Security Blogs

Oracle Discoverer Security Alert - High impact to SOX Compliance and Financial Reporting

For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of reports are at risk.

Oracle's recommendation is that clients migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Cloud Service, or Oracle Business Intelligence Applications. If you are still using Discoverer, Oracle recommends upgrading to Fusion Middleware 11g patch set 6 (11.1.1.7.0) and to apply the October 2016 Critical Patch Update Discoverer patch (24716502). Be sure to also apply the CPU patches to WebLogic (10.3.6 and higher) and the database supporting the WebLogic repository.

If you have any questions, please contact us at info@integrigy.com

For more information

October 2016 CPU Announcement: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Patch Set Update and Critical Patch Update October 2016 Availability Document (Doc ID 2171485.1)

ALERT: Premier Support Ends Dec 31 2011 for Oracle Fusion Middleware 10g 10.1.2 & 10.1.4 (Doc Id: 1290974.1)

Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12 (Doc Id: 1074326.1)

Using Discoverer 11.1.1 with Oracle E-Business Suite Release 11i (Doc Id: 1073963.1)

Vulnerability, Sarbanes-Oxley (SOX), Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 11i - October 2016 is Last Critical Patch Update

Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts.  As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i.  October 2016 is the last CPU patch for Oracle E-Business Suite 11i.  For 12.0, the last CPU patch was October 2015.

Even though there are no more security patches, many, if not most, vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i.  A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account.  These attacks can easily compromise the entire application and database.

As there are no more security patches for 11i and 12.0, we strongly recommend all 11i and 12.0 customers who have not yet upgraded to 12.x take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.  A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

Reference: AppDefend for the Oracle E-Business Suite

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter.  Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported.  In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 12.1.0.2 or 11.2.0.4.  As these are terminal database releases, the final CPU patch for 12.1.0.2 is July 2021 and for 11.2.0.4 is October 2020.  For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available which include both security fixes and a large number of high priority fixes - Security Patch Updates (SPU) which include only security fixes are not available for 12c.

The October 2016 CPU fixes 12 security bugs in 7 database components.  Only the APEX (Application Express) security bug is remotely exploited without authentication – as with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.

This CPU should be considered HIGH risk due to the 5 security bugs that require only CREATE SESSION privilege in order to exploit.  These bugs can be exploited by any database user and can be used to compromise the entire database.

Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

PeopleSoft Data Mover Security

The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.

When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today at your environment, locate where Data Mover scripts are being stored. The location should be secured to only those with privileges to use Data Mover. Ideally, a source code control tool should be used to store and secure Data Mover scripts.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Process Scheduler Security

When performing a PeopleSoft security audit Integrigy carefully reviews batch processing activity generated through the Process Scheduler. Of particular focus is who has access to administer the Process Scheduler and reviewing batch jobs to identify where jobs are being run with super user privileges.

To look today at your environment for who has access to manage the Process Scheduler, the following can be used:

SELECT A.ROLEUSER, A.ROLENAME, A.DYNAMIC_SW
FROM SYSADM.PSROLEUSER A
WHERE UPPER(A.ROLENAME) = 'PROCESSSCHEDULERADMIN';

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Data Loss

Pete Finnigan - Thu, 2016-09-01 01:26

Quite obviously (well its obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers....[Read More]

Posted by Pete On 31/08/16 At 08:17 PM

Categories: Security Blogs

PeopleSoft User Security

When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.

The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be removed or have their password changed. Carefully consult your documentation but this is a key task.

Default Oracle PeopleSoft Users

BELHR

JCADMIN1

PSJPN

CAN

NLDHR

PSPOR

CFR

PS

TIME

CNHR

PSCFR

UKHR

ESP

PSDUT

UKNI

FRA

PSESP

USA

FRHR

PSFRA

HSHR

GER

PSGER

WEBGUEST

GRHR

PSINE

WEBMODEL

 

  • Stale users – users that have not logged on in months or years should be identified and removed. Use the following SQL to locate stale users:
SELECT * FROM SYSADM.PSPTLOGINAUDIT;

To manage accounts, the following navigation can assist. As it cannot be mentioned enough, BEFORE you disable or delete any user TEST in non-production first.

