Attached files are an information leakage risk for the Oracle E-Business Suite. There are two sources, and the second is not commonly recognized.
It is rare to find customers who are not using Diagnostics to support their Oracle E-Business Suite. However, Diagnostics is commonly overlooked as a source of information leakage. By design, Diagnostics should not be enabled in production, or if it is, it should be enabled only at the user level and for a limited period of time. If your non-production instances have DMZ nodes, then the same advice applies.
The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakage. Especially if you have Internet-facing applications such as iStore, iSupplier or iRecruitment, you need to take steps to secure your implementation against accidental information leakage and provide as little information as possible to anyone who might want to attack you.
As of December 1, 2013, Oracle E-Business Suite 11.5.10 moved into Sustaining Support. Normally, Oracle Sustaining Support does not include security fixes in the form of Critical Patch Updates. However, for 11.5.10 there is an exception until December 2015: Severity 1 fixes, payroll/1099 updates, and Critical Patch Updates will continue to be available.
It all started in January 2005 with Critical Patch Updates (CPU). Then Patch Set Updates (PSU) were added as cumulative patches that included priority fixes as well as security fixes. As of the October 2012 Critical Patch Update, Oracle has changed the terminology to better differentiate between patch types. This terminology will be used for the Oracle Database, Enterprise Manager, Fusion Middleware, and WebLogic.
Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Thursday, August 16, 2:00pm - 3:00pm EDT
Upcoming Webinar: The Manager's Guide to Securing the Oracle E-Business Suite
Wednesday, June 20, 2:00pm - 3:00pm EDT
For those of you who missed this session at the recent Collaborate12 conference, please read on.
InfoWorld magazine today published detailed information regarding Oracle Database security bug CVE-2012-0082, which has associated fixes in Oracle's January 2012 Critical Patch Update. This security vulnerability specifically relates to the Oracle System Change Number (SCN) and ways to increase the SCN beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN) in order to stop processing
Oracle October 2011 CPU - Oracle Database Impact
Thursday, November 3, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2011 CPU and the impact on the Oracle Database. The topics will include: