No, Oracle security vulnerabilities didn’t just get a whole lot worse this quarter. Instead, Oracle updated the scoring metric used in the Critical Patch Updates (CPU) from CVSS v2 to CVSS v3.0 for the April 2016 CPU. The Common Vulnerability Score System (CVSS) is a generally accepted method for scoring and rating security vulnerabilities. CVSS is used by Oracle, Microsoft, Cisco, and other major software vendors.
Oracle E-Business Suite 11i is impacted by 8 security vulnerabilities in the April 2016 CPU, which includes the Oracle Configurator and Oracle Complex Maintenance, Repair, and Overhaul security bugs listed under the Oracle Supply Chain Products Suite.
To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk.
With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016. Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October). These patches include important fixes for security vulnerabilities in the Oracle Database. The CPUs are only available for certain versions of the Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely man
With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016. Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October). These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack. The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may
Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:
A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.
Come see Integrigy's session at Collaborate 2015 in Las Vegas (http://collaborate.ioug.org/). Integrigy is presenting the following paper:
IOUG #763
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J
With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.
Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements.
Several standard features of the Oracle database should be kept in mind when considering what alerts and correlations are possible when combining Oracle database and application log and audit data.
Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC. This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).
On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1. Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.
Oracle Audit Vault 12c includes a standard interface for BMC Remedy ticketing systems. You can configure the Oracle Audit Vault to connect to BMC Remedy Action Request (AR) System Server 7.x. This connection enables the Oracle Audit Vault to raise trouble tickets in response to Audit Vault alerts.
Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC. This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU) and has been assigned the CVE tracking identifier CVE-2015-0393. The problem may impact all Oracle E-Business Suite versions including 11.5, 12.0, 12.1, and 12.2. Recent press reports have labeled this vulnerability as a “major misconfiguration flaw.” The security issue is actually broader than just the INDEX privilege that is being reported in the pres
The Oracle Audit Vault has seeded reports for the following compliance and legislative requirements – no additional license is required.
For each compliance statue, following table lists the included reports available –
Add us to your favorite news reader.
Get the latest updates.