This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – all other requests are blocked by the default-deny rules. The URL Firewall does not protect against common web attack techniques such as those below – this what WAFs protect against:

• Denial of Service (DoS)
  
  • Flooding, recursive & oversized payloads
• Injection & Malicious Code
  
  • XXC, SQLi, logic bombs, malformed content
• Confidentiality and Integrigy
  
  • Parameter tampering, schema poisoning
• Reconnaissance Attacks
  
  • Scanning and registry disclosure
• Privilege Escalation Attacks
  
  • Race condition, format string, buffer overflow

Additional protection is required to secure Internet facing Oracle E-Business Suite web services. Third party WAFs can certainly be deployed, but Oracle Corporation’s API Gateway offers a compelling advantage for Oracle E-Business Suite clients. The API Gateway is a separate license option and is placed in front of the SOA Server (also a separate license option) to defend against the common web attack techniques specific to web services as identified above.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Whitepaper
• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Webinar
• Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Note 1375670.1)

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Suppler Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN) or when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with Oracle Training Administration (OTA) web services.

To use OSN, you must configure the both the url_fw.conf and url_fw_ws.conf file to open traffic for the XML Gateway to consume OXTA web services. The OSN documentation in places confuses OTXA and OTA.  The risk is that in the url_fw_ws.conf there are services for both the Oracle Training Administration (OTA) module as well as for the OXTA. Unless both are being used, be careful to open only the correct services.

It should also be noted that while OSN uses web services, as of 12.2.5, OSN’s web services are NOT shown as deployed in the ISG repository.  This is because OSN’s functionality is built into the Oracle E-Business Suite’s core functionality.

It is very important to note that while using OSN with trading partners over the Internet requires opening the E-Business Suite to the Internet. Unfortunately, it is not clearly stated that a WAF, ideally the API Gateway, should be used to protect OSN. Even if OSN is the only web service being used, a WAF is still required to guard the attack surface.

Lastly, the passwords used for the various OSN accounts (defined within the OSN GUI forms) need to be complex and regularly rotated. Many clients forget about these accounts.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Whitepaper
• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Webinar
• Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Note 1375670.1)

This is the tenth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Oracle Corporation has been building out Mobile and Smartphone applications for the Oracle E-Business Suite for a number of releases. Before release 12.2.5, this functionality was designed only for deployment through a corporate VPN, not through an Oracle E-Business Suite external node over the Internet (e.g. a server in DMZ).

With release, 12.2.5 external node deployment for Mobile applications is now an option. 12.2.5 bundles Oracle Mobile v4 and uses the E-Business Suite's WebLogic server.  Specifically, 12.2.5 deploys the Oracle Mobile v4 REST services through the OAFM WebLogic application.  In other words, with 12.2.5, Smartphone applications can now be Internet deployed without a need for a separate WebLogic Server; no need for a SOA Server or a separate WebLogic server.

Oracle Mobile Using Native EBS REST

To secure version 12.2.5 Oracle E-Business Suite Mobile applications, Oracle Mobile Security Services (OMSS) is used.  Check with your Oracle sales representative if OMSS is separately licensed or not. OMSS provides critical URL shortening as well as white/blacklisting and other functionality specific to deploying Oracle Mobile applications. OMSS must be properly configured and is placed in front of OAFM.

OMSS in-line before OAFM

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Whitepaper
• Oracle E-Business Suite Mobile and Web Services Security - Integrigy Webinar
• Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Note 1375670.1)

The evolution of the Oracle E-Business Suite since its inception in the late 1980s has gone through many significant changes. For example, I can personally remember in the late 1990s upgrading clients to release 10.5 of the E-Business Suite with the big change being the introduction of the APPS schema.

The introduction of the APPS schema greatly simplified the technical interdependencies of the then 40+ applications of Release 10.5 of the E-Business Suite. The most recent version of the Oracle E-Business Suite, Release 12.2, with 200+ modules, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based Redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or in other words; the APPS_NE is the APPS schema for the non-editioned APPS foundation database objects.  APPS_NE has similar elevated system privileges to APPS (e.g. SELECT ANY TABLE), but is not identical. The same password must be shared among APPLSYS, APPS, and APPS_NE. The default password for APPS_NE is 'APPS.'

