Security Blogs

PFCLScan - A Security Scanner For Oracle Databases - New Website

Pete Finnigan - 14 hours 5 min ago
Our software product PFCLScan can be used to assess your Oracle databases for security issues that could make your data vulnerable to loss or attack. PFCLScan initially had its own website, PFCLScan.com but since the restyle and redesign of our....[Read More]

Posted by Pete On 22/03/17 At 08:24 PM

Categories: Security Blogs

Integrigy COLLABORATE 17 Sessions - Presentations on Oracle Database, Oracle E-Business Suite, and PeopleSoft Security

Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/). The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group.

Here is our schedule. If you have questions or would like to meet with us while at COLLABORATE 17, please contact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM - 2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM - 2:45 PM

How to Control and Secure Your DBAs and Developers in Oracle E- Business Suite

https://app.attendcollaborate.com/event/member?item_id=5740411

South Seas F

Speaker: Michael Miller

Monday Apr 03, 2017

9:45 AM - 10:45 AM

The Thrifty DBA Does Database Security

https://app.attendcollaborate.com/event/member?item_id=5660960

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions. Contact us at info@integrigy.com to arrange.

Tuesday Apr 04, 2017

9:45 AM - 10:45 AM

Solving Application Security Challenges with Database Vault

https://app.attendcollaborate.com/event/member?item_id=5660961

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions. Contact us at info@integrigy.com to arrange.

Wednesday Apr 05, 2017

9:45 AM - 10:45 AM

When You Can't Apply Database Security Patches

https://app.attendcollaborate.com/event/member?item_id=5660962

Jasmine D

Speaker: Stephen Kost

11:00 AM - 12:00 PM

Common Mistakes When Deploying Oracle E-Business Suite to the Internet

https://app.attendcollaborate.com/event/member?item_id=5621520

South Seas B

Speaker: Stephen Kost

1:30 PM - 2:30 PM

Securing Oracle 12c Multitenant Pluggable Databases

https://app.attendcollaborate.com/event/member?item_id=5660950

Palm A

Speaker: Michael Miller

2:45 PM - 3:45 PM

How to Control and Secure Your DBAs and Developers in PeopleSoft

https://app.attendcollaborate.com/event/member?item_id=5617942

Ballroom J

Speaker: Michael Miller

Thursday Apr 06, 2017

8:30 AM - 9:30 AM

Oracle E-Business Suite Mobile and Web Services Security

https://app.attendcollaborate.com/event/member?item_id=5621407

South Seas B

Speaker: Michael Miller

You can download a complete listing of Integrigy's sessions at Integrigy COLLABORATE 17 Sessions.

Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security

This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:

Guide to PeopleSoft Logging and Auditing

How to Control and Secure PeopleSoft DBAs and Developers

PeopleSoft Database Security

PeopleSoft Database Secure Baseline Configuration

PeopleSoft Security Quick Reference

If you have any questions, please contact us at info@integrigy.com

Oracle PeopleSoft, Whitepaper
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 REST Web Services

This is the fourth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying REST services with 12.2 is straightforward. REST is an architectural style and not a protocol, and it is best used to support lightweight and "chatty" interfaces such as Mobile applications. With 12.2, REST Web Application Description Language (WADL) interface definition files are generated within the E-Business Suite's WebLogic server and run through the OAFM application. The OAFM application is created with the installation of the Oracle E-Business Suite.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Validating The Length Of An Oracle Database Hashed password?

    Pete Finnigan - Thu, 2017-03-16 06:06
    Q: Can I validate the length of a password in the Oracle database from the password hash? I have been asked this question a number of times over the years. Even someone emailed me to confirm the answer to this....[Read More]

    Posted by Pete On 15/03/17 At 07:52 PM

    Categories: Security Blogs

    Default Password Hashes for 11g Oracle Database

    Pete Finnigan - Tue, 2017-03-14 17:26
    I often get Oracle Security related questions from people randomly sent to my inbox or occasionally on Social media and less on this site's forum. I get questions on average probably 4 times per week in these ways. I....[Read More]

    Posted by Pete On 14/03/17 At 06:16 PM

    Categories: Security Blogs

    Deploying Oracle E-Business Suite Web Services

    This is the third posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

    Web services are physically deployed differently depending on whether they are defined using Representational State Transfer (REST) or Simple Object Access Protocol (SOAP). Logically, however, both REST and SOAP web services are deployed from within the Integrated SOA Gateway (ISG). Refer to the E-Business Suite's documentation for details, but from within the Integrated SOA Gateway, users can deploy web services by locating the particular web service and then clicking on the "Deploy" button.

