Stephen Kost's E-Business Suite Security Blog

Subscribe to Stephen Kost's E-Business Suite Security Blog feed
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 13 hours 17 min ago

PeopleSoft Guest User Security

Mon, 2016-07-25 06:00

Being hospitable and welcoming to guests is usually considered good manners.  That said, being a gracious host does not mean you should be careless with your security.

With regard to PeopleSoft application security, the user GUEST is a default account created with the installation of PeopleSoft.  When performing a PeopleSoft security audit, several attributes of the GUEST user are reviewed, including the following -  take a look today at your settings:

For the GUEST user:

  • Change the default password
  • Ensure does not have access to sensitive menus and/or roles, including not having access to the following:
  • The role ‘PeopleSoft User’
  • Any role that includes the permission list PTPT1000
  • The role ‘PAPP_USER’
  • Any role that includes the permission list PAPP0002

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security User Authorization Audits

Mon, 2016-07-18 06:00

When performing a PeopleSoft security audit, reviewing what rights and privileges individual users have been granted for system and application security privileges (authorization) is one of the key deliverables. The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

Review users with access to

  • PeopleTools
  • The SQR folder
  • Process scheduler
  • Security and other sensitive administration menus
  • Security and other sensitive administration roles
  • Web profiles
  • PeopleSoft Administrator Role
  • Correction mode

To check access to PeopleTools, use the following. If you need assistance with the other topics, let us know –

-- Access to PeopleTools

SELECT UNIQUE  A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME
FROM SYSADM.PSOPRDEFN A, SYSADM.PSROLEUSER B
WHERE A.OPRID = B.ROLEUSER
AND upper(B.ROLENAME) ='PEOPLETOOLS'
ORDER BY A.OPRID,B.ROLENAME;

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Integration Broker (IB) Security

Mon, 2016-07-11 06:00

Securing the PeopleSoft Integration Broker (IB) ensures the security of messaging both within PeopleSoft applications and among third-party systems. The following are several of the key tasks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Ensure all inbound requests are required to use Secure Socket Layer security/Transport Layer Security (SSL/TLS)
  • Ensure that the default the PSKEY  password has been changed - The PSKEY is keystore contains all root and node certificates used by the Integration Gateway and PIA. Using the default or weak password is not best practice.
  • Ensure the IB node ANONYMOUS is appropriately privileged.  If IB connections do not specify a node name and credentials, IB will try to use the ANONYMOUS node and the “default user ID” tied to that node. This default user must not be a highly privileged user and should be granted the least number of privilege possible.
  • Review all other nodes for permissions appropriate for the business services supported by the node. Best practice is to use a unique UserID for each node that only has appropriate permissions to only to the required objects or related sets of operations.

The following attributes are also reviewed that govern IB activity :

Integration Broker Profile Values

Field

Description

Recommendation

IB_PROFILESTATUS

IB Profile Status. If enabled, IB will show performance information.

For production or Internet facing set to off.

IB_ENABLELOG

Enables logging

 

For production or Internet facing set to off.

IB_LOGLEVEL

Log Level  (if logging is enabled)

1= Standard gateway exception errors.

  1. 2 = All errors and warnings (Default.)
  • 3 = Errors, warnings and important information.
  • 4 = Errors, warnings, important and standard information.
  • 5= Errors, warnings important, standard and low importance information

Default: 2

IB_DEPTHLIMIT

Checks for recursion within messages (number of levels) to ensure that messages do not reference themselves.

Value between 3 and 50

Default: 20

IB_MASTER_OVERRIDE

Determines if Master processing returns statistics in the Output Information section after a Post.

For production or Internet facing set to off.

IB_PRE_848

Pre-848 Tools Release

Default is N

IB_MULTIACT_DOMAIN

By default, only one domain may be active in the Integration Broker system. However, PeopleSoft provides the option to enable the activation of multiple domains.

Off unless required.

IB_USEIPADDRESS

Determines if the application server URL for a synchronous slave template uses the application server IP address:  e.g. URL format from <machine name>:<jolt port> to IP address

On

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Logging and Auditing

Tue, 2016-07-05 06:00

Logging and auditing are one of the pillars of PeopleSoft Security.  Both application and database auditing is required. Logging and auditing support a trust-but-verify approach which is often deemed required to secure the activities of privileged system and database administrators.

While both the application and database offer sophisticated auditing solutions, one key feature Integrigy always recommends is to ensure that EnableDBMononitoring is enabled within the psappssrv.cfg file. This is set by default but we at times find it disabled.