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

• Integrigy Webinar New Security Features in Oracle E-Business Suite 12.2

• Steps to change the APPS, APPLSYS, and APPS_NE password using FNDCPASS or AFPASSWD for EBS 12.2 (Doc ID 1674462.1) https://support.oracle.com/rs?type=doc&id=1674462.1

• Developing and Deploying Customizations in Oracle E-Business Suite Release 12.2 (Doc ID 1577661.1) https://support.oracle.com/rs?type=doc&id=1577661.1

• Oracle E-Business Suite Security Guide Release 12.2 (Part Number E22952-15) https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T659606.htm

This is the eleventh and final posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Deploying Internet-based Oracle E-Business Suite web services requires proper configuration of the URL Firewall, both the url_fw.conf and url_fw_ws.conf and the use of a WAF – ideally the Oracle API Gateway. This recommendation applies equally to all whose only use of web services is the Oracle Supplier Network (OSN). One opening of the attack surface exposed to the Internet exposes the entire Oracle E-Business Suite.

For Mobile and Smartphone applications, due to the overall complexity and additional license requirements, it is recommended to continue using VPN for deployment instead of using an External Node. 

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Reference

The most recent version of the Oracle E-Business Suite, Release 12.2, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or in other words; the APPS_NEW is the APPS schema for the non-editioned database objects.  

There are several security implications with regard to APPS_NE:

• The same password must be shared among APPLSYS, APPS, and APPS_NE. The default password for APPS_NE is 'APPS.'
• APPS_NE has similar elevated system privileges to APPS (e.g. SELECT ANY TABLE), but is not identical. See the listing below for the 56 privileges granted to APPS_NE.
• APPS_NE must be logged, audited and monitored APPS_NE as you do APPS. APPS_NE needs to be added to your audit scripts and procedures as well as monitoring solutions

The following lists summarize the system privilege differences between APPS and APPS_NE

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

• Oracle E-Business Suite APPLSYS, APPS and APPS_NE
• Integrigy Webinar New Security Features in Oracle E-Business Suite 12.2

Last week’s unprecedented ransomware cyber attacks (http://preview.tinyurl.com/lhjfjgk) caught me working through some research on security automation. The cyber attacks evidently were attributed to an unpatched Windows XP vulnerability. When challenged with securing 1,000s of assets such as all the Windows desktops and Linux servers in an organization, automation quickly becomes a requirement.

Automation is increasingly coming up in our client conversations about how to secure the technology ‘stack’ supporting large ERP implementations such as the Oracle E-Business Suite, PeopleSoft, and SAP. For example, how do you from a security professional perspective, communicate an objective risk assessment comprehensive of both the secure baseline configuration (control adherence/violation) and security patch levels (patch/unpatched CVEs) for the Linux operating systems, virtualization software, web server, database and the ERP application itself? Without automation, it is not feasible to promptly produce risk-based assessments of the complete technology stack and to produce results that are readily expressed in a common risk measurement (e.g. CVE) not requiring deep subject matter expertise.

Automation, however, can only be considered after requirements have been defined. I have long used Security Technical Implementation Guides (STIGs) in both my research and work with clients to define security requirements. STIGs are secure configuration standards developed by the US Department of Defense for products such as the Oracle RDBMS and are freely available (http://iase.disa.mil/stigs/Pages/index.aspx). While most clients do not need their databases hardened to military specifications, STIGs are an invaluable source of security best practice thinking.

STIGs (security checklists) are only available in xml format – not PDF files. DISA does provide a utility to view and work with STIGs (http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx) which allows you to manually execute the checklist, record your findings and then export the results. See this YouTube (https://www.youtube.com/watch?v=-h_lj5sWo4A) posting for a great summary of the STIG Viewer and how to use it.

Security Content Automation Protocol (SCAP)

To answer the question of how do you automate STIG and/or security checklists, again the Department of Defense has thought through the challenges and has created the Security Content Automation Protocol (SCAP).