    If you have any questions, please contact us at info@integrigy.com

    -Michael Miller, CISSP-ISSMP, CCSP, CCSK

    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 12.2 Mobile and Web Services Architecture

    This is the second posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

    Approximately 2,900 web services are created with an update to or installation of 12.2 and are defined in the table APPLSYS.FND_IREP_CLASSES. Within the Oracle E-Business Suite's user interface, the Integrated SOA Gateway (ISG) module is used to deploy the web services defined in APPLSYS.FND_IREP_CLASSES. Key to understanding the 12.2 web services architecture is that ALL web services are defined in the Service Oriented Architecture (SOA) Gateway; this includes both Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) web services.

    The E-Business Suite's Mobile and smartphone applications are deployed internally as REST services and are likewise defined in the Integrated SOA Gateway and stored in the table APPLSYS.FND_IREP_CLASSES. The graphic below depicts the addition of web services and helps to visualize the increased attack surface that needs to be secured.

    [Figure: Oracle E-Business Suite 12.2 web services architecture; image not available in this copy]

    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    12.2 is Available For Download For Linux And Solaris

    Pete Finnigan - Thu, 2017-03-02 11:06
    The Oracle database 12.2 has been available on the cloud for some time but it has not been available for download so that you can install it on your own servers or virtual Machines. You can download from OTN or....[Read More]

    Posted by Pete On 02/03/17 At 09:10 AM

    Categories: Security Blogs

    Delete from AUD$

    Pete Finnigan - Tue, 2017-02-28 22:26
    We have been working on a new audit trail toolkit / product for some time now which is called PFCLATK - The PFCL means "P"ete"F"innigan."C"om "L"imited so most of our tools products end up with a consistent name starting PFCL....[Read More]

    Posted by Pete On 28/02/17 At 01:06 PM

    Categories: Security Blogs

    Oracle E-Business Suite Mobile and Web Services Security - What You Need To Know

    Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors. To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect. This also makes the Oracle E-Business Suite, like other ERP platforms, vulnerable to automated attacks. Threat actors only need to compromise one publicly facing URL or web service, which, given the size and complexity of the Oracle E-Business Suite, makes securing it a somewhat daunting task.

    Starting with version 12.1 and continuing with 12.2, the Oracle E-Business Suite delivers a considerable amount of new web services and Mobile functionality as standard core functionality. Much, if not most, of this new Mobile and web services functionality replicates functionality previously only available through the traditional user interface forms and/or public interfaces, and these new web services can be easily deployed on the Internet through a DMZ node. The security implication of 12.2's increased web services capabilities is that the Oracle E-Business Suite's attack surface has increased and is harder to defend.

    This blog series summarizes the new Mobile and web services functionality and reviews their security features before recommending best practices for using them securely.

    If you have any questions, please contact us at info@integrigy.com

    -Michael Miller, CISSP-ISSMP, CCSP, CCSK

    Web Services
    Categories: APPS Blogs, Security Blogs

    Fourteenth Anniversary For PeteFinnigan.com Limited And New Website

    Pete Finnigan - Thu, 2017-02-23 14:26
    Wow, has it really been fourteen years since I started PeteFinnigan.com Limited? - Time has gone so fast and business is getting better and better. We have great customers, great Oracle Security trainings and consulting projects meeting new people and....[Read More]

    Posted by Pete On 23/02/17 At 06:33 PM

    Categories: Security Blogs

    Oracle Database 11.2.0.4 and 12.1.0.2 New CPU End Dates

    With the upcoming on-premise release of Oracle Database 12.2.0.1, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 11.2.0.4 and 12.1.0.2. Currently (as of January 2017), only 11.2.0.4 and 12.1.0.2 are supported for CPUs.

    The CPU end dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0.4 and July 2021 for 12.1.0.2. The first year of Extended Support for both versions is free: until December 2018 for 11.2.0.4 and July 2019 for 12.1.0.2.

    All Oracle databases should be updated to either 11.2.0.4 or 12.1.0.2, which provides at least three years of CPU support. To ensure database security and minimize Oracle support costs, organizations should plan to upgrade 11.2.0.4 and 12.1.0.2 databases in 2018 and move to 12.2 at that time. All new databases should be 12.1.0.2, and organizations should look to begin production use of 12.2 in late 2017 or with the release of 12.2.0.2 in early 2018.

    For databases that are not currently upgraded to 11.2.0.4 or 12.1.0.2, you must mitigate the risk of not applying security patches, as there are at least 27 moderate- to high-risk unpatched security vulnerabilities in unsupported versions. A number of these vulnerabilities allow any user, even with only CREATE SESSION, to compromise the entire database. At a minimum, you must harden the database, limit network access as much as possible, review access and privileges, and enable auditing and monitoring in order to potentially identify attacks and compromises.

    See MOS Support Note 742060.1 for more information on Oracle Database version support.

    Oracle Database, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite: 250 Security Vulnerabilities Fixed in the Last Year

    Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017. The past five Oracle Critical Patch Updates (CPU) have each included double- or triple-digit numbers of fixes for Oracle E-Business Suite. Almost all of these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite, including 11i, 12.0, 12.1, and 12.2. Many of the 250 security vulnerabilities fixed are high-risk vulnerabilities such as SQL injection, cross-site scripting (XSS), XML external entity attacks, and privilege escalation.

