Stephen Kost's E-Business Suite Security Blog

Multiple significant security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104) have been disclosed and patched in the popular Java logging library Apache Log4j.  This library is installed in Oracle E-Business Suite (EBS) environments and these vulnerabilities may be exploitable in your environment depending on Oracle EBS version, Oracle EBS patches applied, and customizations or third-party products.

On December 15th, Oracle has changed the remediation with the disclosure of the most recent Log4j security vulnerability (CVE-2021-45046) as the initial recommended fix was not complete.

Integrigy has completed a detailed analysis on the impact of these Log4j security vulnerabilities on Oracle E-Business Suite and you can access this analysis here -

Integrigy Log4j Vulnerabilities Impact on Oracle E-Business Suite Analysis

Integrigy's products AppDefend and AppSentry does not use the Log4j library, therefore, are not vulnerable to this security bug.

Please let us know if you have any questions regarding this security vulnerability at info@integrigy.com.

Thursday, January 28, 2021 - 2:00 pm to 3:00 pm EST

Oracle Database 21c has been released and is the latest innovation release of the Oracle Database.  A number of new security features are included with this release and should be adopted when creating new databases or upgrading existing databases. This educational webinar will review the new security features and changes in security for this database release. Key new security features are blockchain table, gradual database password rollover, mandatory case sensitive passwords, and Unified Auditing enhancements.

>>> Register for this webinar <<< 

Oracle E-Business Suite Security for Auditors

Thursday, December 17, 2020 - 2:00 pm to 3:00 pm EST

Auditors are trained to understand the financial aspects and the end user functionality of Oracle E-Business Suite. However, most auditors have not been trained in the security features and technical aspects of Oracle E-Business Suite. This education webinar will dive into the key security features within Oracle E-Business Suite. Key configuration settings, protecting sensitive data, concerns and risks with user privileges, and compliance issues related to SOX will be discussed and how to audit these areas.

>>> Register for this webinar <<< 

Is Your Sensitive Data Playing Hide and Seek with You?

Thursday, December 12, 2019 - 2:00 pm EST

Your Oracle databases and ERP applications may contain sensitive personal data like Social Security numbers, credit card numbers, addresses, date of births, and salary information. Understanding in what tables and columns sensitive data resides is critical in protecting the data and ensure compliance with regulations like GDPR, PCI, and the new California Consumer Privacy Act (CCPA). However, sensitive data is like a weed and can spread quickly if not properly managed. The challenge is how to effectively and continuously find sensitive data, especially in extremely large databases and data warehouses.  This educational webinar will discuss methodologies and tools to find sensitive such as by searching column names, crawling the database table by table, and performing data qualification to eliminate false positives.  Other locations where sensitive data might reside such as trace files, dynamic views (e.g., V$SQL_BIND_DATA), and materialized views will be reviewed.

>>> Register for this webinar <<<

Two Oracle E-Business Suite security vulnerabilities (CVE-2019-2638, CVE-2019-2633) fixed in April 2019 Oracle Critical Patch Update (CPU) have been recently publicized. These vulnerabilities allow an attacker to execute arbitrary SQL statements in the Oracle E-Business Suite data that can result in complete compromise of the environment including fraudulent transactions, changing of bank accounts, and circumvention of application security controls. Integrigy’s AppDefend, the application firewall for Oracle E-Business Suite, is the only solution that provides virtual patching for and proactive defense against these vulnerabilities.

These two vulnerabilities are in the Oracle E-Business Suite (EBS) TCF Server, which provides services to the professional Forms interface for a limited set of Forms. TCF Server is implemented and enabled in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. It can not be disabled without a customization to Oracle EBS.

TCF Server is a servlet running as part of the standard Oracle EBS web application server and communicates using HTTP or HTTPS between the Forms Java client and the web application server. For R12, the servlet is available at the URL /OA_HTML/AppsTCFServer. It uses a proprietary application-level protocol to communicate between the Forms client and server.

The risk is that unlike most Oracle EBS SQL injection vulnerabilities that only allow for fragments of SQL statements to be appended to standard Oracle EBS SQL statements being executed, these security bugs allow execution of complete SQL statements as the Oracle EBS APPS database account. When evaluating the risk of these vulnerabilities in your environment, it is important to differentiate between external access to the Oracle EBS environment through the Internet when modules like iSupplier, iStore, and iRecruitment are being used and internal access from only your internal network. The risk from external access is critical and should be immediately addressed. The internal risk is still high and dependent on the security posture of your internal network. It is important to realize that non-Oracle EBS aware web application firewalls, database security tools, and other network security products will not provide any protection from successful exploitation of these vulnerabilities.

Integrigy AppDefend is the only solution that provides virtual patching for and proactive defense against these TCF Server vulnerabilities as well other Oracle EBS security vulnerabilities. Integrigy recognized the potential issues with TCF Server and even the first release of AppDefend for R12 in 2007 blocked external access to the TCF Server by default.

AppDefend provides multiple layers of protection against TCF Server vulnerabilities as follows -

1. Blocks all access to TCF Server externally (since 2007).
2. Enforces Oracle EBS access control for TCF Server allowing only authorized EBS users to access to the TCF Server (since 2018).
3. Whitelists the functions accessible through TCF Server (since 2018).
4. Blocks specific vulnerabilities in TCF Server (2018, 2019).
5. Advanced SQL injection protection optimized specifically for Oracle EBS will detect and block most of the SQL statements used in TCF Server and other 0-day attacks. (since 2007).

If you do not have AppDefend, applying the latest Oracle Critical Patch Update for Oracle EBS will remediate these specific vulnerabilities and for external sites it is critical that the Oracle EBS URL Firewall is implemented as documented in Appendix E of My Oracle Support Note ID 380490.1. However, these solutions will not protect you prior to applying the security patches or against future TCF Server vulnerabilities and other Oracle EBS 0-day attacks.

