Oracle Database Listener Security Guide – Rewritten For Oracle 12.2

In October 2002 Integrigy first posted a guide to securing the Oracle Listener. Since then this whitepaper has been our most popular download. This month we rewrote the whitepaper for Oracle 12c, inclusive of 12.2

Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. This whitepaper is an overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it are (more...)

Is SQL Injection A WebSite Problem?

I saw a post on RobLockards Facebook page this week where he said some people have suggested that his SQL Injection talk only shows calling a procedure from SQLCl and not a web page and he suggests that he may....[Read More]

Posted by Pete On 31/03/17 At 03:38 PM

Oracle E-Business Suite Mobile and Web Services Security Explained – Starting with URL Firewall

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle 12.2? To start at the beginning, the “front door” of the Oracle E-Business Suite is its web server, the Apache server deployed within the WebLogic server that is installed with release 12.2. To secure an Apache web server largely (more...)

Creditcard and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here Oracle E-Business Suite: Credit Cards and PCI Compliance

With Release 12 of the Oracle E-Business Suite, Oracle consolidated into the new Payments module, new functionality to encrypt credit cards and external bank accounts. Integrigy’s recommendation in January 2014 was that if encryption was enabled, that (more...)

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than for REST. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. (more...)

Integrigy Collaborate17 Schedule – Nine Presentations on Oracle, E-Business Suite and PeopleSoft Security

Integrigy is presenting nine (9) papers this year at Collaborate17 (https://collaborate.oaug.org/) Below is our schedule. If you have questions, or would like to meet with us while at Collaborate17, please conact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM     2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM     2:45 PM

How to Control and Secure Your DBAs and Developers (more...)

PeopleSoft Security

This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:

Guide to PeopleSoft Logging and Auditing

How to Control and Secure PeopleSoft DBAs and Developers

PeopleSoft Database Security

PeopleSoft Database Security Webinar

PeopleSoft Database Secure Baseline Configuration

PeopleSoft Security Quick Reference

If you have any questions, please contact us at info@integrigy.com

 

 
Oracle PeopleSoft, Whitepaper

Deploying Oracle E-Business Suite 12.2 REST Web Services

This is the forth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying REST services with 12.2 is straightforward. REST is an architectural style and not a protocol and is best used to support lightweight and “chatty” interfaces such as Mobile applications.  With 12.2, REST Web Application Description Language (WADL) interface definition files are generated within (more...)

Deploying Oracle E-Business Suite Web Services

This is the third posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web services are physically deployed differently depending on whether they are defined using Representational State Transfer (REST) or Simple Object Access Protocol (SOAP).  Logically, however, both REST and SOAP web services are deployed from within the Integrated SOA Gateway (ISG). Refer to the E-Business Suite’s documentation for (more...)

Oracle E-Business Suite 12.2 Mobile and Web Services Architecture

This is the second posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Approximately 2,900 web services are created with an update to or installation of 12.2 and are defined in the table APPLSYS.FND_IREP_CLASSES. Within the Oracle E-Business Suite’s user interface, the Integrated SOA Gateway (ISG) module is used to deploy the web services defined in APPLSYS.FND_IREP_CLASSES. Key (more...)

Oracle E-Business Suite Mobile and Web Services Security – What You Need To Know

Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors.  To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect.  This also makes the (more...)

Oracle Database 11.2.0.4 and 12.1.0.2 New CPU End Dates

With the upcoming on-premise release of Oracle Database 12.2.0.1, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 11.2.0.4 and 12.1.0.2.  Currently (as of January 2017), only 11.2.0.4 and 12.1.0.2 are supported for CPUs.

The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0. (more...)

Oracle E-Business Suite: 250 Security Vulnerabilities Fixed in the Last Year

Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017.  The past five Oracle Critical Update Updates (CPU) have included double or triple digit number of fixes for Oracle E-Business Suite.  Almost all these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2.  Many of the 250 security vulnerabilities fixed are high risk vulnerabilities (more...)

Oracle E-Business Suite 11i – Critical Patch Updates Extended for Tier 1 Support

As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers.  Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts.  See My Oracle Support Note ID 1596629.1 for more information.

Almost all security (more...)

Oracle Discoverer Security Alert – High impact to SOX Compliance and Financial Reporting

For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of (more...)

Oracle E-Business Suite 11i – October 2016 is Last Critical Patch Update

Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts.  As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i.  October 2016 is the last CPU patch for Oracle E-Business Suite 11i.  For 12.0, the last CPU patch was October 2015.

Even though there are no more (more...)

Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter.  Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported.  In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 12.1.0.2 or 11.2.0.4.  As these are terminal database releases, the final CPU patch (more...)

PeopleSoft Data Mover Security

The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.

When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today (more...)

PeopleSoft User Security

When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.

The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be (more...)

DOAG 2015: Best of Oracle Security 2015

Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found/modified released in 2015 in various sources.

One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.02, fixed in April 2015 CPU). This bug can be used as helper (more...)