SCAP is a multi-purpose framework to automate the security scanning of configurations, vulnerabilities, patch checking and compliance. SCAP content is developed by the National Institute of Standards and Technologies (NIST) and the components are described in the table below. The key point is that SCAP security content (checklists) is free and that the SCAP content scanning tools are available both in open source and commercial options.

OpenSCAP

There are many tools, Integrigy’s AppSentry included (https://www.integrigy.com/products/appsentry), that will perform a STIG scan of an Oracle database. The question I was researching this week, is could I use a single SCAP tool to automate the scanning of both the Linux server and the database as well as possibly ERP configurations for PeopleSoft and/or the Oracle E-Business Suite – can could I possibly do this with open source software?

The first tool I considered was OpenSCAP (https://www.open-scap.org/). This open source tool is easy to install either on your laptop or Linux database server and has remote scanning capabilities. The example below shows the capabilities of the GUI tool ‘SCAP Workbench’ and the freely available content that is installed by default for scanning a Linux server.

This exercise quickly confirmed that there is a great deal of security automation available for Linux system security configurations. Here, though, is where I hit a wall: could OpenSCAP work with Oracle databases? While the SCAP standards clearly showed support for scanning SQL database configurations using OVAL’s SQL probes (e.g. sql_test, sql57_test etc…), I may be corrected, but the standard build of OpenSCAP do not appear to include the SQL probes.

example of scap-workbench on oel.jpeg

JOVAL

To obtain the SQL probes for SCAP scanning of database configurations, after some research, I obtained an evaluation copy of Joval Professional (http://jovalcm.com/). Joval describes themselves as allowing you to Scan anything from anywhere and to allow continuous configuration assessments for developers, enterprises, content authors and security professionals.

The installation of Joval Professional was quick and I was able to scan my laptop and remotely scan the remote Oracle Linux server without issues. The screen shot below shows the results of the remote scan of the Linux server running the Oracle RDBMS.

Joval oel6 patch scan.jpeg

With a bit of experimentation (and great customer service from Joval), I was able to quickly prove I could develop OVAL content for automated SCAP scanning of Oracle databases, either for standard database security checks or for Oracle E-Business and/or PeopleSoft configurations. One key concern with the proof-of-concept is that connection string hardcodes the user name and password. The hardcoding is certainly a security issue, but JOVAL (as well as OpenSCAP) offers python bindings. The screen shot below is a single OVAL scan that included two SQL checks as well as checks against content in the sqlnet.ora file using the OVAL probe: textfilecontent54_test. 

joval with sqlnet and sql tests.jpeg

My OVAL definition is referenced below. I am providing it as an example for others. The key points you will know is for the JOVAL connection string for Oracle:

Engine:  oracle
Version values: 11.2.0, 11.1.0, 10.2.0, 10.1.0, 9.2.0, 9.0.1
Connection string (do not use JDBC syntax): user=<username>;password=<password>;SID=<instance name>

If you want to replicate the proof-of-concept:

1. Download a trial version of Joval Professional.
2. Run a scan of your local laptop
3. Run a remote scan of Linux server running your Oracle RDBMS
4. Edit sample benchmark file (here) for your database
5. Upload the edited sample benchmark into Joval
6. Run the sample benchmark scan

What Next?

Having proven I can use OVAL to write Oracle and ERP audit checks, I will spend a bit more time expanding the POC. I am also interested in automation options for Joval and OpenSCAP exports to a NoSQL database such as MongoDB using the Asset Reporting Format (ARF) (https://scap.nist.gov/specifications/arf/). Both Joval and OpenScap have standard functionality to export results using ARF.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

Sample Oracle OVAL benchmark definition: SCAP OVAL Example Check for Oracle

SCAP

NIST SCAP site: https://scap.nist.gov/

SCAP content: https://nvd.nist.gov/ncp/repository?scap

Oracle Linux Security Guide – Using OpenSCAP: https://docs.oracle.com/cd/E37670_01/E36387/html/ol-scap-sec.html

Great summary of SCAP: https://energy.gov/sites/prod/files/cioprod/documents/Technical_Introduction_to_SCAP_-_Charles_Schmidt.pdf

OVAL

Writing OVAL content https://oval.mitre.org/documents/docs-07/Writing_an_OVAL_Definition.pdf

OVAL tutorial https://nvd.nist.gov/scap/docs/conference%20presentations/workshops/OVAL%20Tutorial%202%20-%20%20Definitions.pdf

The attached is a SCAP OVAL sql57_test example for the Oracle E-Business Suite - it will suffice for any Oracle database. To use the attached, rename the .txt extension to .xml and if you have questions and/or comments please direct them to: info@integrigy.com.

