Risk of Information Leakage from the Oracle E-Business Suite - Diagnostics

Almost every Oracle E-Business Suite customer uses Diagnostics to support the application, yet Diagnostics is commonly overlooked as a source of information leakage. Diagnostics should not be enabled in production, or, if it must be, it should be enabled only at the User level and only for a limited period of time. The same advice applies to any non-production instance that has DMZ nodes.

Setting the profile option ‘FND: Diagnostics’ from its default of ‘No’ to ‘Yes’ renders a Diagnostics global button on every page and an ‘About This Page’ link at the bottom of every OA Framework page. With Diagnostics enabled, configuration data, diagnostic output, and other log messages are displayed to anyone who clicks the button or link. This information should be visible only to appropriately privileged and trusted personnel. Making Diagnostics globally available to all users, including external DMZ users of modules such as iStore and iRecruitment, is not a best practice.

What is less commonly understood is that the Diagnostics profile option also changes the behavior of several purpose-built diagnostic and monitoring pages shipped with the E-Business Suite. These pages expose large amounts of information about critical configuration and system performance and are intended only for system and database administrators. Although these pages should be blocked by the Oracle EBS URL Firewall (if it is enabled and properly configured), and their URLs are obscure, obscurity is not protection: they may well be known to an external attacker or to an insider with malicious intent. The pages should not be accessible to general users and certainly not to anonymous Internet users. Turning Diagnostics off greatly reduces, if not completely removes, access to them, which is another reason the best practice is to leave Diagnostics off at the Site level and enable it only at the User level as needed.

How do you know if Diagnostics is enabled?

  • Check your system profile option ‘FND: Diagnostics’. It should be set to ‘No’ at the Site level.
  • Check the other levels as well. A value set at the Application, Responsibility or User level overrides the Site value, so a ‘Yes’ at any of those levels still exposes the Diagnostics button and ‘About This Page’ link to the users it covers. Any User-level ‘Yes’ should have a known owner and a known expiry; remove it once the troubleshooting that justified it is finished.
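The following query is an added example, not part of the original article, that performs the check above directly against the EBS database rather than through the System Profile Values form. It assumes the standard EBS tables FND_PROFILE_OPTIONS_VL, FND_PROFILE_OPTION_VALUES, FND_APPLICATION, FND_RESPONSIBILITY and FND_USER, the internal profile name FND_DIAGNOSTICS for ‘FND: Diagnostics’, the standard LEVEL_ID codes (10001 Site through 10007 Server+Responsibility), and that the stored value is 'Y'/'N' while the form displays ‘Yes’/‘No’. The 30-day window in the second query is an assumed policy value; adjust it to your own standard for a "limited period of time".

```sql
-- Added example (not from the original article). Lists every level at
-- which 'FND: Diagnostics' (internal name FND_DIAGNOSTICS, assumed) is
-- set, resolving the level value to a readable name so a 'Y' at Site
-- level, or a forgotten 'Y' at User level, stands out immediately.
SELECT po.user_profile_option_name,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              10007, 'Server+Responsibility',
              TO_CHAR(pov.level_id))                   AS level_name,
       CASE pov.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                          FROM   fnd_application a
                          WHERE  a.application_id = pov.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_key
                          FROM   fnd_responsibility r
                          WHERE  r.responsibility_id = pov.level_value
                          AND    r.application_id    = pov.level_value_application_id)
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
         ELSE TO_CHAR(pov.level_value)
       END                                              AS level_value_name,
       pov.profile_option_value,                        -- 'Y' or 'N' (assumed storage format)
       pov.last_updated_by,
       pov.last_update_date
FROM   fnd_profile_options_vl    po
JOIN   fnd_profile_option_values pov
       ON pov.profile_option_id = po.profile_option_id
WHERE  po.profile_option_name = 'FND_DIAGNOSTICS'
ORDER  BY pov.level_id, pov.last_update_date DESC;

-- Second check: User-level overrides that have been 'Y' for more than
-- 30 days (assumed policy window). Diagnostics should be enabled per
-- user only for a limited period, so each row here is a candidate for
-- removal or for confirmation that the troubleshooting is still active.
SELECT u.user_name,
       pov.profile_option_value,
       pov.last_update_date,
       TRUNC(SYSDATE - pov.last_update_date)            AS days_enabled
FROM   fnd_profile_options_vl    po
JOIN   fnd_profile_option_values pov
       ON pov.profile_option_id = po.profile_option_id
JOIN   fnd_user u
       ON u.user_id = pov.level_value
WHERE  po.profile_option_name   = 'FND_DIAGNOSTICS'
AND    pov.level_id             = 10004              -- User level
AND    pov.profile_option_value = 'Y'
AND    pov.last_update_date     < SYSDATE - 30
ORDER  BY pov.last_update_date;
```

Run both as APPS (or a read-only account with SELECT on these tables) on production and on any non-production instance with DMZ nodes. An empty result from the first query means the option has never been set at any level and the seeded default of ‘No’ applies; a Site-level row with 'Y', or any row for a responsibility assigned to external iStore or iRecruitment users, is the condition the article warns about.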

