Risk of Information Leakage from the Oracle E-Business Suite
The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakages. Especially if you have Internet facing applications such iStore, iSupplier or iRecruitment, you need to take steps to secure your implementation against accidental information leakage and provide as little information as possible to anyone who might want to attack you.
URL Firewall
If you are running the E-Business Suite with a DMZ, such as for iStore or iSupplier, you must use the URL firewall. If you don’t, you will be exposing your implementation to serious security risks and leaking large amounts of information.
The Oracle E-Business Suite automatically installs all 250+ modules and all related web pages. Even though many of these modules are not selected to be installed, licensed, or configured, the web pages are nevertheless installed and accessible. In order to block these 15,000+ web pages when deploying Oracle E-Business Suite in a DMZ, Oracle developed the URL firewall. The URL firewall is a whitelist of permitted web pages and is enabled through autoconfig.
How to know if your URL Firewall is running
- Review your autoconfig settings for the variable: s_enable_urlfirewall. If you see a ‘#’, the URL firewall is off. Integrigy also recommends reviewing the Apache httpd.conf files on each server in your DMZ to ensure that the url firewall is being called.
Integrigy's AppDefend, our Web Application Firewall optimized for Oracle E-Business Suite, provides another layer of security to block unused modules like the URL Firewall, but also provides real-time protection from web application vulnerabilities like SQL injection and cross-site scripting (XSS) and blocks Oracle Critical Patch Update vulnerabilities.
If you have questions, please contact us.
References
- Into the Fire - Deploying Oracle EBS to the Internet - Integrigy
- Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet - Integrigy
- Oracle E-Business Suite R12 Configuration in a DMZ (MOS Doc ID 380490.1)