User management:

  1. Select PeopleTools, Security, User Profiles, User Profiles
  2. Select user to disable or delete
  3. If disabling, check Account Locked Out check box


 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Security Training

Pete Finnigan - Mon, 2016-08-22 21:46

We provide expert Oracle Security training classes world wide to many customers privately and also at public events; either as in person classes where the instructor travels to you or via webex where the instructor teaches the classes remotely. We....[Read More]

Posted by Pete On 22/08/16 At 03:52 PM

Categories: Security Blogs

PeopleSoft Jolt Security

Jolt along with Tuxedo supports PeopleSoft web requests. Specifically, Jolt is the layer between the application server and the web server. It is also described as a Java-enabled version of Tuxedo.

When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Jot security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings. These settings should also be regularly reviewed to ensure against configuration drift.

Field

Description

Recommended Value

Disconnect Timeout

Seconds to wait before disconnecting Oracle Jolt connection. Zero (0) means no limit.

0

Send Timeout

Maximum number of seconds servlet allowed to send a request.

50

Receive Timeout

Maximum number of seconds servlet will wait for a response.

600

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Web Portal Security

When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Web Portal security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings.

These settings should also be regularly reviewed to ensure against configuration drift.

Field

Description

Recommended Value

Allow Public Access

User sign on bypassed when direct link to a page are used – PUBLIC user access.

NULL/Disabled

Days to Autofill User ID

Convenience for users. Caches user Id for x days.

7

View File Time to Live

Number of seconds to wait after sending a file attachment to a user's browser before removing that file from the web server.

Default is 0. Set to 0 (zero) for public area/kiosk

PIA use HTTP Same Server

Use the HTTP protocol instead of HTTPS for requests that are issued by the portal for content hosted on same server.

N

Allow Unregistered Content

Whether both registered and unregistered content is served. Turning this option off will prevent explicitly registered content references from being displayed in the portal.

Y

SSL Secured Access Only

Forces use of SSL. Prevents users from using non-SSL protocols to access any link within this website or application.

Y

Secure Cookie with SSL

Prevents single signon token from traveling over an insecure network. If selected the system sets the secure attribute of the single signon cookie (PS_TOKEN) to True.

Y

Inactivity Warning

Number of seconds that the portal waits before warning users that browser sessions will expire. 

1080

HTTP Session Inactivity

Number of seconds of inactivity after which the HTTP session times out for authenticated users. 

1200

Inactivity Logout

Number of seconds of the inactivity timeout interval that applies to PeopleSoft applications to which a user is signed in. 

1200

Show Connection Information

Generates system information page when a user presses Ctrl+J. Shows:

browser, OS, PeopleTools release, application release, service pack, page definition name, component definition name, menu definition name, user ID, database name, database type, and application server address

Off/Null

Show Trace Link at Signon

Displays URL link at sign-in for setting trace parameters.

FALSE

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Categories: APPS Blogs, Security Blogs

Data Exposure, leakage and Reporting

Pete Finnigan - Wed, 2016-08-10 16:46

I have had an interesting few interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website....[Read More]

Posted by Pete On 10/08/16 At 10:23 AM

Categories: Security Blogs

Oracle Security Talks, Training and Conferences

Pete Finnigan - Mon, 2016-08-08 09:46

Kamil Stawiarski who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland has invited me to speak....[Read More]

Posted by Pete On 08/08/16 At 12:48 PM

Categories: Security Blogs

PeopleSoft Encryption

Protection of sensitive data while at-rest, in-motion or in-use all need to be addressed as part of a holistic security strategy. This includes both Personally Identifiable Information (PII) as well as sensitive PeopleSoft system configurations.

When performing a PeopleSoft security audit, Integrigy reviews the use and implementation of encryption within all components of the PeopleSoft technology stack. This includes the following, all which are critical. Review yours today and contact Integrigy with any questions.

