Going Without CPU Patches on Oracle E-Business Suite 11i?

Similar documents
mission critical applications mission critical security Oracle Critical Patch Update October 2011 E-Business Suite Impact

mission critical applications mission critical security Oracle Critical Patch Update July 2011 E-Business Suite Impact

Oracle E-Business Suite and Java Security What You Need to Know

mission critical applications mission critical security Oracle Critical Patch Update July 2011 Oracle Database Impact

mission critical applications mission critical security Oracle Critical Patch Update October 2011 Oracle Database Impact

New Security Features in Oracle E-Business Suite 12.2

Oracle Critical Patch Updates: Insight and Understanding. Stephen Kost Integrigy Corporation

New Oracle EBS Security Features You Can Use Now

Integrigy Consulting Overview

Oracle Database Logging and Auditing

PeopleSoft - Top 10 Security Risks

Hacking an Oracle Database and How to Prevent It

WebLogic Security Top Ten

PCI Compliance in Oracle E-Business Suite

Securing Oracle 12 Multitenant Pluggable Databases

Hidden Security Threats in Oracle E-Business Suite

Real World Database Auditing. Stephen Kost Integrigy Corporation Session # 602

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

McAfee Database Security

<Insert Picture Here> E-Business Suite Technology Stack Certification Roadmap

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Oracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

K12 Cybersecurity Roadmap

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Oracle E-Business Suite Certified with Oracle Database Vault Certification Overview

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Oracle Critical Patch Update - January 2007

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

epldt Web Builder Security March 2017

GOING WHERE NO WAFS HAVE GONE BEFORE

How were the Credit Card Numbers Published on the Web? February 19, 2004

Risk Intelligence. Quick Start Guide - Data Breach Risk

CoreMax Consulting s Cyber Security Roadmap

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Apache Tomcat for your environment. Mark Thomas March 2009

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

WHITE PAPER. Automate Reconciliation of Ticket Numbers Using Client Id in Oracle Database Audit Streams

What s new in PI System Security?

Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Cassandra Database Security

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Oracle Audit Vault. Trust-but-Verify for Enterprise Databases. Tammy Bednar Sr. Principal Product Manager Oracle Database Security

Certified Secure Web Application Engineer

What s new in PI System Security?

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

Web Security. Outline

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

Product Versioning and Back Support Policy

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

CSWAE Certified Secure Web Application Engineer

Cyber Security Audit & Roadmap Business Process and

Oracle Database Security Assessment Tool

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Access Manager 4.2 Service Pack 5 (4.2.5) supersedes Access Manager 4.2 Service Pack 4.

Oracle Database Vault and Applications Unlimited Certification Overview

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Virtualizing Oracle on VMware

Threat Centric Vulnerability Management

Jeff Offutt. SWE 432 Design and Implementation of Software for the Web. Web Applications

How to construct a sustainable vulnerability management program

Oracle Database Listener Security Guide. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Security Configuration Assessment (SCA)

Application security : going quicker

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Penetration Testing. James Walden Northern Kentucky University

Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

An Introduction to Runtime Application Self-Protection (RASP)

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

Managed Application Security trends and best practices in application security

W H IT E P A P E R. Salesforce Security for the IT Executive

Database Attacks, How to protect the corporate assets. Presented by: James Bleecker

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Roy Swonger Vice President Database Upgrades & Utilities Oracle Corporation

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

New! Checklist for HIPAA & HITECH Compliance Pabrai

Exploiting new default accounts in SAP systems

Qualys Cloud Platform (VM, PC) v8.x Release Notes

IT infrastructure layers requiring Privileged Identity Management

Hacking by Numbers OWASP. The OWASP Foundation

Art of Performing Risk Assessments

Transcription:

Going Without CPU Patches on E-Business Suite 11i? September 17, 2013 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation

About Integrigy ERP Applications E-Business Suite Databases and Microsoft SQL Server Products Services AppSentry ERP Application and Database Security Auditing Tool AppDefend Enterprise Application Firewall for the E-Business Suite Validates Security Protects EBS Verify Security Ensure Compliance Build Security Security Assessments ERP, Database, Sensitive Data, Pen Testing Compliance Assistance SOX, PCI, HIPAA Security Design Services Auditing, Encryption, DMZ You

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Why are CPU Patches Not Applied? Critical Patch Updates (CPU) are not applied to many 11i environments due to support, testing, downtime, and application issues. Lack of IT Management and DBA prioritization of security patches and periodic technical upgrades Unsupported application or database versions Must be on the 11i minimum baseline Dropped Support or using third-party support CPU patches require current Support

