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on the Thursday after the release.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, July 19 at 9:00 am and 5:00 pm U.S. Eastern Time

11i: ATG RUP5 and CPU Impact

Oracle has released the latest ATG rollup, RUP5 (official name 11i.ATG_PF.H.delta.5).  From a security perspective, RUP5 is important in three regards:

  1. The ATG rollups contain a number of security enhancements
  2. RUP5 incorporates ATG CPU patches from January 2005 to January 2007
  3. Starting with the July 2007 CPU, only RUP(n) and RUP(n-1) will be supported

RUP5 Security Enhancements

Oracle 9.2.0.8 April 2007 CPU Patch Available

Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch well ahead of the scheduled April 30th date.  Media reports (here) were critical of Oracle's failure to release this patch in a timely manner, given the severity of one of the bugs affecting the database running on the Windows platform.

Oracle Critical Patch Update - April 2007 - E-Business Suite Impact

Oracle released the tenth Critical Patch Update (CPU) yesterday.  Like the previous nine, this quarter brings many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, this quarter there are no patches required for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.1 patch.

11i: Encrypted Password String Disclosure

Integrigy has released an advisory regarding a previously undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications user accounts' encrypted password strings, which in turn can be decrypted using previously published information.  An attacker can potentially obtain either any user's password or the password of the Oracle Applications main database account (APPS).