The key points you will know is for the JOVAL connection string for Oracle:

Engine:  oracle

Version values: 11.2.0, 11.1.0, 10.2.0, 10.1.0, 9.2.0, 9.0.1

Connection string (do not use JDBC syntax): user=your_username;password=your_password;SID=your_instance

Last week I posted a blog introducing SCAP and OVAL. Here is a quick follow-up with a link to a sql57_test example using the Oracle E-Business Suite - it will suffice for any Oracle database.

A great book to read first on SCAP titled ‘Security Automation Essentials’ for $15 on Amazon is a must read:  https://www.amazon.com/Security-Automation-Essentials-Streamlined-Communication/dp/0071772510. I would highly recommend this book to anyone interested in SCAP and much thanks to Witte, Cook, Kerr and Shaffer for writing it.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

An important first step is to determine if the Oracle E-Business Suite application is within the scope of GDPR.  Any application or database than contains personal information on EU citizens or residents is within the scope of GDPR, including but not limited to customers, employees, contingent works, and suppliers.  The following SQL queries will help to determine if the Oracle E-Business Suite environment contains GDPR in-scope data.  These queries are not definitive but provide at least a starting point in the GDRP scoping process.

HR - Employee, Contingent Workers, Applicants

SELECT a.country, t.user_person_type, COUNT(*)FROM hr.per_all_people_f pLEFT OUTER JOIN hr.per_person_types tON p.person_type_id = t.person_type_idLEFT OUTER JOIN hr.per_addresses aON p.person_id = a.person_idWHERE UPPER(a.country) IN('AUSTRIA','AT','BELGIUM','BE','BULGARIA','BG','CROATIA','HR','CYPRUS','CY','CZECH REPUBLIC','CZ','DENMARK','DK','ESTONIA','EE','FINLAND','FI','FRANCE','FR','GERMANY','DE','GREECE','GR','HUNGARY','HU','IRELAND','IE','ITALY','IT','LATVIA','LV','LITHUANIA','LT','LUXEMBOURG','LU','MALTA','MT','NETHERLANDS','NL','POLAND','PL','PORTUGAL','PT','ROMANIA','RO','SLOVAKIA','SK','SLOVENIA','SI','SPAIN','ES','SWEDEN','SE','UNITED KINGDOM','GB')GROUP BY a.country, t.user_person_typeORDER BY 1,2;

TCA Parties - Customers, Organizations, Persons, Groups

SELECT country, party_type, count(*)FROM (SELECT p.party_type,casewhen p.country in ('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB') then p.country || ' (PARTY)'when c.country_code in ('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB') then c.country_code || ' (CITIZENSHIP)'when l.country in ('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB') then l.country || ' (LOCATION)'else null end countryFROM ar.hz_parties pLEFT OUTER JOIN ar.hz_party_sites sON p.party_id = s.party_idLEFT OUTER JOIN ar.hz_locations lON s.location_id = l.location_idLEFT OUTER JOIN ar.hz_citizenship cON p.party_id = c.party_idWHERE p.country IN('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB')OR c.country_code IN('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB')OR l.country IN('AT','BE','BG''HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','GB'))GROUP BY country, party_typeORDER BY 1,2;

Suppliers

SELECT s.country, COUNT(*) FROM ap.ap_supplier_sites_all sWHERE UPPER(s.country) IN('AUSTRIA','AT','BELGIUM','BE','BULGARIA','BG','CROATIA','HR','CYPRUS','CY','CZECH REPUBLIC','CZ','DENMARK','DK','ESTONIA','EE','FINLAND','FI','FRANCE','FR','GERMANY','DE','GREECE','GR','HUNGARY','HU','IRELAND','IE','ITALY','IT','LATVIA','LV','LITHUANIA','LT','LUXEMBOURG','LU','MALTA','MT','NETHERLANDS','NL','POLAND','PL','PORTUGAL','PT','ROMANIA','RO','SLOVAKIA','SK','SLOVENIA','SI','SPAIN','ES','SWEDEN','SE','UNITED KINGDOM','GB')GROUP BY s.countryORDER by 1;

