Oracle Security Blog

The process of applying security patches starts with identifying which patches to apply. For PeopleSoft, security patches need to be considered for both the application and the major technical components. The application of security patches, referred to by Oracle as Critical Patch Updates (CPUs), for one component DO NOT apply security patches for the other components.

For example, PeopleTools CPU patches DO NOT include database CPUs – applying one will not automatically apply nor include the other. The same holds for WebLogic and Tuxedo CPU patches.

Throughout the summer, Integrigy will be releasing new research on PeopleSoft security. This research focuses on the secure configuration of PeopleSoft and includes both the application and the major technical components such as the database (Oracle RDBMS), WebLogic and Jolt/Tuxedo. Hopefully, these blog posts will be useful.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

No, Oracle security vulnerabilities didn’t just get a whole lot worse this quarter.  Instead, Oracle updated the scoring metric used in the Critical Patch Updates (CPU) from CVSS v2 to CVSS v3.0 for the April 2016 CPU.  The Common Vulnerability Score System (CVSS) is a generally accepted method for scoring and rating security vulnerabilities.  CVSS is used by Oracle, Microsoft, Cisco, and other major software vendors.

Oracle E-Business Suite 11i is impacted by 8 security vulnerabilities in the April 2016 CPU, which includes the Oracle Configurator and Oracle Complex Maintenance, Repair, and Overhaul security bugs listed under the Oracle Supply Chain Products Suite.

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk. 

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle Database.  The CPUs are only available for certain versions of the Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely man

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack.  The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may

Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:

A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.

Come see Integrigy's session at Collaborate 2015 in Las Vegas (http://collaborate.ioug.org/). Integrigy is presenting the following paper:

IOUG #763
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J

With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.

Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements. 

Several standard features of the Oracle database should be kept in mind when considering what alerts and correlations are possible when combining Oracle database and application log and audit data.

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).

On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1.  Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.

Oracle Audit Vault 12c includes a standard interface for BMC Remedy ticketing systems.  You can configure the Oracle Audit Vault to connect to BMC Remedy Action Request (AR) System Server 7.x.  This connection enables the Oracle Audit Vault to raise trouble tickets in response to Audit Vault alerts.