Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors. To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect. This also makes the (more...)
Posted by Pete On 23/02/17 At 06:33 PM
With the upcoming on-premise release of Oracle Database 22.214.171.124, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 126.96.36.199 and 188.8.131.52. Currently (as of January 2017), only 184.108.40.206 and 220.127.116.11 are supported for CPUs.
The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0. (more...)
Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017. The past five Oracle Critical Update Updates (CPU) have included double or triple digit number of fixes for Oracle E-Business Suite. Almost all these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. Many of the 250 security vulnerabilities fixed are high risk vulnerabilities (more...)
As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers. Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts. See My Oracle Support Note ID 1596629.1 for more information.
Almost all security (more...)
I will be teaching two of my Oracle Security classes with Oracle University soon. The first is my class "Securing and Locking Down Oracle Databases". This class will be taught on the 24th January on-line via the Oracle LVC platform....[Read More]
Posted by Pete On 12/01/17 At 02:47 PM
I want to wish all readers of my site and this blog a very happy Christmas and a very prosperous New Year!! It has been some time since my last blog post; that's because we have been incredibly busy on....[Read More]
Posted by Pete On 16/12/16 At 08:54 PM
For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of (more...)
Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts. As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i. October 2016 is the last CPU patch for Oracle E-Business Suite 11i. For 12.0, the last CPU patch was October 2015.
Even though there are no more (more...)
The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter. Starting with the October 2016 CPU, only 18.104.22.168 and 22.214.171.124 are supported. In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 126.96.36.199 or 188.8.131.52. As these are terminal database releases, the final CPU patch (more...)
The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.
When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today (more...)
Quite obviously (well its obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers....[Read More]
Posted by Pete On 31/08/16 At 08:17 PM
When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.
The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:
- Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be (more...)
We provide expert Oracle Security training classes world wide to many customers privately and also at public events; either as in person classes where the instructor travels to you or via webex where the instructor teaches the classes remotely. We....[Read More]
Posted by Pete On 22/08/16 At 03:52 PM
Jolt along with Tuxedo supports PeopleSoft web requests. Specifically, Jolt is the layer between the application server and the web server. It is also described as a Java-enabled version of Tuxedo.
When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Jot security settings to ensure they are set per best practice recommendations. To do this yourself, use the table below to review your settings. These settings should also be regularly reviewed (more...)
When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Web Portal security settings to ensure they are set per best practice recommendations. To do this yourself, use the table below to review your settings.
These settings should also be regularly reviewed to ensure against configuration drift.
Allow Public Access
User sign on bypassed when direct link to a page are used – PUBLIC user access.
I have had an interesting few interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website....[Read More]
Posted by Pete On 10/08/16 At 10:23 AM
Kamil Stawiarski who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland has invited me to speak....[Read More]
Posted by Pete On 08/08/16 At 12:48 PM
Protection of sensitive data while at-rest, in-motion or in-use all need to be addressed as part of a holistic security strategy. This includes both Personally Identifiable Information (PII) as well as sensitive PeopleSoft system configurations.
When performing a PeopleSoft security audit, Integrigy reviews the use and implementation of encryption within all components of the PeopleSoft technology stack. This includes the following, all which are critical. Review yours today and contact Integrigy with any questions.
- Implementation (more...)
PeopleSoft Public users are not required to authenticate (sign on). These are generic accounts created for specific purposes, for example informational pages and/or company directories. Public users are also not subject to timeouts (session inactivity). Because no authentication is required, no sensitive data should be accessible to these users. It also goes without saying, that if you don’t need Public accounts, don’t use them.
When performing a PeopleSoft security audit, Integrigy identifies Public users and (more...)