  • Implementation of Oracle Advanced Security Option (ASO) for Transparent Data Encryption (TDE), Oracle Wallets and encryption key management for database encryption
  • Configuration of SQL-NET encryption between database server, application and web servers
  • PeopleSoft Pluggable Encryption Technology (PET)
  • PeopleSoft client and web services connections. Specifically, we look to ensure that both internal and external network traffic is encrypted using TLS not SSL to encrypt network traffic. TLS is the successor to SSL and is considered more secure.
  • Encryption of Tuxedo configurations using the PSADMIN utility
  • Encryption of PeopleSoft web server configurations by generating or implementing a new PSCipher key to encrypt values in the web server configuration files.
  • Encryption of the Template file. The Template file is used to share configurations among multiple environments (Test, Dev Prod etc...) and passwords stored in the file MUST be encrypted and should not be stored in clear text.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Encryption, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft PUBLIC User Security

PeopleSoft Public users are not required to authenticate (sign on). These are generic accounts created for specific purposes, for example informational pages and/or company directories. Public users are also not subject to timeouts (session inactivity). Because no authentication is required, no sensitive data should be accessible to these users. It also goes without saying, that if you don’t need Public accounts, don’t use them.

When performing a PeopleSoft security audit, Integrigy identifies Public users and analyzes their authorization privileges. To do this yourself, use the SQL below to list your public users and then query the application or database to look at their authorization privileges.

--List the public users
SELECT O.OPRID, O.OPRDEFNDESC, O.ACCTLOCK, O.LASTPSWDCHANGE, O.FAILEDLOGINS,O.ENCRYPTED, O.EMPLID
FROM SYSADM.PSWEBPROFILE P, SYSADM.PSOPRDEFN O
WHERE P.BYPASSSIGNON = 'Y'
AND P.DEFAULTUSERID = O.OPRID;

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.1 and 12.2 Support for TLS 1.2 Added

Oracle has released support for TLS 1.2 in Oracle E-Business Suite 12.1 and 12.2.  Previously, Oracle E-Business Suite only supported SSLv3 and TLS 1.0, which are no longer approved for use with Federal systems and are not PCI-DSS compliant as of June 2014.  For TLS 1.2 support, new My Oracle Support (MOS) documents are available:

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

Enabling TLS in Oracle E-Business Suite Release 12.1 (Doc ID 376700.1)

Oracle E-Business Suite 11.5 and 12.0 are desupported, therefore, these versions will continue to only support SSLv3 and TLS 1.0.

Integrigy recommends all Oracle E-Business Suite implementations use an external SSL/TLS termination point, such as an F5 BIG-IP load balancer, rather than the Oracle E-Business Suite TLS implementation in order to provide a more robust TLS implementation and allow for faster patching of the SSL technology stack.  In addition, an external TLS termination point is usually maintained by network and/or security staff for multiple applications, thus off-loading this responsibility from the Oracle DBAs who often have only limited experience with the complexity of network encryption and certificates.  Although, the one disadvantage is that the network traffic between the load balancer and Oracle E-Business Suite application server is unencrypted, however, this is normally limited to VLANs within the data center.

Encryption, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

PeopleSoft Guest User Security

Being hospitable and welcoming to guests is usually considered good manners.  That said, being a gracious host does not mean you should be careless with your security.

With regard to PeopleSoft application security, the user GUEST is a default account created with the installation of PeopleSoft.  When performing a PeopleSoft security audit, several attributes of the GUEST user are reviewed, including the following -  take a look today at your settings:

For the GUEST user:

  • Change the default password
  • Ensure does not have access to sensitive menus and/or roles, including not having access to the following:
  • The role ‘PeopleSoft User’
  • Any role that includes the permission list PTPT1000
  • The role ‘PAPP_USER’
  • Any role that includes the permission list PAPP0002

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security User Authorization Audits

When performing a PeopleSoft security audit, reviewing what rights and privileges individual users have been granted for system and application security privileges (authorization) is one of the key deliverables. The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

Review users with access to

  • PeopleTools
  • The SQR folder
  • Process scheduler
  • Security and other sensitive administration menus
  • Security and other sensitive administration roles
  • Web profiles
  • PeopleSoft Administrator Role
  • Correction mode

To check access to PeopleTools, use the following. If you need assistance with the other topics, let us know –

