Oracle E-Business Suite APPS_NE Security Risks

January 27, 2023

The most recent version of the Oracle E-Business Suite, Release 12.2, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or in other words; the APPS_NEW is the APPS schema for the non-editioned database objects.

There are several security implications with regard to APPS_NE:

The same password must be shared among APPLSYS, APPS, and APPS_NE. The default password for APPS_NE is 'APPS.'
APPS_NE has similar elevated system privileges to APPS (e.g. SELECT ANY TABLE), but is not identical. See the listing below for the 56 privileges granted to APPS_NE.
APPS_NE must be logged, audited and monitored APPS_NE as you do APPS. APPS_NE needs to be added to your audit scripts and procedures as well as monitoring solutions

The following lists summarize the system privilege differences between APPS and APPS_NE

-- APPS_NE has 3 privileges APPS does not

CREATE MATERIALIZED VIEW

CREATE SEQUENCE

DROP ANY TYPE

-- APPS has 18 privileges that APPS_NE does not

ALTER ANY PROCEDURE

ALTER DATABASE

ANALYZE ANY DICTIONARY

CHANGE NOTIFICATION

CREATE ANY DIRECTORY

CREATE ANY EDITION

CREATE ANY PROCEDURE

CREATE EXTERNAL JOB

CREATE JOB

CREATE PUBLIC DATABASE LINK

CREATE PUBLIC SYNONYM

DEQUEUE ANY QUEUE

DROP ANY EDITION

DROP ANY PROCEDURE

DROP PUBLIC SYNONYM

ENQUEUE ANY QUEUE

EXECUTE ANY TYPE

MANAGE ANY QUEUE

-- APPS_NE has 56 system privileges

ALTER ANY CLUSTER

ALTER ANY INDEX

ALTER ANY MATERIALIZED VIEW

ALTER ANY OUTLINE

ALTER ANY ROLE

ALTER ANY SEQUENCE

ALTER ANY TABLE

ALTER ANY TRIGGER

ALTER ANY TYPE

ALTER SESSION

ALTER SYSTEM

ANALYZE ANY

COMMENT ANY TABLE

CREATE ANY CLUSTER

CREATE ANY CONTEXT

CREATE ANY INDEX

CREATE ANY MATERIALIZED VIEW

CREATE ANY OUTLINE

CREATE ANY SEQUENCE

CREATE ANY SYNONYM

CREATE ANY TABLE

CREATE ANY TRIGGER

CREATE ANY TYPE

CREATE ANY VIEW

CREATE DATABASE LINK

CREATE MATERIALIZED VIEW

CREATE PROCEDURE

CREATE ROLE

CREATE SEQUENCE

CREATE SESSION

CREATE SYNONYM

CREATE TRIGGER

CREATE TYPE

CREATE VIEW

DELETE ANY TABLE

DROP ANY CLUSTER

DROP ANY CONTEXT

DROP ANY INDEX

DROP ANY MATERIALIZED VIEW

DROP ANY OUTLINE

DROP ANY ROLE

DROP ANY SEQUENCE

DROP ANY SYNONYM

DROP ANY TABLE

DROP ANY TRIGGER

DROP ANY TYPE

DROP ANY VIEW

EXECUTE ANY PROCEDURE

GLOBAL QUERY REWRITE

GRANT ANY ROLE

INSERT ANY TABLE

LOCK ANY TABLE

SELECT ANY SEQUENCE

SELECT ANY TABLE

UNLIMITED TABLESPACE

UPDATE ANY TABLE

If you have any questions, please contact us at info@integrigy.com

References

Oracle E-Business Suite APPLSYS, APPS and APPS_NE
Integrigy Webinar New Security Features in Oracle E-Business Suite 12.2

Oracle E-Business Suite APPS_NE Security Risks

References

Products & Services

Security Resources

About Integrigy

Sales Inquiries

General Questions

Subscribe to the Integrigy's Newsletter