Oracle and Symantec Threat Report: Bad Counting?

Usually, I am not in the position to defend Oracle on the number of vulnerabilities fixed, but the recent Symantec Internet Security Threat Report inflated the vulnerability count for Oracle by comparing apples and oranges.   This version of the Threat Report contains a comparison of the number of vulnerabilities found in five leading relational databases (Oracle, IBM DB2, Microsoft SQL Server, MySQL, and PostgreSQL).  Oracle looks really bad with 168 vulnerabilities published during the second h

Hashing Credit Card Numbers: Unsafe Application Practices

Cryptographic hash functions seem to be an ideal method for protecting and securely storing credit card numbers in ecommerce and payment applications. A hash function generates a secure, one-way digital fingerprint that is irreversible and meets frequent business requirements for searching and matching of card numbers.

R12: Updated Security Best Practices Document

Oracle has updated the "Best Practices for Securing Oracle E-Business Suite" for Release 12.  The new Metalink Note ID is 403537.1.  Overall, there are very few changes to the document and mostly the changes are only to reflect the new R12 documentation.

The most significant changes to security for R12 are

11i: Expire All User Passwords

Occasionally, there is a need to expire all application user passwords in Oracle Applications 11i.  Oracle now provides a script to expire all users passwords in 11i.ATG_PF.H RUP4.  The script is located in $FND_TOP/patch/115/sql/AFCPEXPIRE.sql.  It can be executed using SQL*Plus or as the concurrent program "CP SQL*Plus Expire FND_USER Passwords".

AFCPEXPIRE.sql is a very simple script and is a single update statement that sets the PASSWORD_DATE column to null in FND_USER.

Oracle Applications 11i and PCI Compliance

The recent OAUG "Automating Compliance Survey" (OAUG login required) showed 7% of the organizations surveyed responded as being compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), while 19% were in the process of planning or implementing and 71% were either not planning or not sure about PCI compliance.  Having 71% of the organizations respond "not planning/not sure" seems a little high to me since

Oracle Critical Patch Update - January 2007 - E-Business Suite Impact

We have released our quarterly Oracle E-Business Suite Impact analysis for the Oracle Critical Patch Update (CPU) January 2007.  This analysis looks at the CPU from an Oracle E-Business Suite perspective and provides additional details on the fixed vulnerabilities and a patching strategy for the Oracle Database, Oracle Application Server, Oracle Developer 6i, Oracle JInitiator, and Oracle Applications 11i.

Oracle January 2007 CPU Initial Thoughts

Oracle has released the January 2007 Critical Patch Update (CPU).  A major change for this quarter's CPU was the release of a pre-announcement on January 11th giving an overview of the products patches and a summary of the vulnerabilities.  On the surface, the pre-announcement looked pretty bad with the highest CVSS base score being 7.0 for the database, Enterprise Manager, and E-Business Suite.  However, the worst database vulnerabilities are exclusively in the Oracle HTTP Server, which is an optional component for the database.

OAUG eLearning: January 2007 Critical Patch Update E-Business Suite Impact

For those of you who are OAUG members, I will be presenting an OAUG eLearning session on the Oracle Critical Patch Update January 2007 and the impact on the E-Business Suite.  This session will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy.  Depending the vulnerabilities fixed in the CPU, there may even be some demonstrations of the actual vulnerabilities.

Oracle Applications 11i User Password Weakness - Follow-up

Due to the number of client inquiries regarding my recent posting on the Oracle Applications 11i password decryption issue, we have written a whitepaper on the subject to provide more details and additional recommendations.  This issue is really a "perfect storm" with the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted insec

October 2006 CPU and - Patches Finally Available

If you haven't noticed due to the holidays, Oracle has finally released the October 2006 Critical Patch Update (CPU) for on Unix/Linux and Windows.  These patches were released 75 days after the CPU and at least 45 days after the initial projected date.

The Database patch should be applied for all Oracle E-Business Suite databases running, even though the patch is not listed in the CPU documentation for the E-Business Suite.