Oracle E-Business Suite 12.2 introduced a number of new security features, enhancements, and changes. With each successive release of 12.2, new security features have been added and key improvements have been made to a number of these new features. Some of the most important new security features have been back-ported to previous Oracle E-Business Suite version even including 11i. This Webinar will examine the new security features that you should be implementing and leveraging immediately in order to secure your Oracle E-Business Suite environment.

Video

Enforcement of the European Union’s General Data Protection Regulation (GDPR) began on May 25, 2018, and this extensive new privacy law impacts all Oracle E-Business Suite environments that contain any personal information of EU residents. GDPR mandates good IT security practices and there are significant fines in the case of a breach or misuse of personal information. This educational webinar will review the current state of GDPR in context of an Oracle E-Business Suite environment and provide recommendations for securing the application in order to comply with the GDPR requirements based on lessons learned from the past year.

"Java is the biggest vulnerability for US computers" states CSO Magazine. The Oracle E-Business Suite (EBS) runs on Java - both the server and professional forms interface. There are multiple Java installations as part of the Oracle EBS implementation on the server as well as distributed to end-users. Often these Java installations are not upgraded or sometimes cannot be upgraded to the most recent Java version. Typically, between 5 to 20 Java security vulnerabilities are patched each quarter by the Oracle Critical Patch Update to fix security bugs such as Java deserialization. This educational webinar reviews the usage of Java within Oracle EBS, discusses how Java security vulnerabilities can used to exploit the different EBS tiers, and provides strategies on how to protect your environment from attackers exploiting unpatched Java security bugs.

Heading to COLLABORATE 19? For the 12th consecutive year, Integrigy will be presenting on Oracle E-Business security, Oracle Database security, and PeopleSoft security. If you will be attending, be sure to schedule in one or more of our presentations.

Oracle E-Business Suite Security

Top 10 Oracle E-Business Suite Security Risks Tuesday April 9 - 10:30 AM-11:30 AM - GH 4th FL Republic C

How to Close the Window between Oracle CPU Security Release and Deployment Tuesday April 9 - 4:30 PM-5:30 PM - GH 4th FL Republic C

GDPR Compliance and the Oracle E-Business Suite Revisited Thursday April 11 - 9:15 AM-10:15 AM - GH 4th FL Seguin B

Oracle Database Security

An Introduction to Oracle Database Security Wednesday April 10 - 8:00 AM-9:00 AM - CC 2nd FL 221A 

Hacking an Oracle Database and How to Prevent It Wednesday April 10 - 2:00 PM-3:00 PM - CC 2nd FL 205 

Oracle Database Multitenant Security Explained Thursday April 11 - 8:00 AM-9:00 AM - CC 2nd FL 206B

PeopleSoft Security

Top 10 Security Risks in a PeopleSoft Environment Monday April 8 - 4:30 PM-5:30 PM - GH 3rd FL Bonham D

The Oracle E-Business Suite is a complex application with multiple tiers and technologies, which makes properly securing an Oracle EBS environment challenging. This educational session focuses on the top ten security risks and how to solve them in the Oracle E-Business Suite and the technology stack including the Oracle Database and application server. When hardening the application, it is important to prioritize the highest security risks and remediate those risks first. Each risk will be reviewed to highlight the risk and recommended remediation.

The auditing and logging capabilities within the Oracle E-Business Suite and Oracle Database are sophisticated and able to satisfy most organizations' security and compliance requirements.  However, the auditing and logging setup and usage of the data can be complex and error-prone. This educational webinar outlines the auditing and logging capabilities available at different layers of the application and provides recommendations on how to configure auditing and logging to capture critical application and security events. A framework and architecture for centralizing the audit data in Splunk for alerting reporting is presented.