When enabled EnableDBMononitoring allows PeopleSoft application auditing to bridge or flow into database auditing. This is done by populating the Oracle Client_Info variable with the PeopleSoft User Id, IP address and program name. With Oracle RDBMS auditing enabled, anything written to Client_Info is also written into the database audit logs.

In other words, with both database and EnableDBMononitoring enabled, you can report on which user updated what and when – not just that the PeopleSoft application or ‘Access ID’ issued an update statement.

The graphics below we commonly use to help review Integrigy’s approach to PeopleSoft logging and auditing.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft, Auditor
Categories: APPS Blogs, Security Blogs

PeopleSoft Database Secure Baseline Configuration

Mon, 2016-06-27 06:00

PeopleSoft, similar to other major ERP applications, while depending on a database to store information, arguably does not secure the supporting database. The security of the database is the client’s responsibility.

In order to give a few examples of what we are talking about when we refer to database security, the following are several of the 200+ database security checks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your database for a few quick checks:

  • Limit direct database access whenever possible. This is always our number one recommendation – how isolated is your database?
  • Database CPU patching – have you applied the latest database CPU patches?
  • Logging and auditing – do you have auditing enabled? How much? What monitoring tools and processes do you have?
  • Database passwords – especially key accounts such as the Connect Id, Access Id, IB and PS – are they set to weak or default passwords? Are you using profiles?
  • Permissions and authorizations – when was the last time you reviewed them? How many users have SELECT ANY TABLE privileges?
  • Ensure the Default tablespace should never be ‘SYSTEM’ or PSDEFAULT for named users. These should be reserved for the Oracle RDBMS and application respectively
  • Do not use SYSADM for day-to-day support. Use named accounts instead, are you?

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle Database, Oracle PeopleSoft, Auditor
Categories: APPS Blogs, Security Blogs

PeopleTools October 2014 CPU Security Patch

Mon, 2016-06-20 06:00

The prior blog post (PeopleSoft Security Patches) reviewed PeopleSoft CPU patching. Worthy of its own post is the October 2014 CPU. A show of hands back in April at our PeopleSoft database security presentation at Collaborate 2016 (PeopleSoft Database Security) further confirmed Integrigy’s research that a surprising number of PeopleSoft installations have not applied this patch.

The PeopleTools October 2014 CPU (8.52.24, 8.53.17, 8.54.04) fixes a critical issue with the security of the database passwords for the Connect and Access Ids. This patch MUST be applied in order to safeguard the password for the Access Id (e.g. SYSADM) – regardless of how complex you have made it. The details of the specific vulnerability are best not given further explanation on the Internet.

This said if you have not already applied the October 2014 CPU or any CPU since (they are cumulative) and you have questions and/or concerns, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle PeopleSoft, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

PeopleSoft Security Patches

Mon, 2016-06-13 06:00

The process of applying security patches starts with identifying which patches to apply. For PeopleSoft, security patches need to be considered for both the application and the major technical components. The application of security patches, referred to by Oracle as Critical Patch Updates (CPUs), for one component DO NOT apply security patches for the other components.

For example, PeopleTools CPU patches DO NOT include database CPUs – applying one will not automatically apply nor include the other. The same holds for WebLogic and Tuxedo CPU patches.

CPUs for PeopleTools releases are provided for up to 24 months after the next minor release is generally available. The following table will assist in analyzing your PeopleTools CPU levels certification status with other key PeopleSoft technical components:

PeopleTools

(PT)

PT Generally Available Date

PT CPU Delivered through

Database

Certifications

WebLogic

Certifications

Tuxedo

Certification

PT8.51

9/10/10

Jan 2014

11.2.0.4

10.3.6.0

10.3.0.0

PT8.52

10/28/11

Jan 2015

11.2.0.4

10.3.6.0

10.3.0.0

PT8.53

2/1/13

7/19/16

11.2.0.4

12.1.0.2

10.3.6.0

11.1.3.0

11.1.1.2

PT8.54

7/11/14

12/4/17

11.2.0.4

12.1.0.2

12.1.3.0

12.1.2.0

12.1.1.0

PT8.55

12/4/15

TBD

11.2.0.4

12.1.0.2

12.1.3.0

12.1.1.0

12.1.3.0

  • WebLogic 10.3.6.x is supported through December 2018
  • WebLogic 12.1.2.0 is supported through 6/2016
  • WebLogic 12.1.3.0 is supported through 12/2017 and will be the terminal release of 12.1.x
  • Tuxedo support dates: 10.3 12/2016, 12.1.3 in 2020 all 1
  • 1.x and 12.1.1 end in 2018