E-Business Suite CPU Support 2008 2009 2010 2011 2012 2013 2014 11.5.7 11.5.8 11.5.9 11.5.10 11.5.10.2 RUP 5/6 RUP 6/7 11.5.10.2 Minimum Baseline (2) Extended Support (fees waived) Sustaining (1) (CPUs until Oct 14) (1) See My Support Doc ID 1495337.1-11i last CPU is October 2014 (2) See My Support Doc ID 883202.1

Database CPU Support 2008 2009 2010 2011 2012 2013 2014 9.2.0.8 Extended Support 10.1.0.5 Extended Support 10.2.0.4 (11.5.10.2 only) 10.2.0.5 (11.5.10.2 only) Extended Support 11.1.0.7 (11.5.10.2 only) Extended Support 11.2.0.x (11.5.10.2 only)

Jan-05 Apr-05 Jul-05 Oct-05 Jan-06 Apr-06 Jul-06 Oct-06 Jan-07 Apr-07 Jul-07 Oct-07 Jan-08 Apr-08 Jul-08 Oct-08 Jan-09 Apr-09 Jul-09 Oct-09 Jan-10 Apr-10 Jul-10 Oct-10 Jan-11 Apr-11 Jul-11 Oct-11 Jan-12 Apr-12 Jul-12 Oct-12 Jan-13 Apr-13 Jul-13 Security Bug Count Maximum CVSS 2.0 Score Security Vulnerabilities per Quarter 75 10 9 8 50 7 6 5 25 4 3 2 1 0 0 Critical Patch Update Database Bugs E-Business Suite Bugs Database CVSS 2.0 E-Business Suite CVSS 2.0

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Critical Patch Updates Database Baselines Database Version Upgrade Patch Included CPU 10.2.0.4 April 2008 10.2.0.5 October 2010 11.1.0.6 October 2007 11.1.0.7 January 2009 11.2.0.1 January 2010 11.2.0.2 January 2011 At time of release, the latest available CPU is included. 11.2.0.3 July 2011

CPU Baselines and Terminal Patches Database Version Upgrade Patch Included CPU Terminal CPU 10.2.0.4 April 2008 July 2011 10.2.0.5 October 2010 July 2013 (ES) 11.1.0.6 October 2007 July 2009 11.1.0.7 January 2009 July 2015 11.2.0.1 January 2010 July 2011 11.2.0.2 January 2011 October 2013 11.2.0.3 July 2011 TBD ES = Extended Support TBD = Date not yet announced

Database CPU Risks and Threats The risk of database security vulnerabilities depends if an attacker has a database account or can obtain a database account. Type of User Unauthenticated user Database Account No Description Can connect to database listener if IP address, port, SID is known Low privileged user Yes Only PUBLIC privileges Moderate privileged user Yes Some privileges High privileged user Yes DBA like privileges

Jan-05 Apr-05 Jul-05 Oct-05 Jan-06 Apr-06 Jul-06 Oct-06 Jan-07 Apr-07 Jul-07 Oct-07 Jan-08 Apr-08 Jul-08 Oct-08 Jan-09 Apr-09 Jul-09 Oct-09 Jan-10 Apr-10 Jul-10 Oct-10 Jan-11 Apr-11 Jul-11 Oct-11 Jan-12 Apr-12 Jul-12 Oct-12 Jan-13 Apr-13 Jul-13 Cumulative Vulnerabilities per DB Version 250 9.2.0.8 Extended Support Oct 2007 10.1.0.5 Extended Support Apr 2009 10.2.0.4 Extended Support Oct 2011 223 200 150 136 100 9.2.0.8 10.1.0.5 10.2.0.4 50 33 0 Cumulative maximum count of open security vulnerabilities assuming no Critical Patches have been applied since the start of Extended Support

11.2.0.2 CPU Risk Mapping Type of User Unauthenticated user No database account Low privileged user Create session system privilege only Moderate privileged user Create table, procedure, index, etc. High privileged user DBA s, local OS access, etc. Number of Security Bugs 9 7 6 7 Notes 1 O5LOGON Authentication 7 Denial of service (DoS) Averages one per CPU Requires only PUBLIC privileges (APPLSYSPUB!!!) Usually requires CREATE PROCEDURE system privilege 2 SYSDBA privileges 3 Advanced privileges 2 Local OS access

Solutions by Risk for No CPUs Type of User Solutions if CPUs not applied Unauthenticated user No database account Low privileged user Create session system privilege only #1 Limit direct access to the database #2 Use only named accounts #3 No generic read-only accounts #4 Change APPLSYSPUB password #5 Check for default passwords Moderate privileged user Create table, procedure, index, etc. High privileged user DBA, SYSDBA, local OS access, etc. #6 Limit privileges in production #7 Use Database Vault #8 External database auditing solution #9 Limit OS access for prod to DBAs