Please let us know if you have any questions regarding the latest Oracle EBS security vulnerabilities at info@integrigy.com.

Heading to COLLABORATE 19? For the 12th consecutive year, Integrigy will be presenting on Oracle E-Business security, Oracle Database security, and PeopleSoft security. If you will be attending, be sure to schedule in one or more of our presentations.

Oracle E-Business Suite Security

Top 10 Oracle E-Business Suite Security Risks Tuesday April 9 - 10:30 AM-11:30 AM - GH 4th FL Republic C

How to Close the Window between Oracle CPU Security Release and Deployment Tuesday April 9 - 4:30 PM-5:30 PM - GH 4th FL Republic C

GDPR Compliance and the Oracle E-Business Suite Revisited Thursday April 11 - 9:15 AM-10:15 AM - GH 4th FL Seguin B

Oracle Database Security

An Introduction to Oracle Database Security Wednesday April 10 - 8:00 AM-9:00 AM - CC 2nd FL 221A 

Hacking an Oracle Database and How to Prevent It Wednesday April 10 - 2:00 PM-3:00 PM - CC 2nd FL 205 

Oracle Database Multitenant Security Explained Thursday April 11 - 8:00 AM-9:00 AM - CC 2nd FL 206B

PeopleSoft Security

Top 10 Security Risks in a PeopleSoft Environment Monday April 8 - 4:30 PM-5:30 PM - GH 3rd FL Bonham D

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk for PeopleSoft applications.  Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.

For this quarter, there are 15 security vulnerabilities patches in PeopleSoft applications and PeopleTools --

10 - PeopleTools

2 - PeopleSoft Financials

2 - PeopleSoft HCM

1 - PeopleSoft Campus Solutions

11 of the 15 security vulnerabilities are remotely exploitable without authentication, therefore, an attacker can exploit the PeopleSoft without any credentials.  For this quarter, there are 7 cross-site scripting vulnerabilities, 3 vulnerabilities in third-party libraries used in PeopleSoft, and 5 other types of vulnerabilities.

10 cross-site scripting (XSS) vulnerabilities and 4 other types of vulnerabilities fixed.  Most important is that 13 of the 14 vulnerabilities are remotely exploitable without authentication.

For PeopleTools, only 8.55 and 8.56 are supported.  Previous versions of PeopleTools must be upgraded in order to apply the security patches.

Tuxedo

Another vulnerability for Tuxedo JOLT (CVE-2018-3007) is fixed in this CPU, therefore, Tuxedo must also be patched.  Configuration changes must be made to the Tuxedo server in order to limit connections to both JSH and WSH in order to reduce the risk of security vulnerabilities.

WebLogic

A number of vulnerabilities in WebLogic are fixed in this CPU including a vulnerability accessible via the T3 protocol.  In addition to applying the appropriate WebLogic security patch, the WebLogic should be configured to only allow access to the HTTPS protocol.

Oracle Database

For the July 2018 CPU, only 11.2.0.4 and 12.1.0.2 are supported for security patches.  For the database, there is a OJVM security patch, so either the combo patch must be applied or a separate OJVM patch must be applied to correct the vulnerability in the Java Virtual Machine (JVM) in the database which is used by PeopleSoft.

July 2018 Recommendations

As with almost all Critical Patch Updates, the security vulnerabilities fixes are significant and high-risk.  Corrective action should be taken immediately for all PeopleSoft environments. The most at risk implementations are Internet facing environments and Integrigy rates this CPU as high risk due to the large number of cross-site scripting (XSS) vulnerabilities that can be remotely exploited without authentication.   These implementations should apply the CPU as soon as possible or use a virtual patching solution such as AppDefend.

Most PeopleSoft environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrigy's AppDefend, an application firewall for the Oracle PeopleSoft.  AppDefend provides virtual patching and can effectively replace patching of PeopleSoft web security vulnerabilities.

CVEs referenced: CVE-2017-5645, CVE-2018-1275, CVE-2018-2990, CVE-2018-2977, CVE-2018-0739, CVE-2018-2951, CVE-2018-3068, CVE-2018-2929, CVE-2018-2919, CVE-2018-2985, CVE-2018-2986, CVE-2018-3016, CVE-2018-3072, CVE-2018-2970, CVE-2018-3076

Oracle has released an out-of-cycle security advisory (CVE-2017-10151) for a vulnerability affecting Oracle Identity Manager.  This vulnerability has a CVSS 3.0 base score of 10 out of 10.  Oracle Identity Manager is the identity governance component within the Oracle Identity Management solution.  All supported versions of Identity Manager are impacted from 11.1.1.7 to 12.2.1.3.0.  Most likely 11.1.1.1 through 11.1.1.6 are also vulnerable.  Previous Identity Manager versions (10g and 9.x) that are not based on Oracle WebLogic are probably not vulnerable.

The vulnerability is that the Oracle Identity Manager system user account (OIMINTERNAL) can be accessed using the default password through the Oracle WebLogic server.  As this is a highly privileged user, the entire Identity Manager environment can be completely compromised via an unauthenticated network attack.

The work-around is to change the OIMINTERNAL user password to a random string in the WebLogic administration console under Domain -> Security Realms.  A patch will be available in the future to automatically change the password.  See My Oracle Support Note "Oracle Security Alert CVE-2017-10151 Patch Availability Document for Oracle Identity Manager (Doc ID 2322316.1)" for more information.

As Oracle released an out-of-cycle security advisory, either detailed information regarding the vulnerability has been released or will soon be released, or Oracle has been informed the vulnerability is being actively exploited.