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

REFERENCES

PeopleSoft Database Security

PeopleSoft Security Quick Reference

 

Oracle PeopleSoft, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

PeopleSoft Security

Mon, 2016-06-06 06:00

Throughout the summer, Integrigy will be releasing new research on PeopleSoft security. This research focuses on the secure configuration of PeopleSoft and includes both the application and the major technical components such as the database (Oracle RDBMS), WebLogic and Jolt/Tuxedo. Hopefully, these blog posts will be useful.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Security Vulnerability Scoring Metric Change (CVSS)

Wed, 2016-04-20 09:50

No, Oracle security vulnerabilities didn’t just get a whole lot worse this quarter.  Instead, Oracle updated the scoring metric used in the Critical Patch Updates (CPU) from CVSS v2 to CVSS v3.0 for the April 2016 CPU.  The Common Vulnerability Score System (CVSS) is a generally accepted method for scoring and rating security vulnerabilities.  CVSS is used by Oracle, Microsoft, Cisco, and other major software vendors.

As we have discussed previously, CVSS v2 did score Oracle security vulnerabilities for the database, middleware, and applications lower than operating system and network component vulnerabilities.  Contrary to what many security researchers claim, the problem is with the CVSS standard, not manipulation of the scores by Oracle.  CVSS v2 puts a premium on the ability to compromise the entire operating system (i.e., root account) or device.  For most Oracle security vulnerabilities, across all products, it is very difficult to compromise the root operating system account by exploiting an Oracle Database, Fusion Middleware, or application (Oracle E-Business Suite, PeopleSoft, etc.) security bug.  Although, there are some exceptions mostly limited to the Oracle Database running on Microsoft Windows Server, which allow compromise of the administrator account.

To account for this limitation in CVSS, Oracle included in the CPU advisory matrices for informational purposes only a “Partial+” to indicate where the entire database, middleware server, or application could be compromised.  However, this was not reflected in the score since the CVSS standard says a “Complete” impact “… is total information disclosure, resulting in all system files being revealed.”  As a result, Oracle CVSS v2 scores for critical or severe bugs tended to be 6.5 for the Oracle Database, 7.5 for Fusion Middleware, and 6.4 for applications like the Oracle E-Business Suite and PeopleSoft.

CVSS v3.0 changes the scoring to put more of an emphasis on the asset or component being protected (i.e., database or application).  The key CVSS definition has changed from “system” to “impacted component.”  The scoring algorithm also includes more granularity for privileges required to exploit and the scope of the exploit, such as can a database attack compromise the underlying operating system.

The Oracle CVSS v3.0 scores will be much higher now, especially for the Fusion Middleware and applications like Oracle E-Business Suite and PeopleSoft.  Critical Fusion Middleware security bugs will rise from 7.5 to 9.8.  Oracle E-Business Suite and PeopleSoft critical security bugs like unauthenticated SQL injection will jump from 6.4 to 9.8.  As almost all Oracle Database security bugs require database authentication, the Oracle Database CVSS scores will go from 6.5 to 8.8 for easy to exploit SQL injection vulnerabilities in PUBLIC packages.

The critical risk associated with most Oracle security vulnerabilities is still critical.  Now the CVSS score properly reflects the critical nature of many of these bugs.

Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 11i CPU Security Patches Only Available for Tier 1 Support Customers

Wed, 2016-04-20 08:49

Oracle E-Business Suite 11i is impacted by 8 security vulnerabilities in the April 2016 CPU, which includes the Oracle Configurator and Oracle Complex Maintenance, Repair, and Overhaul security bugs listed under the Oracle Supply Chain Products Suite.

Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11i security patches are only available for Oracle customers with Tier 1 Support contracts, previously referred to as Advanced Customer Support (ACS).  Tier 1 Support must be purchased and is an additional fee on top of standard Oracle maintenance.  Optional Tier 1 Support will include CPU security patches through October 2016.

CPU information for 11i has been moved from the standard quarterly CPU My Oracle Support (MOS) note for Oracle E-Business Suite to MOS Note ID 2126170.1 “Oracle E-Business Suite Release 11i Critical Patch Update Knowledge Document (For Oracle E-Business Suite 11i Tier 1 Support Customers).”

For more information on CPU support for 11i, please see MOS Note ID 1596629.1 “ANNOUNCEMENT: Additional Coverage Options for 11.5.10 E-Business Suite Sustaining Support.”

