The prior blog post (PeopleSoft Security Patches) reviewed PeopleSoft CPU patching. Worthy of its own post is the October 2014 CPU. A show of hands back in April at our PeopleSoft database security presentation at Collaborate 2016 (PeopleSoft Database Security) further confirmed Integrigy’s research that a surprising number of PeopleSoft installations have not applied this patch.
The PeopleTools October 2014 CPU (8.52.24, 8.53.17, 8.54.04) fixes a critical issue with the security of the database passwords for the Connect and Access Ids. This patch MUST be applied in order to safeguard the password for the Access Id (e.g. SYSADM) – regardless of how complex you have made it. The details of the specific vulnerability are best not given further explanation on the Internet.
That said, if you have not already applied the October 2014 CPU or any CPU since (they are cumulative) and you have questions or concerns, please contact us at email@example.com
Michael A. Miller, CISSP-ISSMP, CCSP
I will be teaching 5 days on my Oracle security classes in Paris from 20th June to 24th June with Oracle University at their offices and training suite. Details of the Oracle Security Event and how to register on Oracles...
Posted by Pete On 06/06/16 At 09:59 AM
I will be at the Amis conference next Friday in Leiden, not far from Amsterdam in Holland. The conference is held over two days, June 2nd and 3rd, but I will be there just on the Friday due to other...
Posted by Pete On 26/05/16 At 11:28 AM
I spoke yesterday about compartmentalising Oracle Security and one element that comes out of this is the need to consider what you are trying to achieve: secure actual data and also secure the platform. In general applying security patches will...
Posted by Pete On 25/05/16 At 12:51 PM
I have been teaching security classes about Oracle Security for many years and they are very popular and I teach many classes per year around the world, mostly in the UK and EEC, but I also venture to the Middle...
Posted by Pete On 24/05/16 At 12:43 PM
I was asked by Delphix earlier this year to review their product with a particular focus on Oracle security of course. I wrote two papers; the first about Data Masking and Delphix and the second about securing data in non-production...
Posted by Pete On 23/05/16 At 11:23 AM
I did a webinar with Delphix on 30th March 2016 on USA time. This was a very good session with some great questions at the end from the attendees. I did a talk on Oracle Security in general, securing non-production...
Posted by Pete On 01/04/16 At 03:43 PM
I have just updated the public Oracle Security training dates on our Oracle Security training page to remove the public trainings that have already taken place this year and to add a new training in York for 2016. After the...
Posted by Pete On 31/03/16 At 01:53 PM
My daily work is helping my customers secure their Oracle databases. I do this in many ways, from performing detailed security audits of key databases to helping in the design of secure lock down policies to creating audit trails to teaching...
Posted by Pete On 14/03/16 At 08:45 AM
The process of applying security patches starts with identifying which patches to apply. For PeopleSoft, security patches need to be considered for both the application and the major technical components. Applying the security patches, which Oracle refers to as Critical Patch Updates (CPUs), for one component DOES NOT apply security patches for the other components.
For example, PeopleTools CPU patches DO NOT include database CPUs; applying one will neither automatically apply nor include the other. The same holds for WebLogic and Tuxedo CPU patches.
CPUs for PeopleTools releases are provided for up to 24 months after the next minor release is generally available. The following table will assist in analyzing the certification status of your PeopleTools CPU level against the other key PeopleSoft technical components:
Table columns: PeopleTools release, PT Generally Available Date, PT CPU Delivered Through (the table rows are not reproduced here)
- WebLogic 10.3.6.x is supported through December 2018
- WebLogic 12.1.2.x is supported through 6/2016
- WebLogic 12.1.3.x is supported through 12/2017 and will be the terminal release of 12.1.x
- Tuxedo support dates: 10.3 through 12/2016, 12.1.3 through 2020; all 11.x releases and 12.1.1 end in 2018
If you have questions, please contact us at firstname.lastname@example.org
Michael A. Miller, CISSP-ISSMP, CCSP
Throughout the summer, Integrigy will be releasing new research on PeopleSoft security. This research focuses on the secure configuration of PeopleSoft and includes both the application and the major technical components such as the database (Oracle RDBMS), WebLogic and Jolt/Tuxedo. Hopefully, these blog posts will be useful.
If you have questions, please contact us at email@example.com
Michael A. Miller, CISSP-ISSMP, CCSP
In my Oracle security training classes I use a couple of sample applications for various demonstrations. I teach people how to perform security audits of Oracle databases, secure coding in PL/SQL, designing audit trail solutions and locking down Oracle. We...
Posted by Pete On 10/03/16 At 11:07 AM
I attended the UKOUG conference last week Monday to Wednesday in Birmingham. This is the first year for three years that it has been back at the ICC in the center of Birmingham. The last two years have seen the...
Posted by Pete On 14/12/15 At 08:54 PM
We ran a five day Oracle Security training event in York, England from September 21st to September 25th at the Holiday Inn hotel. This proved to be very successful and good fun. The event included back to back teaching by...
Posted by Pete On 22/10/15 At 08:49 PM
I wrote a presentation on designing and building practical audit trails back in 2012 and presented it once and then never again. By chance I did not post the PDFs of these slides at that time. I did though some...
Posted by Pete On 01/10/15 At 05:16 PM
Oracle Application Express is a great rapid application development tool where you can write your application's functionality in PL/SQL and create the interface easily in the APEX UI using all of the tools available to create forms and reports and...
Posted by Pete On 21/07/15 At 04:27 PM
No, Oracle security vulnerabilities didn’t just get a whole lot worse this quarter. Instead, Oracle updated the scoring metric used in the Critical Patch Updates (CPU) from CVSS v2 to CVSS v3.0 for the April 2016 CPU. The Common Vulnerability Scoring System (CVSS) is a generally accepted method for scoring and rating security vulnerabilities. CVSS is used by Oracle, Microsoft, Cisco, and other major software vendors.
As we have discussed previously, CVSS v2 did score Oracle security vulnerabilities for the database, middleware, and applications lower than operating system and network component vulnerabilities. Contrary to what many security researchers claim, the problem is with the CVSS standard, not manipulation of the scores by Oracle. CVSS v2 puts a premium on the ability to compromise the entire operating system (i.e., the root account) or device. For most Oracle security vulnerabilities, across all products, it is very difficult to compromise the root operating system account by exploiting an Oracle Database, Fusion Middleware, or application (Oracle E-Business Suite, PeopleSoft, etc.) security bug. There are some exceptions, mostly limited to the Oracle Database running on Microsoft Windows Server, where the bug does allow compromise of the administrator account.
To account for this limitation in CVSS, Oracle included in the CPU advisory matrices for informational purposes only a “Partial+” to indicate where the entire database, middleware server, or application could be compromised. However, this was not reflected in the score since the CVSS standard says a “Complete” impact “… is total information disclosure, resulting in all system files being revealed.” As a result, Oracle CVSS v2 scores for critical or severe bugs tended to be 6.5 for the Oracle Database, 7.5 for Fusion Middleware, and 6.4 for applications like the Oracle E-Business Suite and PeopleSoft.
CVSS v3.0 changes the scoring to put more of an emphasis on the asset or component being protected (i.e., the database or application). The key CVSS definition has changed from “system” to “impacted component.” The scoring algorithm also includes more granularity for the privileges required to exploit and for the scope of the exploit, such as whether a database attack can compromise the underlying operating system.
The Oracle CVSS v3.0 scores will be much higher now, especially for Fusion Middleware and applications like Oracle E-Business Suite and PeopleSoft. Critical Fusion Middleware security bugs will rise from 7.5 to 9.8. Oracle E-Business Suite and PeopleSoft critical security bugs like unauthenticated SQL injection will jump from 6.4 to 9.8. As almost all Oracle Database security bugs require database authentication, the Oracle Database CVSS scores will go from 6.5 to 8.8 for easy-to-exploit SQL injection vulnerabilities in PUBLIC packages.
The critical risk associated with most Oracle security vulnerabilities is still critical. Now the CVSS score properly reflects the critical nature of many of these bugs.
Oracle E-Business Suite 11i is impacted by 8 security vulnerabilities in the April 2016 CPU, which includes the Oracle Configurator and Oracle Complex Maintenance, Repair, and Overhaul security bugs listed under the Oracle Supply Chain Products Suite.
Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11i security patches are only available for Oracle customers with Tier 1 Support contracts, previously referred to as Advanced Customer Support (ACS). Tier 1 Support must be purchased and is an additional fee on top of standard Oracle maintenance. Optional Tier 1 Support will include CPU security patches through October 2016.
CPU information for 11i has been moved from the standard quarterly CPU My Oracle Support (MOS) note for Oracle E-Business Suite to MOS Note ID 2126170.1 “Oracle E-Business Suite Release 11i Critical Patch Update Knowledge Document (For Oracle E-Business Suite 11i Tier 1 Support Customers).”
For more information on CPU support for 11i, please see MOS Note ID 1596629.1 “ANNOUNCEMENT: Additional Coverage Options for 11.5.10 E-Business Suite Sustaining Support.”
As an alternative to Oracle Tier 1 Support or as an additional layer of defense for Oracle E-Business Suite 11i, Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, provides virtual patching of Oracle E-Business Suite web security vulnerabilities, web application attack surface reduction, and protection from SQL injection and cross-site scripting (XSS) attacks.
How do Oracle Security and Electronics mix together? Well, I started my working life in 1979 as an apprentice electrician in a factory here in York, England where I live. The factory designed and built trains for the national...
Posted by Pete On 09/07/15 At 11:24 AM
In the last few years I have not done as many conference speaking dates as I used to. This is simply because when offered they usually clashed with pre-booked work. I spoke for the UKOUG in Dublin last year and...
Posted by Pete On 06/07/15 At 09:40 AM