Attached files are an information leakage risk for the Oracle E-Business Suite. There are two sources, and the second is not commonly recognized.
The first source is straightforward. Users of the E-Business Suite are free to upload and attach files with content at their discretion. Other than business policies supported by security awareness training, there is nothing to prevent users from attaching files that contain confidential information such as credit card and/or social security numbers. Because of this, the risk of information leakage with attached files is best mitigated by purging attached files on a regular basis.
The second source is less obvious and stems from the fact that, besides attachments, the Oracle E-Business Suite also retains file exports in the same table as attachments. There is a risk of information leakage with these file exports. For example, if your Human Resources department regularly exports to Excel from Forms, it is likely you will have a large number of export files. Due to the nature of Human Resources data, this probably means that you have sensitive information stored in these files.
By design, the Oracle E-Business Suite needs to purge attached files. It is through the purge process for attached files that file exports are removed. However, many organizations do not regularly purge attachments. Integrigy’s security assessment services can assist with scanning your attached files for sensitive data.
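To see how much of this data an instance is holding, the following read-only inventory query is an added example, not part of the original post or of Integrigy's tooling. It assumes the shared table is APPLSYS.FND_LOBS and that Forms exports are tagged with PROGRAM_NAME = 'export'; confirm both on your release, and treat the 90-day threshold as illustrative.

```sql
-- Added example: inventory of stored files grouped by originating program.
-- Assumptions (not stated in the post): the shared table is APPLSYS.FND_LOBS
-- and Forms exports carry PROGRAM_NAME = 'export'.
-- Read-only. DBMS_LOB.GETLENGTH touches every LOB, so run it off-peak
-- on large instances.
SELECT NVL(program_name, '(none)')                                  AS source_program,
       file_content_type,
       COUNT(*)                                                     AS file_count,
       ROUND(SUM(DBMS_LOB.GETLENGTH(file_data)) / 1048576, 1)       AS total_mb,
       MIN(upload_date)                                             AS oldest_upload,
       MAX(upload_date)                                             AS newest_upload,
       -- Files older than the illustrative 90-day retention threshold
       SUM(CASE WHEN upload_date < SYSDATE - 90 THEN 1 ELSE 0 END)  AS older_than_90d,
       -- Files with no expiration date recorded
       SUM(CASE WHEN expiration_date IS NULL THEN 1 ELSE 0 END)     AS no_expiration
FROM   applsys.fnd_lobs
GROUP  BY NVL(program_name, '(none)'), file_content_type
ORDER  BY file_count DESC;
```

A large, old population of export rows, particularly spreadsheet content types, indicates that the purge described above is not being run regularly.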
If you have any questions about this or Oracle E-Business Security, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP
- Questions on Purge Obsolete Generic File Manager Data (MOS Doc ID 1165208.1)
- Purging Strategy for eBusiness Suite 11i (MOS Doc ID 732713.1)