As an alternative to Oracle Tier 1 Support or as an additional layer of defense for Oracle E-Business Suite 11i, Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, provides virtual patching of Oracle E-Business Suite web security vulnerabilities, web application attack surface reduction, and protection from SQL injection and cross-site scripting (XSS) attacks.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Critical Patch Update January 2016 E-Business Suite Analysis

Wed, 2016-01-20 16:55

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk

First, this CPU with 78 EBS security fixes has 10x the number of EBS security fixes than an average CPU.  For the previous 44 CPUs released since 2005, an average of 7.5 security bugs are fixed per quarter for EBS.  Second, there are a significant number of SQL injection and other high risk bugs, such as the ability to read arbitrary files from the EBS applications servers.  Third, the security bugs are in a wide-range of over 30 technical and functional modules, therefore, every EBS implementation is at significant risk.  Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Interface-facing self-service modules.

Integrigy is credited with discovering 40 of the security bugs fixed this quarter.  We have additional security bugs open with Oracle which we except to be resolved in the next few quarters.

Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts.  For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS).  After October 2016, there will be no more CPUs for 11.5.10.

Vulnerability Breakdown

An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses.  The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS).  Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.

Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server.  With some knowledge of EBS, it may be possible to download files with the APPS database password.

EBS Version Breakdown

23 vulnerabilities are found in all versions of Oracle E-Business Suite.  The remainder are mostly specific to the different web architectures found in each version.  The following is the breakdown of the 78 vulnerabilities by EBS version --

11.5.10 12.0.x 12.1.x 12.2.x 66 38 40 22

For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql.  mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages.  mod_plsql was removed from EBS starting with 12.0.  For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."

Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.

I have included 12.0.x in the listing of versions to show even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.

January 2016 Recommendations

As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner. 

The most at risk implementations are those running Internet facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.) and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.   These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.

If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

EBS 11i mod_plsql Mitigation

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Database Critical Patch Update (CPU) Planning for 2016

Tue, 2016-01-19 11:45

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle Database.  The CPUs are only available for certain versions of the Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely manner.

CPU Supported Database Versions

As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  The final CPU for 12.1.0.1 will be July 2016.  11.2.0.4 will be supported until October 2020 and 12.1.0.2 will be supported until July 2021.

11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015. 

Database CPU Recommendations
  1. When possible, all Oracle databases should be upgraded to 11.2.0.4 or 12.1.0.2.  This will ensure CPUs can be applied through at least October 2020.
     
  2. [12.1.0.1] New databases or application/database upgrade projects currently testing 12.1.0.1 should immediately look to implement 12.1.0.2 instead of 12.1.0.1, even if this will require additional effort or testing.  With the final CPU for 12.1.0.1 being July 2016, unless a project is implementing in January or February 2016, we believe it is imperative to move to 12.1.0.2 to ensure long-term CPU support.
     
  3. [11.2.0.3 and prior] If a database can not be upgraded, the only effective mitigating control for many database security vulnerabilities is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using valid node checking, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.  Direct database access is required to exploit database security vulnerabilities and most often a valid database session is required.
     

Regardless if security patches are regularly applied or not, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all Oracle databases. 

 

Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite Critical Patch Update (CPU) Planning for 2016

Tue, 2016-01-19 08:58

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack.  The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely manner.

For 2016, CPUs for Oracle E-Business Suite will become a significant focus as a large number of security vulnerabilities for the Oracle E-Business Suite will be fixed.  The January 2016 CPU for the Oracle E-Business Suite (EBS) will include 78 security fixes for a wide range of security bugs with many being high risk such as SQL injection in web facing self-service modules.  Integrigy anticipates the next few quarters will have an above average number of EBS security fixes (average is 7 per CPU since 2005).  This large number of security bugs puts Oracle EBS environments at significant risk as many of these bugs will be high risk and well publicized.

Supported Oracle E-Business Suite Versions

Starting with the April 2016 CPU, only 12.1 and 12.2 will be fully supported for CPUs moving forward.  11.5.10 CPU patches for April 2016, July 2016, and October 2016 will only be available to customers with an Advanced Customer Support (ACS) contract.  There will be no 11.5.10 CPU patches after October 2016.  CPU support for 12.0 ended as of October 2015.

11.5.10 Recommendations
  1. When possible, the recommendation is to upgrade to12.1 or 12.2.
  2. Obtaining an Advanced Customer Support (ACS) contract is a short term (until October 2016) solution, but is an expensive option.
  3. An alternative to applying CPU patches is to use Integrigy's AppDefend, an application firewall for Oracle EBS, in proxy mode which blocks EBS web security vulnerabilities.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

12.0 Recommendations
  1. As no security patches are available for 12.0, the recommendation is to upgrade to 12.1 or 12.2 when possible.
  2. If upgrading is not feasible, Integrigy's AppDefend, an application firewall for Oracle EBS, provides virtual patching for EBS web security vulnerabilities as well as blocks common web vulnerabilities such as SQL injection and cross-site scripting (XSS).  AppDefend is a simple to implement and cost-effective solution when upgrading EBS is not feasible.
12.1 Recommendations
  1. 12.1 is supported for CPUs through October 2019 for implementations where the minimum baseline is maintained.  The current minimum baseline is the 12.1.3 Application Technology Stack (R12.ATG_PF.B.delta.3).  This minimum baseline should remain consistent until October 2019, unless a large number of functional module specific (i.e., GL, AR, AP, etc.) security vulnerabilities are discovered.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).
12.2 Recommendations
  1. 12.2 is supported for CPUs through July 2021 as there will be no extended support for 12.2.  The current minimum baseline is 12.2.3 plus roll-up patches R12.AD.C.Delta.7 and R12.TXK.C.Delta.7.  Integrigy anticipates the minimum baseline will creep up as new RUPs (12.2.x) are released for 12.2.  Your planning should anticipate the minimum baseline will be 12.2.4 in 2017 and 12.2.5 in 2019 with the releases of 12.2.6 and 12.2.7.  With the potential release of 12.3, a minimum baseline of 12.2.7 may be required in the future.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).
EBS Database Recommendations
  1. As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015.  The final CPU for 12.1.0.1 will be July 2016.
  2. When possible, all EBS environments should be upgraded to 11.2.0.4 or 12.1.0.2, which are supported for all EBS versions including 11.5.10.2.
  3. If database security patches (SPU or PSU) can not be applied in a timely manner, the only effective mitigating control is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using the EBS feature Managed SQLNet Access, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.
  4. Regardless if security patches are regularly applied or not, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all EBS databases.
Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Basic OBIEE Enumeration Checklist

Mon, 2015-11-09 08:39

Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:

  1. If possible ask for the following:
    1. System diagram
    2. All URLs – WebLogic, Enterprise Manager and OBIEE
    3. Ask about load balancer and reverse proxy
    4. WebLogic accounts and passwords for both /EM and /Console
    5. TNSNAMES info and DB accounts and passwords for WebLogic repository database
    6. Ideally O/S accounts and passwords for server supporting WebLogic – will need for WLST scripts
    7. Request copy of config.xml file for each environment. If o/s accounts are surrendered these can be easily obtained.
  2. Network probe
    1. NMAP scan for WebLogic and OBIEE ports 7001, 9701 and 9703. Suggest scanning 9700 – 9710. Also NMAP scan for Oracle networking 1521 (default).  Suggest scanning 1520-1530
    2. Check WebLogic and OBIEE specific URLs. For public facing, use Google. For internal construct URLs using information gathered from NMAP:

Tool

URL

Administration Server Console

http://host:port/console

Enterprise Manager Console

http://host:port/em

Enterprise Manager Agent

http://host:port/emd/main

Oracle Portal

http://host:port/portal/pls/portal

Oracle Forms

http://host:port/forms/frmservlet

Oracle Reports

http://host:port/reports/rwservlet

Oracle Discoverer Viewer

http://host:port/discoverer/viewer

WebLogic

If external Google: intitle:"WebLogic Server" intitle:"Console Login" inurl:console –site:targetdomain.com

OBIEE

Look for: analytics/saw.dll

e.g. if external Google: Inurl: analytics/saw.dll –site:targetdomain.com

 

  1. Inventory the databases associated with WebLogic. Issue the following from the repository databases:
    1. SELECT * FROM SYSTEM.SCHEMA_VERSION_REGISTRY$;
    2. SELECT * FROM PRODUCT_COMPONENT_VERSION;
  2. Read and analyze the primary WebLogic configurations. The primary config file is the /domains/DOMAIN_NAME/config/config.xml 
  3. Get server information, suggest running WLST scripts for – Google several good examples: ‘wlst script list servers and information’
  4. Get WebLogic user information, suggest running WLST scripts for – Google several good examples: ‘wlst script list users’
  5. For OBIEE authentication will first be done by WebLogic. WebLogic will determine who can access OBIEE. WebLogic groups may or may not then drive authorization. Older OBIEE solutions also might internally authenticate within the repository (RDP).  Overall security authorization within OBIEE can be at control at various levels; Catalog/Presentation, RPD and within the data sources or a combination of everything. There can also be no security/authorization e.g. authentication by WebLogic to use OBIEE and then handoff to a PUBLIC / generic OBIEE report.
Oracle Fusion Middleware, Oracle Business Intelligence (OBIEE)
Categories: APPS Blogs, Security Blogs

DAM tools, IBM Guardium, Oracle E-Business Suite, PeopleSoft and SAP

Wed, 2015-09-30 13:57

A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.

