Posted by Pete On 23/03/17 At 03:22 PM
Posted by Pete On 22/03/17 At 08:24 PM
Integrigy Collaborate17 Schedule – Nine Presentations on Oracle, E-Business Suite and PeopleSoft Security
Integrigy is presenting nine (9) papers this year at Collaborate17 (https://collaborate.oaug.org/). Below is our schedule. If you have questions, or would like to meet with us while at Collaborate17, please contact us at firstname.lastname@example.org.
Sunday Apr 02, 2017
1:45 PM - 2:45 PM
Oracle E-Business Suite 12.2 Security Enhancements
Speaker: Stephen Kost
1:45 PM - 2:45 PM
How to Control and Secure Your DBAs and Developers (more...)
This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:
If you have any questions, please contact us at email@example.com
This is the fourth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Physically deploying REST services with 12.2 is straightforward. REST is an architectural style and not a protocol and is best used to support lightweight and “chatty” interfaces such as Mobile applications. With 12.2, REST Web Application Description Language (WADL) interface definition files are generated within (more...)
Posted by Pete On 15/03/17 At 07:52 PM
Posted by Pete On 14/03/17 At 06:16 PM
This is the third posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Web services are physically deployed differently depending on whether they are defined using Representational State Transfer (REST) or Simple Object Access Protocol (SOAP). Logically, however, both REST and SOAP web services are deployed from within the Integrated SOA Gateway (ISG). Refer to the E-Business Suite’s documentation for (more...)
This is the second posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.
Approximately 2,900 web services are created with an update to or installation of 12.2 and are defined in the table APPLSYS.FND_IREP_CLASSES. Within the Oracle E-Business Suite’s user interface, the Integrated SOA Gateway (ISG) module is used to deploy the web services defined in APPLSYS.FND_IREP_CLASSES. Key (more...)
Posted by Pete On 02/03/17 At 09:10 AM
Posted by Pete On 28/02/17 At 01:06 PM
Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors. To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect. This also makes the (more...)
Posted by Pete On 23/02/17 At 06:33 PM
With the upcoming on-premise release of Oracle Database 220.127.116.11, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 18.104.22.168 and 22.214.171.124. Currently (as of January 2017), only 126.96.36.199 and 188.8.131.52 are supported for CPUs.
The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0. (more...)
Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017. The past five Oracle Critical Patch Updates (CPU) have included double- or triple-digit numbers of fixes for Oracle E-Business Suite. Almost all of these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. Many of the 250 security vulnerabilities fixed are high-risk vulnerabilities (more...)
As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers. Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts. See My Oracle Support Note ID 1596629.1 for more information.
Almost all security (more...)
I will be teaching two of my Oracle Security classes with Oracle University soon. The first is my class "Securing and Locking Down Oracle Databases". This class will be taught on the 24th January on-line via the Oracle LVC platform....[Read More]
Posted by Pete On 12/01/17 At 02:47 PM
For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) includes a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score of 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of (more...)
Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts. As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i. October 2016 is the last CPU patch for Oracle E-Business Suite 11i. For 12.0, the last CPU patch was October 2015.
Even though there are no more (more...)
The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter. Starting with the October 2016 CPU, only 184.108.40.206 and 220.127.116.11 are supported. In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 18.104.22.168 or 22.214.171.124. As these are terminal database releases, the final CPU patch (more...)