Oracle 19c database is now certified with the E-Business Suite. Oracle 19c delivers several new important security features that will be of value to E-Business Suite professionals needing to meet security and compliance requirements. New Oracle 19c security features are reviewed including Active Directory integration, privilege analysis, auditing of top-level SQL statements, and how to leverage these features in the Cloud. Oracle 19c database security changes including the desupport of UTL_FILE_DIR and the mandatory migration to container database are discussed.  

Two Oracle E-Business Suite security vulnerabilities (CVE-2019-2638, CVE-2019-2633) fixed in April 2019 Oracle Critical Patch Update (CPU) have been recently publicized. These vulnerabilities allow an attacker to execute arbitrary SQL statements in the Oracle E-Business Suite data that can result in complete compromise of the environment including fraudulent transactions, changing of bank accounts, and circumvention of application security controls. Integrigy’s AppDefend, the application firewall for Oracle E-Business Suite, is the only solution that provides virtual patching for and proactive defense against these vulnerabilities.

These two vulnerabilities are in the Oracle E-Business Suite (EBS) TCF Server, which provides services to the professional Forms interface for a limited set of Forms. TCF Server is implemented and enabled in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2. It can not be disabled without a customization to Oracle EBS.

TCF Server is a servlet running as part of the standard Oracle EBS web application server and communicates using HTTP or HTTPS between the Forms Java client and the web application server. For R12, the servlet is available at the URL /OA_HTML/AppsTCFServer. It uses a proprietary application-level protocol to communicate between the Forms client and server.

The risk is that unlike most Oracle EBS SQL injection vulnerabilities that only allow for fragments of SQL statements to be appended to standard Oracle EBS SQL statements being executed, these security bugs allow execution of complete SQL statements as the Oracle EBS APPS database account. When evaluating the risk of these vulnerabilities in your environment, it is important to differentiate between external access to the Oracle EBS environment through the Internet when modules like iSupplier, iStore, and iRecruitment are being used and internal access from only your internal network. The risk from external access is critical and should be immediately addressed. The internal risk is still high and dependent on the security posture of your internal network. It is important to realize that non-Oracle EBS aware web application firewalls, database security tools, and other network security products will not provide any protection from successful exploitation of these vulnerabilities.

Integrigy AppDefend is the only solution that provides virtual patching for and proactive defense against these TCF Server vulnerabilities as well other Oracle EBS security vulnerabilities. Integrigy recognized the potential issues with TCF Server and even the first release of AppDefend for R12 in 2007 blocked external access to the TCF Server by default.

AppDefend provides multiple layers of protection against TCF Server vulnerabilities as follows -

1. Blocks all access to TCF Server externally (since 2007).
2. Enforces Oracle EBS access control for TCF Server allowing only authorized EBS users to access to the TCF Server (since 2018).
3. Whitelists the functions accessible through TCF Server (since 2018).
4. Blocks specific vulnerabilities in TCF Server (2018, 2019).
5. Advanced SQL injection protection optimized specifically for Oracle EBS will detect and block most of the SQL statements used in TCF Server and other 0-day attacks. (since 2007).

If you do not have AppDefend, applying the latest Oracle Critical Patch Update for Oracle EBS will remediate these specific vulnerabilities and for external sites it is critical that the Oracle EBS URL Firewall is implemented as documented in Appendix E of My Oracle Support Note ID 380490.1. However, these solutions will not protect you prior to applying the security patches or against future TCF Server vulnerabilities and other Oracle EBS 0-day attacks.

Please let us know if you have any questions regarding the latest Oracle EBS security vulnerabilities at info@integrigy.com.

How does Oracle E-Business Suite security change when you move to the Cloud? Running Oracle E-Business Suite at Oracle Cloud Infrastructure or Amazon Web Services provides both security advantages and disadvantages. However, you still own your data and are still responsible for making sure that data is secure. This educational webinar will first discuss the key security differences between running Oracle E-Business Suite in the Cloud vs. on-premise. Security advantages and disadvantages of running Oracle E-Business Suite in the Cloud will be reviewed related to architecture, provisioning, separation of duties, patching, encryption, and privilege management.