There are many advantages to deploying a DAM solution to protect your ERP platform, the first being additional defense-in-depth for one of your most critical assets. You can read more here ( Integrigy Guide to Auditing and Logging in Oracle E-Business Suite)  about Integrigy’s recommendations for database security programs. DAM solutions allow for complex reporting as well as 24x7 monitoring and easy relaying of alerts to your SIEM (e.g. Splunk or ArcSight).

Deploying DAM solutions to protect your SAP, PeopleSoft or E-Business Suite is a not-plug-and-play exercise. IBM Guardium’s out-of-the-box policies for the E-Business Suite require configuration to be of any value – see figure three below. The out-of-the-box DAM policies are a good starting point and Integrigy rarely sees them implemented as is. Integrigy also highly recommends, if at all possible, to complete a sensitive data discovery project prior to designing your initial DAM policies. Such projects greatly help to define requirements as well as offer opportunities for data clean up.

Overall, to design and implement an initial set of Guardium policies for the E-Business Suite (or any other ERP package) is usually a few weeks of effort depending on your size and complexity.

If you have any questions, please contact us at info@integrigy.com

Figure 1- Seeded Guardium Policies for EBS and SAP

Figure 2- Guardium E-Business Suite PCI Policy

Figure 3- Example of Blank Configuration

 

 

 

Auditing, Oracle E-Business Suite, IBM Guardium
Categories: APPS Blogs, Security Blogs

Come See Integrigy at Collaborate 2015

Fri, 2015-04-10 09:39

Come see Integrigy's session at Collaborate 2015 in Las Vegas (http://collaborate.ioug.org/). Integrigy is presenting the following paper:

IOUG #763
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J

If you are going to Collaborate 2015, we would also be more than happy to talk with you about your Oracle security or questions. If you would like to talk with us while at Collaborate, please contact us at info@integrigy.com.

Conference
Categories: APPS Blogs, Security Blogs

Fine Grained Auditing (FGA) and Protecting Oracle E-Business PII Data for Executives

Fri, 2015-02-13 06:00

With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.

The following Fine-Grained-Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, but will catch people directly connecting to the database from their laptop. However, it will only do so if PII data for executives is accessed:

BEGIN

DBMS_FGA.ADD_POLICY (
   object_schema     =>  'HR',
   object_name       =>  'PER_ALL_PEOPLE_F',
   policy_name       =>  'FGA_PPF_NOT_GUI_AND_OFFICER',
   audit_condition   =>  ' PER_ALL_PEOPLE_F.PERSON_ID IN (
         SELECT PAX.PERSON_ID
         FROM PER_ASSIGNMENTS_X PAX, PER_JOBS J, PER_JOB_DEFINITIONS JD
         WHERE PAX.JOB_ID = J.JOB_ID
         AND J.JOB_DEFINITION_ID = JD.JOB_DEFINITION_ID
         AND UPPER(JD.SEGMENT6) LIKE UPPER(''%EXECUTIVE%''))
         AND NOT (SYS_CONTEXT (''USERENV'',''IP_ADDRESS') IN
         (''IP of your DB server’’, ‘’IP of your cm server’’, 
           ‘’IP of your application server’’) 
        AND SYS_CONTEXT (''USERENV'',''CURRENT_USER'') = ''APPS'' ) ',
   audit_column      =>   NULL,
   handler_schema    =>   NULL,
   handler_module    =>   NULL,
   enable            =>   TRUE,
   statement_types   =>  'SELECT',
   audit_trail       =>   DBMS_FGA.DB,
   audit_column_opts =>   DBMS_FGA.ANY_COLUMNS);

END;

Here is an explanation of the policy above:

  • Audits only direct database activity and ignores database connections from the E-Business Suite user interface, the database server, the web and application servers, as well as the concurrent manager.
  • Audits SELECT activity against PER_ALL_PEOPLE_F or any view based on the table PER_ALL_PEPOPLE_F. PII data exists outside of PER_ALL_PEOPLE_F but this table is the central table within the E-Business Suite that defines a person and thus contains critical PII data such as name, birthdate and National Identifier.
  • Audits ALL columns in the table but could easily be restricted to only specific columns.
  • Audits ONLY those result sets that includes current or ex-employee whose job title has ‘%Executive%' in the Job Title. Note this policy was demonstrated using the Vision demo database. Your Job Key Flexfield definition will be different.
  • FGA comes standard with the Enterprise license of the Oracle database. If you own the Oracle E-Business Suite, you don't need an additional license to use FGA.