    Unless your organization is applying the CPU patches immediately and has hardened the application, the Oracle E-Business Suite is extremely vulnerable and easily exploitable. Significant defensive measures are required to protect Oracle E-Business Suite, especially installations with Internet-facing modules such as iSupplier, iStore, iRecruitment, and iSupport. A key layer of defense is Integrigy's web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attacks such as SQL injection and cross-site scripting (XSS) and from common Oracle E-Business Suite security misconfigurations.

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 11i - Critical Patch Updates Extended for Tier 1 Support

    As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional-fee Tier 1 support/Advanced Contract Support (ACS) customers. Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts. See My Oracle Support Note ID 1596629.1 for more information.

    Almost all security vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i. A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account. These attacks can easily compromise the entire application and database. In the past year, Oracle has fixed 250 security vulnerabilities in Oracle E-Business Suite 11i and R12.

    Oracle E-Business Suite 11i customers without Tier 1 support, as well as 12.0 customers, should take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially installations with Internet-facing modules such as iSupplier, iStore, iRecruitment, and iSupport. A key layer of defense is Integrigy's web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attacks such as SQL injection and cross-site scripting (XSS) and from common Oracle E-Business Suite security misconfigurations.

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Two New Oracle Security Public Class Dates

    Pete Finnigan - Thu, 2017-01-12 15:26

    I will be teaching two of my Oracle Security classes with Oracle University soon. The first is my class "Securing and Locking Down Oracle Databases". This class will be taught on the 24th January on-line via the Oracle LVC platform....[Read More]

    Posted by Pete On 12/01/17 At 02:47 PM

    Categories: Security Blogs

    Oracle Security And Merry Xmas And A Happy New Year

    Pete Finnigan - Fri, 2016-12-16 21:46

    I want to wish all readers of my site and this blog a very happy Christmas and a very prosperous New Year!! It has been some time since my last blog post; that's because we have been incredibly busy on....[Read More]

    Posted by Pete On 16/12/16 At 08:54 PM

    Categories: Security Blogs

    Oracle Discoverer Security Alert - High impact to SOX Compliance and Financial Reporting

    For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) includes a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability in the Discoverer EUL Code and Schema and has a base score of 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of reports are at risk.

    Oracle's recommendation is that clients migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Cloud Service, or Oracle Business Intelligence Applications. If you are still using Discoverer, Oracle recommends upgrading to Fusion Middleware 11g patch set 6 (11.1.1.7.0) and to apply the October 2016 Critical Patch Update Discoverer patch (24716502). Be sure to also apply the CPU patches to WebLogic (10.3.6 and higher) and the database supporting the WebLogic repository.

    If you have any questions, please contact us at info@integrigy.com

    For more information:

    October 2016 CPU Announcement: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

    Patch Set Update and Critical Patch Update October 2016 Availability Document (Doc ID 2171485.1)

    ALERT: Premier Support Ends Dec 31 2011 for Oracle Fusion Middleware 10g 10.1.2 & 10.1.4 (Doc ID 1290974.1)

    Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12 (Doc ID 1074326.1)

    Using Discoverer 11.1.1 with Oracle E-Business Suite Release 11i (Doc ID 1073963.1)

    Vulnerability, Sarbanes-Oxley (SOX), Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 11i - October 2016 is Last Critical Patch Update

    Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional-fee Tier 1 support contracts. As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i. October 2016 is the last CPU patch for Oracle E-Business Suite 11i. For 12.0, the last CPU patch was October 2015.

    Even though there are no more security patches, many, if not most, vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i. A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account. These attacks can easily compromise the entire application and database.

    As there are no more security patches for 11i and 12.0, we strongly recommend that all 11i and 12.0 customers who have not yet upgraded to 12.x take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially installations with Internet-facing modules such as iSupplier, iStore, iRecruitment, and iSupport. A key layer of defense is Integrigy's web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attacks such as SQL injection and cross-site scripting (XSS) and from common Oracle E-Business Suite security misconfigurations.

    Reference: AppDefend for the Oracle E-Business Suite

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

    The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter. Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported. In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 12.1.0.2 or 11.2.0.4. As these are terminal database releases, the final CPU patch for 12.1.0.2 is July 2021 and for 11.2.0.4 is October 2020. For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available, which include both security fixes and a large number of high-priority fixes; Security Patch Updates (SPU), which include only security fixes, are not available for 12c.

    The October 2016 CPU fixes 12 security bugs in 7 database components. Only the APEX (Application Express) security bug is remotely exploitable without authentication; as with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.

    This CPU should be considered HIGH risk due to the 5 security bugs that require only the CREATE SESSION privilege in order to exploit. These bugs can be exploited by any database user and can be used to compromise the entire database.

    Oracle Database, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs
