Attached files are an information leakage risk for the Oracle E-Business Suite. There are two sources, and the second is not commonly recognized.
The first source is straightforward. Users of the E-Business Suite are free to upload and attach files with content at their discretion. There is nothing to prevent users from attaching files with confidential information such as credit card and/or social security numbers other than business policies supported by security awareness training. Because of this, the risk of information leakage with attached files is best mitigated by purging attached files on a regular basis.
The second source is less obvious and stems from the fact that, besides attachments, the Oracle E-Business Suite also retains file exports in the same table with attachments. There is a risk of information leakage with these file exports. For example, if your Human Resources department regularly exports to Excel from Forms, it is likely you will have a large number of export files. Due to the nature of Human Resources data, this probably means that you have sensitive information stored in these files.
By design the Oracle E-Business Suite needs to purge attached files. It is through the purge process for attached files that file-exports files are removed. However, many organizations do not regularly purge attachments. Integrigy’s security assessment services can assist with scanning your attached files for sensitive data.
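An added example, not from the original post, that inventories the generic file manager table to show how much attachment and export data is waiting to be purged. It assumes the standard EBS data model in which FND_LOBS holds the file content and FND_DOCUMENTS.MEDIA_ID references FND_LOBS.FILE_ID for file-type attachments (DATATYPE_ID = 6); rows with no FND_DOCUMENTS reference are treated here as export or other generic file manager data, which is an assumption to verify on your instance.

```sql
-- Added example (not from the original post). Assumes the standard FND_LOBS /
-- FND_DOCUMENTS relationship; the 'export/other' classification is an assumption.
-- 1) Purge backlog by file kind and originating program
SELECT CASE WHEN d.media_id IS NULL THEN 'export/other' ELSE 'attachment' END AS file_kind,
       l.program_name,
       COUNT(*)                                                          AS files,
       ROUND(SUM(DBMS_LOB.GETLENGTH(l.file_data)) / 1024 / 1024)         AS size_mb,
       MIN(l.upload_date)                                                AS oldest_upload,
       SUM(CASE WHEN l.expiration_date < SYSDATE THEN 1 ELSE 0 END)      AS expired_not_purged
FROM   fnd_lobs l
LEFT JOIN fnd_documents d
       ON d.media_id    = l.file_id
      AND d.datatype_id = 6                 -- 6 = 'File' in FND_DOCUMENT_DATATYPES (assumption)
GROUP BY CASE WHEN d.media_id IS NULL THEN 'export/other' ELSE 'attachment' END,
         l.program_name
ORDER BY size_mb DESC NULLS LAST;

-- 2) Cheap first pass for files whose names suggest sensitive HR/finance content.
--    File names are only a hint; the content itself still needs scanning.
SELECT l.file_id, l.file_name, l.file_content_type, l.upload_date, l.program_name
FROM   fnd_lobs l
WHERE  REGEXP_LIKE(l.file_name, 'ssn|social|salary|payroll|credit|card|tax|1099|w-?2', 'i')
ORDER BY l.upload_date;
```

Run as APPS; a large 'export/other' bucket with a high expired_not_purged count is the symptom the post describes, and the Purge Obsolete Generic File Manager Data program is the supported way to clear it.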
If you have any questions about this or Oracle E-Business Security, please contact us at email@example.com
-Michael Miller, CISSP-ISSMP
References
- Questions on Purge Obsolete Generic File Manager Data (MOS Doc ID 1165208.1)
- Purging Strategy for eBusiness Suite 11i (MOS Doc ID 732713.1)
It is rare to find customers who are not using Diagnostics to support their Oracle E-Business Suite. However, Diagnostics is commonly overlooked as a source of information leakage. By design, Diagnostics should not be enabled in production, or if it is, it should be enabled only at the user level and for a limited period of time. If your non-production instances have DMZ nodes, then the same advice applies.
Setting the profile option ‘FND: Diagnostics’ from its default of ‘No’ to ‘Yes’ causes a Diagnostics global button to be rendered on every page. As well, enabling this profile option renders the ‘About This Page’ link at the bottom of every OA Framework page. With Diagnostics enabled, and access to About This Page, configuration data, diagnostic, and other log messages is displayed to anyone who clicks on the button or link. This information should only be displayed to appropriately privileged and trusted personnel. Making diagnostics globally available to all users, including external DMZ users such as for iStore and iRecruitment, is not a best practice.
What is not commonly understood is that the Diagnostics profile option setting changes the behavior of several purpose-built diagnostic and monitoring pages shipped with the E-Business Suite. These pages provide large amounts of information on critical configurations and system performance and are intended only to be used by system and database administrators. While arguably these monitoring and diagnostics pages should be protected by the Oracle EBS URL Firewall (if enabled and properly configured), and may be obscure, they may be known to somebody attempting to attack you from the outside or an insider with nefarious purposes. These pages should not be accessible by general users and certainly not by anonymous Internet users. Turning Diagnostics off greatly reduces, if not completely disables, access to these diagnostics pages. This is another reason that best practice is to set Diagnostics off and only enable at the user level as needed.
How do you know if Diagnostics is enabled?
- Check your system profile option ‘FND: Diagnostics’. It should be set to ‘No’ at the Site level.
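An added example, not from the original post, that goes one step further than the site-level check above: it lists every level at which 'FND: Diagnostics' (internal name FND_DIAGNOSTICS) is set, so user- or responsibility-level overrides that were enabled "temporarily" and never reverted are visible. It assumes the standard FND profile tables and the documented level ids (10001 site, 10002 application, 10003 responsibility, 10004 user).

```sql
-- Added example (not from the original post). Assumes standard FND profile tables.
-- Expected healthy result: a single SITE row with value 'N' and no lingering 'Y' rows.
SELECT DECODE(v.level_id, 10001, 'SITE',
                          10002, 'APPLICATION',
                          10003, 'RESPONSIBILITY',
                          10004, 'USER',
                          10005, 'SERVER',
                          10006, 'ORGANIZATION',
                          TO_CHAR(v.level_id))                         AS level_name,
       CASE v.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                          FROM   fnd_application a
                          WHERE  a.application_id = v.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_key
                          FROM   fnd_responsibility r
                          WHERE  r.responsibility_id = v.level_value)
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = v.level_value)
         ELSE NULL
       END                                                             AS level_target,
       v.profile_option_value                                          AS diag_value,   -- 'Y' or 'N'
       v.last_update_date,
       (SELECT u2.user_name FROM fnd_user u2
        WHERE  u2.user_id = v.last_updated_by)                         AS changed_by
FROM   fnd_profile_options       p
JOIN   fnd_profile_option_values v
       ON  v.profile_option_id = p.profile_option_id
       AND v.application_id    = p.application_id
WHERE  p.profile_option_name = 'FND_DIAGNOSTICS'
ORDER BY v.level_id, v.profile_option_value DESC, v.last_update_date DESC;
```

Any 'Y' row at USER level with an old last_update_date is a candidate for removal, and a 'Y' at RESPONSIBILITY level for an external responsibility (iStore, iRecruitment) is exactly the exposure the post warns about.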
If you have questions, please contact us.
References
- Hidden Security Threats in Oracle E-Business Suite - Integrigy
- Secure Configuration of Oracle E-Business Suite Profiles (Doc ID 946372.1)
The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakages. Especially if you have Internet facing applications such as iStore, iSupplier or iRecruitment, you need to take steps to secure your implementation against accidental information leakage and provide as little information as possible to anyone who might want to attack you.
URL Firewall
If you are running the E-Business Suite with a DMZ, such as for iStore or iSupplier, you must use the URL firewall. If you don’t, you will be exposing your implementation to serious security risks and leaking large amounts of information.
The Oracle E-Business Suite automatically installs all 250+ modules and all related web pages. Even though many of these modules are not selected to be installed, licensed, or configured, the web pages are nevertheless installed and accessible. In order to block these 15,000+ web pages when deploying Oracle E-Business Suite in a DMZ, Oracle developed the URL firewall. The URL firewall is a whitelist of permitted web pages and is enabled through autoconfig.
How to know if your URL Firewall is running
- Review your autoconfig settings for the variable s_enable_urlfirewall. If you see a ‘#’, the URL firewall is off. Integrigy also recommends reviewing the Apache httpd.conf files on each server in your DMZ to ensure that the URL firewall is being called.
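An added example, not from the original post, that checks s_enable_urlfirewall for every application-tier node from the database rather than by logging on to each server. It assumes that AutoConfig registers the current context file of each node in FND_OAM_CONTEXT_FILES (TEXT column holding the XML, STATUS 'S' for the current version, CTX_TYPE 'A' for the applications tier) and that the variable appears in the XML as oa_var="s_enable_urlfirewall" followed by its value; '#' is the "off" value described above.

```sql
-- Added example (not from the original post). Assumes FND_OAM_CONTEXT_FILES holds the
-- current context file per node and that the variable is stored as
--   ... oa_var="s_enable_urlfirewall">VALUE<...
-- where VALUE '#' comments out the URL firewall Include in httpd.conf (off) and an
-- empty value leaves it active (on).
SELECT c.node_name,
       c.name                                                      AS context_name,
       c.path                                                      AS context_file,
       CASE
         WHEN DBMS_LOB.INSTR(c.text, 'oa_var="s_enable_urlfirewall">#<') > 0
              THEN 'OFF  - value is #, URL firewall not included'
         WHEN DBMS_LOB.INSTR(c.text, 'oa_var="s_enable_urlfirewall"><') > 0
              THEN 'ON   - Include active (confirm url_fw.conf on the node)'
         WHEN DBMS_LOB.INSTR(c.text, 's_enable_urlfirewall') > 0
              THEN 'UNEXPECTED VALUE - inspect the context file'
         ELSE 'VARIABLE NOT FOUND - context file may predate URL firewall'
       END                                                         AS url_firewall_status,
       c.last_update_date
FROM   fnd_oam_context_files c
WHERE  c.status   = 'S'          -- current context file only
AND    c.ctx_type = 'A'          -- applications tier
ORDER BY c.node_name;
```

This tells you what AutoConfig was last told to generate; the httpd.conf check on each DMZ node is still needed, since a hand-edited httpd.conf or a node that has not been re-run through AutoConfig can differ from the stored context.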
Integrigy's AppDefend, our Web Application Firewall optimized for Oracle E-Business Suite, provides another layer of security to block unused modules like the URL Firewall, but also provides real-time protection from web application vulnerabilities like SQL injection and cross-site scripting (XSS) and blocks Oracle Critical Patch Update vulnerabilities.
If you have questions, please contact us.
References
- Into the Fire - Deploying Oracle EBS to the Internet - Integrigy
- Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet - Integrigy
- Oracle E-Business Suite R12 Configuration in a DMZ (MOS Doc ID 380490.1)
As of December 1, 2013, Oracle E-Business Suite 11.5.10 moved into Sustaining Support. Normally, Oracle Sustaining Support does not include security fixes in the form of Critical Patch Updates. However, for 11.5.10, there is an exception until December 2015 and Severity 1 fixes, payroll/1099 updates, and Critical Patch Updates will be available.
Oracle E-Business Suite Critical Patch Updates (CPU) will be available for 11.5.10 up to and including the October 2015 CPU. No Oracle E-Business Suite CPUs or security fixes will be released after the October 2015 CPU. In order to continue applying security patches after October 2015, you will need to upgrade to at least Oracle E-Business Suite 12.1. CPU support for 12.0 will end January 2015 with the end of Extended Support.
CPUs for the Oracle E-Business Suite database will be dependent on the version being used, and currently CPUs are only available for 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199. The application server, which is very old and basically on life support, was last patched in the October 2012 CPU.