The policy above would certainly strengthen an overall database security posture, but it does have several immediate drawbacks:

  • While it does address risks with direct database activity, including the use of the APPS account from a laptop, it will not guard against privileged database users such as DBAs.
  • Spoofing of USRENV attributes is possible which precludes using any USERENV attribute other than the IP address and DB username.
  • Audit data needs security stored and regularly purged. Privileged users may have access to FGA data and policies. Audit data also needs to be retained and purged per corporate policies.
  • Lastly, the performance impact of the policy above would need to be carefully measured. If the policy above were to be implemented, it would need to be seriously tested, especially if modules are to be used such as Oracle Advanced Benefits and/or Payroll.

As part of a database security program, Integrigy recommends that all clients implement defense in depth. No one tool or security feature will protect your data. Oracle Traditional Auditing (TA) as well as FGA policies similar to the above should be implemented, but the both TA and FGA have limitations and trade-offs.

Integrigy recommends that both Oracle TA and FGA be used with database security solutions such as the Oracle Audit Vault and Database Firewall (AVDF), Splunk, Imperva, and IBM Guardium.  Database monitoring and alerting needs to be automated and should done using a commercial tool. You also need to secure and monitor privileged users such as DBAs and database security cannot come at the cost of overall application performance.

Our client conversation about the FGA policy above concluded that while the policy could work, given the variety of different database connections, a better solution would be to utilize a variation of the policy above along with Splunk, which they already own.

If you have questions about the sample FGA policy above or about database security, please contact us at: mailto:info@integrigy.com

References

Auditing, Sensitive Data, HIPAA, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Integrigy Database Log and Audit Framework with the Oracle Audit Vault

Fri, 2015-02-06 06:00

Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements. 

The Integrigy Framework for database logging and auditing is a direct result of Integrigy’s consulting experience and will be equally useful to both those wanting to improve their capabilities as well as those just starting to implement logging and auditing.  Our goal is to provide a clear explanation of the native auditing and logging features available, present an approach and strategy for using these features and a straight-forward configuration steps to implement the approach.

Integrigy’s Framework is also specifically designed to help clients meet compliance and security standards such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), FISMA, and HIPAA.  The foundation of the Framework is PCI DSS requirement 10.2.

Integrigy’s Log and Audit Framework can be easily implemented using the Oracle Audit Vault.  The high-level summary is a follows –

Level 1

Enable database auditing as directed by the Integrigy Framework Level 1 requirements. 

Level 2
  1. Install the Oracle Audit Vault.  If already installed, it is highly recommended to perform a health check as described in Audit Vault Server Configuration Report and Health Check Script (Doc ID 1360138.1).
  2. Configure Oracle database to use Syslog per Integrigy Framework Level 2 requirements.  Set the database initialization parameter AUDIT_TRAIL parameter to equal ‘OS’ and AUDIT_FILE_DEST parameter to desired file in the directory specification.  Last set the initialization parameter AUDIT_SYSLOG_LEVEL to ‘LOCAL1.WARNING’ to generate Syslog formatted log files.
  3. Install and activate the Oracle Audit Vault collector agent OSAUD for operating system files.  Collect Syslog formatted logs located by the AUDIT_FILE_DEST parameter.
Level 3

Protect application log and audit tables by creating standard database audit policies and adding these new policies the Audit Vault Collectors.  Create database alerts based on correlations between standard database events and application audit logs.

Oracle E-Business Suite Example

To use the Oracle Audit Vault with the Oracle E-Business Suite, no additional patches required either for the E-Business Suite or the Oracle database.  This is because the Oracle Audit Vault uses only standard Oracle database functionality. 

There are two steps for Level 3.  The first is to protect the Oracle E-Business Suite audit tables, the second is to build alerts and reports that correlate application and database log information.  To protect the E-Business Log and Audit tables, enable standard auditing on them.  The second step is to define the Audit Vault alerts and reports.

Below is an example of event E12 - Protect Application Audit Data

The sign-on audit tables log user logon and navigation activity for the professional forms user interface.  This data needs to be protected.

