It all started in January 2005 with Critical Patch Updates (CPU). Then Patch Set Updates (PSU) were added as cumulative patches that included priority fixes as well as security fixes. As of the October 2012 Critical Patch Update, Oracle has changed the terminology to better differentiate between patch types. This terminology will be used for the Oracle Database, Enterprise Manager, Fusion Middleware, and WebLogic.
Critical Patch Update (CPU) now refers to the overall release of security fixes each quarter rather than the cumulative database security patch for the quarter. Think of the CPU as the overarching quarterly release and not (more...)
Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Thursday, August 16, 2:00pm - 3:00pm EDT
Credit card data breaches are headline news, so organizations must properly protect credit card data or risk being tomorrow's headline. Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) security standards regardless of size or transaction volume. PCI is focused on securely handling cardholder data, but also has a significant emphasis on general IT security. The difficulty with (more...)
Upcoming Webinar: Securing 1,000 Oracle Databases - Challenges and Solutions
Thursday, July 26, 2:00pm - 3:00pm EDT
For those of you that missed this session at the recent Collaborate12 conference, please read on.
Oracle Database security checklists and standards are focused on one database, not 1,000 databases. The significant challenge is when you have 100, 500, 1,000, or even 10,000 Oracle Databases in your organization to protect. Protecting and securely maintaining a thousand Oracle Databases requires an enterprise database security framework and database security program. This session will describe how to implement a database security program with (more...)
Upcoming Webinar: The Manager's Guide to Securing the Oracle E-Business Suite
The Manager's Guide to Securing the Oracle E-Business Suite
Wednesday, June 20, 2:00pm - 3:00pm EDT
For those of you that missed this session at the recent Collaborate12 conference, please read on.
The Oracle E-Business Suite is usually an organization’s most important application and the consequences of having it compromised could be catastrophic. However, often CIOs, project managers, and technical managers have little understanding of Oracle E-Business Suite security and compliance risks and issues. This session will provide a managerial level overview of how to properly secure the application (more...)
I see an Oracle Waveset Identity Manager (previously Sun Identity Manager) Migration project as a cooking challenge where you need to recreate a given dish in a particular time frame. You are going to be using different tools and techniques in your reconstruction but it has to resemble the taste and look-and-feel of the original dish. I could guarantee that almost everyone knows how to approach the challenge. First you carefully observe the original dish by tasting and feeling its texture, then identify the individual ingredients, and finally design a recipe by choosing the right tools and applying appropriate techniques.
(more...)
I just uploaded 2 presentations I gave at the Cebit 2012.
Out of the Fire - Adding Layers of Protection when Deploying Oracle E-Business Suite to the Internet
Thursday, March 8, 2:00pm - 3:00pm EST
When you externally deploy Oracle E-Business Suite Internet enabled modules such as iSupplier, iRecruitment, or iStore, you have potentially opened your entire environment to the Internet including all your financial and HR data. There are specific risks and inherent weaknesses in an Oracle E-Business Suite external deployment that must be properly addressed to prevent data loss or malicious use.
This education webinar follows our previous webinar "Into the Fire" (available upon request) and will discuss additional (more...)
InfoWorld magazine today published detailed information regarding Oracle Database security bug CVE-2012-0082, which has associated fixes in Oracle's January 2012 Critical Patch Update. This security vulnerability specifically relates to the Oracle System Change Number (SCN) and ways to increase the SCN beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN) in order to stop processing of database transactions.
Where this vulnerability gets interesting is that the SCN is synchronized to the highest SCN when two databases are connected via a database link. Therefore, it is possible to increase a database to the near maximum SCN (more...)
I just uploaded my DOAG 2011 presentation "Best of Oracle Security 2011".
Oracle October 2011 CPU - Oracle Database Impact
Thursday, November 3, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2011 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the (more...)
Oracle October 2011 CPU - Oracle E-Business Suite Impact
Thursday, October 27, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security bugs in all the Oracle products including the
• Oracle Database,
• Oracle Application Server,
• Oracle E-Business Suite.
These patches are large, complex, and often difficult to understand for the Oracle E-Business Suite, since multiple patches are required, with some being cumulative and others needing prerequisites.
This quarterly eLearning session will focus on the October 2011 CPU and the impact on E-Business Suite environments.
Topics will include:
• a (more...)
Oracle released the Pre-Release Announcement for the Oracle CPU October 2011. The upcoming CPU will fix 4 issues in the Oracle database:
- Application Express
- Core RDBMS
- Database Vault
- Oracle Text
The highest CVSS value is 6.5 (normally a SQL Injection vulnerability). None of the issues is remotely exploitable.
Integrigy is pleased to announce our new YouTube Channel. We will be posting videos of our webinars and short topics regarding database and application security.
The following videos are available from Integrigy Webinars -
- Upgrade +1 - Improving your Security During Your Upgrade to R12
- Oracle April 2011 Critical Patch Update E-Business Suite Impact
- Internal Auditor Primer: Oracle E-Business Suite Security Risks
- Protecting Your Sensitive Data in the Oracle E-Business Suite
- Upgrade Security in Your Oracle R12 Upgrade
- Oracle July 2011 Critical Patch Update Oracle Database Impact
Link: http://www.youtube.com/Integrigy
Integrigy's CTO, Stephen Kost, will be presenting a series of webinars on Oracle's Critical Patch Update for July 2011.
Oracle July 2011 CPU - Oracle E-Business Suite Impact
Thursday, July 28, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the July 2011 CPU and the impact on E-Business Suite environments.
Topics will include:
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
(more...)
Here is a brief analysis of the pre-release announcement for the upcoming July 2011 Oracle Critical Patch Update (CPU) -
- Overall, 55 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an above average number but well within the range of previous CPUs (Apr-11=47, Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs, with the only exception being (more...)
The OAUG and NCOAUG Connection Point Release 12.1 conference is being held July 12-13, 2011 in Chicago. This event is solely focused on Oracle E-Business Suite R12 and on organizations planning to implement R12 or that have already upgraded. Integrigy will be presenting on how to secure R12 and an approach to maximize the security of your R12 implementation while minimizing effort and cost.
Upgrade Security in Your Oracle R12 Upgrade
Stephen Kost, Integrigy, CTO
Tuesday, July 12, 2011
9:45am - 10:45am
Grand Ballroom III
If you are attending and would like to chat with one of our security (more...)
Doraemon - you’ve seen him even if you don’t know his name, the cutest robotic cat from the future! He was my favorite cartoon character when growing up and he's going to help us today.
When attempting to visualize this (magic) migration tool from Oracle Waveset/Sun Identity Manager to Oracle Identity Manager 11g, (see previous blog entry
"Grown Kittens Need a New Home"), I can't help but think of Doraemon. He has a 4-dimensional pocket from which he produces gadgets and tools from the future. The Take-copter (a propeller which can be attached to anything to enable flight)
(more...)
When Oracle announced that “Oracle Identity Manager will be the strategic Identity Administration and Provisioning product moving forward" and with Oracle Waveset going into ‘sustain and converge’ mode, I was ready to offer all of my Waveset knowledge for adoption. Having delivered Sun Identity Manager projects all the way from when it was “Waveset Lighthouse” (Sun acquired Waveset in 2003), I am personally attached to everything I engineered on top of Waveset throughout the years. For the time I spent getting to know my Waveset customers, taking care of their needs and trying to build/customize the best home possible for
(more...)
Improve Security in Your Oracle R12 Upgrade
Thursday, May 12, 2010 2:00 PM - 3:00 PM EDT
The upgrade from Oracle E-Business Suite (EBS) 11i to R12 is a unique opportunity to improve the security of your implementation by resolving existing security issues, configuring R12 securely, and taking advantage of new security features in R12. This one hour education session will highlight R12 security changes and discuss a framework for a security focused R12 upgrade project.
Topics will include:
- 11i and R12 differences and changes that impact security
- R12 security enhancements and new features
- Improving security throughout the R12 upgrade (more...)