-- Access to PeopleTools

SELECT UNIQUE  A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME
FROM SYSADM.PSOPRDEFN A, SYSADM.PSROLEUSER B
WHERE A.OPRID = B.ROLEUSER
AND upper(B.ROLENAME) ='PEOPLETOOLS'
ORDER BY A.OPRID,B.ROLENAME;

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Integration Broker (IB) Security

Securing the PeopleSoft Integration Broker (IB) ensures the security of messaging both within PeopleSoft applications and among third-party systems. The following are several of the key tasks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Ensure all inbound requests are required to use Secure Socket Layer security/Transport Layer Security (SSL/TLS)
  • Ensure that the default the PSKEY  password has been changed - The PSKEY is keystore contains all root and node certificates used by the Integration Gateway and PIA. Using the default or weak password is not best practice.
  • Ensure the IB node ANONYMOUS is appropriately privileged.  If IB connections do not specify a node name and credentials, IB will try to use the ANONYMOUS node and the “default user ID” tied to that node. This default user must not be a highly privileged user and should be granted the least number of privilege possible.
  • Review all other nodes for permissions appropriate for the business services supported by the node. Best practice is to use a unique UserID for each node that only has appropriate permissions to only to the required objects or related sets of operations.

The following attributes are also reviewed that govern IB activity :

Integration Broker Profile Values

Field

Description

Recommendation

IB_PROFILESTATUS

IB Profile Status. If enabled, IB will show performance information.

For production or Internet facing set to off.

IB_ENABLELOG

Enables logging

 

For production or Internet facing set to off.

IB_LOGLEVEL

Log Level  (if logging is enabled)

1= Standard gateway exception errors.

  1. 2 = All errors and warnings (Default.)
  • 3 = Errors, warnings and important information.
  • 4 = Errors, warnings, important and standard information.
  • 5= Errors, warnings important, standard and low importance information

Default: 2

IB_DEPTHLIMIT

Checks for recursion within messages (number of levels) to ensure that messages do not reference themselves.

Value between 3 and 50

Default: 20

IB_MASTER_OVERRIDE

Determines if Master processing returns statistics in the Output Information section after a Post.

For production or Internet facing set to off.

IB_PRE_848

Pre-848 Tools Release

Default is N

IB_MULTIACT_DOMAIN

By default, only one domain may be active in the Integration Broker system. However, PeopleSoft provides the option to enable the activation of multiple domains.

Off unless required.

IB_USEIPADDRESS

Determines if the application server URL for a synchronous slave template uses the application server IP address:  e.g. URL format from <machine name>:<jolt port> to IP address

On

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Security Expert Seminar

Pete Finnigan - Fri, 2016-07-08 21:46

I am happy to announce that I will be teaching a five day Oracle Security expert seminar class with Oracle University at Oracle offices in Reading, UK from September 26th to September 30th 2016. This is a 5 days expert....[Read More]

Posted by Pete On 08/07/16 At 02:45 PM

Categories: Security Blogs

PeopleSoft Logging and Auditing

Logging and auditing are one of the pillars of PeopleSoft Security.  Both application and database auditing is required. Logging and auditing support a trust-but-verify approach which is often deemed required to secure the activities of privileged system and database administrators.

While both the application and database offer sophisticated auditing solutions, one key feature Integrigy always recommends is to ensure that EnableDBMononitoring is enabled within the psappssrv.cfg file. This is set by default but we at times find it disabled.

When enabled EnableDBMononitoring allows PeopleSoft application auditing to bridge or flow into database auditing. This is done by populating the Oracle Client_Info variable with the PeopleSoft User Id, IP address and program name. With Oracle RDBMS auditing enabled, anything written to Client_Info is also written into the database audit logs.

In other words, with both database and EnableDBMononitoring enabled, you can report on which user updated what and when – not just that the PeopleSoft application or ‘Access ID’ issued an update statement.

The graphics below we commonly use to help review Integrigy’s approach to PeopleSoft logging and auditing.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft, Auditor
Categories: APPS Blogs, Security Blogs

Pages

Subscribe to Oracle FAQ aggregator - Security Blogs