Steps
  1. Enable Standard Auditing
  2. Create Audit Vault Alert
  3. Forward to Alert to Syslog (This feature is available as of Oracle AVDF version 12.1.2)

To enable standard auditing:

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGINS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESPONSIBILITIES BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESP_FORMS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_UNSUCCESSFUL_LOGINS BY ACCESS;

 

To create an alert in Audit Vault:

Audit Vault -> Auditor -> Policy -> Alerts -> Create Alert

 

Name: E12 - Modify audit and logging

Condition:

 :TARGET_OWNER='APPLSYS' AND :EVENT_NAME in ('UPDATE','DELETE') AND :TARGET_OBJECT in ('FND_LOGINS','FND_LOGIN_RESPONSIBILITIES','FND_LOGIN_RESP_FORMS','FND_UNSUCCESSFUL_LOGINS')

Example:

 

                             

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle Audit Vault - Oracle Client Identifier and Last Login

Fri, 2015-01-30 06:00

Several standard features of the Oracle database should be kept in mind when considering what alerts and correlations are possible when combining Oracle database and application log and audit data.

Client Identifier

Default Oracle database auditing stores the database username but not the application username.  In order to pull the application username into the audit logs, the CLIENT IDENTIFIER attribute needs to be set for the application session which is connecting to the database.  The CLIENT_IDENTIFIER is a predefined attribute of the built-in application context namespace, USERENV, and can be used to capture the application user name for use with global application context, or it can be used independently. 

CLIENT IDENTIFIER is set using the DBMS_SESSION.SET_IDENTIFIER procedure to store the application username.  The CLIENT IDENTIFIER attribute is one the same as V$SESSION.CLIENT_IDENTIFIER.  Once set you can query V$SESSION or select sys_context('userenv','client_identifier') from dual.

The table below offers several examples of how CLIENT_IDENTIFIER is used.  For each example, for Level 3 alerts, consider how the value of CLIENT_IDENTIFIER could be used along with network usernames, enterprise applications usernames as well as security and electronic door system activity logs.

Oracle CLIENT_IDENTIFIER

Application

Example of how used

E-Business Suite

As of Release 12, the Oracle E-Business Suite automatically sets and updates client_identifier to the FND_USER.USERNAME of the user logged on.  Prior to Release 12, follow Support Note How to add DBMS_SESSION.SET_IDENTIFIER(FND_GLOBAL.USER_NAME) to FND_GLOBAL.APPS_INITIALIZE procedure (Doc ID 1130254.1)

PeopleSoft

Starting with PeopleTools 8.50, the PSOPRID is now additionally set in the Oracle database CLIENT_IDENTIFIER attribute. 

SAP

With SAP version 7.10 above, the SAP user name is stored in the CLIENT_IDENTIFIER.

Oracle Business Intelligence Enterprise Edition(OBIEE)

When querying an Oracle database using OBIEE the connection pool username is passed to the database.  To also pass the middle-tier username, set the user identifier on the session.  To do this in OBIEE, open the RPD, edit the connection pool settings and create a new connection script to run at connect time.  Add the following line to the connect script:

 

CALL DBMS_SESSION.SET_IDENTIFIER('VALUEOF(NQ_SESSION.USER)')

 

Last Login

Tracking when database users last logged in is a common compliance requirement.  This is required in order to reconcile users and cull stale users.  New with Oracle12c, Oracle provides this information for database users.  The system table SYS.DBA_USERS has a column, last_login. 

Example:

select username, account_status, common, last_login

from sys.dba_users

order by last_login asc;

Username

Account_Status

Common

Last_Login

C##INTEGRIGY

OPEN

YES

05-AUG-14 12.46.52.000000000 PM AMERICA/NEW_YORK

C##INTEGRIGY_TEST_2

OPEN

YES

02-SEP-14 12.29.04.000000000 PM AMERICA/NEW_YORK

XS$NULL

EXPIRED & LOCKED

YES

02-SEP-14 12.35.56.000000000 PM AMERICA/NEW_YORK

SYSTEM

OPEN

YES

04-SEP-14 05.03.53.000000000 PM AMERICA/NEW_YORK

 

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Audit Vault, Oracle Database
Categories: APPS Blogs, Security Blogs

UPDATED: Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)

Sun, 2015-01-25 20:59

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).

On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1.  Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.

Integrigy has updated the information we provided on how to validate if this security flaw exists in your environment and how to remediate the issue based on the additional information provided by Oracle.  The remediation can be done without applying the January 2015 CPU, but requires the database patch to be applied first.

For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)" for more information.

Vulnerability, Oracle E-Business Suite, Security Analysis, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Pages