#1 Limit Database Access 1. Enterprise firewall and VPN solutions At least block all direct database access outside of the data center 2. SQL*Net Valid Node Checking Included with database Block access by IP address 3. Connection Manager SQL*Net proxy server, included with database Block access by IP address or range 4. Database Vault Add-on database security product

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Critical Patch Updates EBS 11i Baselines EBS Version Included CPU 11.5.9 CPUs were not available yet 11.5.10 April 2005 11.5.10.2 July 2005 12.0.6 October 2008 12.1.3 July 2010 At time of release, the latest available CPU is included.

Cumulative Vulnerabilities per 11i Version 120 11.5.9 No Support 11.5.10 RUP 6 Required 11.5.10.2 Minimum Baseline Required 107 100 80 76 60 54 40 20 11.5.9 11.5.10 11.5.10.2 0

EBS CPU Risks and Threats The risk of E-Business Suite security vulnerabilities depends if the application is externally accessible and if the attacker has a valid application session. Type of User Application Session Description External unauthenticated user No Access external URL External authenticated user Yes Any responsibility Internal unauthenticated user No Access internal URL Internal authenticated user Yes Any responsibility

11.5.10.2 CPU Risk Mapping Type of User Number of Security Bugs Notes External unauthenticated user 21 (1) 17 of 21 are high risk External authenticated user 6 (1) 3 of 6 are exploited with only a valid application session Internal unauthenticated user 17 Many are high risk Internal authenticated user 10 Most require access to specific module in order to exploit (1) Assumes URL firewall is enabled and count is for all external i modules (isupplier, istore, etc.).

Solutions by Risk for No CPUs Type of User Solutions if CPUs not applied External unauthenticated user External authenticated user Internal unauthenticated user Internal authenticated user #1 Enable EBS URL firewall #2 Implement Integrigy s AppDefend #3 Enable EBS external responsibilities #4 Implement Integrigy s AppDefend #5 Limit access to privileged responsibilities

EBS DMZ MOS Notes Deploying E-Business Suite in a DMZ requires a specific and detailed configuration of the application and application server. All steps in the provided MOS Note must be followed. 287176.1 DMZ Configuration with E-Business Suite 11i 380490.1 E-Business Suite R12 Configuration in a DMZ MOS = My Support

URL Firewall EBS DMZ Configuration 11i Application Server Client Browser https Apache OC4J Java Server Pages (JSP) 8,000 JSP pages 90 OA Framework (OA/RF.jsp) 11,600 pages 250 3 Core Servlets 30 servlet classes Node Trust Level 2 APPS Database Web Services Servlets 70 servlet classes 1 Forms 4,000 forms Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area eliminates possible exploiting of vulnerabilities in non-external modules.

Integrigy AppDefend for EBS AppDefend is an enterprise application firewall designed and optimized for the E-Business Suite. Prevents Web Attacks Detects and reacts to SQL Injection, XSS, and known EBS vulnerabilities Limits EBS Modules More flexibility and capabilities than URL firewall to identify EBS modules Application Logging Enhanced application logging for compliance requirements like PCI-DSS 10.2 Protects Web Services Detects and reacts to attacks against native EBS web services (SOA, SOAP, REST)

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Web Listener (Apache) 11.5.10.2 Application Server Apache 1.3.19 released Feb 2001 Application Server Version circa 1999 Apache 1.3 de-supported Feb 2010 JServ JSP BC4J modplsql Reports Removed in R12 9iAS 1.0.2.2.2 de-supported for non-ebs use in 2005 Forms 9iAS 1.0.2.2.2 8.0.6.3 Home

App Server CPU Risks and Threats The risk of EBS application server is mostly related to unpatched security vulnerabilities in the Apache and other web components. Risk Unpatched Known Apache 1.3 Vulnerabilities Unpatched Unknown Apache 1.3 Vulnerabilities Unpatched Forms and Reports Vulnerabilities Description Limited set of patched Apache 1.3 security vulnerabilities. Apache 1.3 is un-supported and security vulnerabilities are not researched or patched. Discovered vulnerabilities in other Apache versions may be exploitable in Apache 1.3. Limited set of patched Forms and Reports vulnerabilities with low impact to EBS.

EBS 11i Application Server Patches 2007 2008 2009 2010 2011 2012 2013 CVE-2006-3747 CVE-2006-3918 CVE-2011-3368 undisclosed ias 1.0.2.2.2 5700129 14510576 Forms/ Reports 6i (requires P19) 5687261/ 5686997 REP01 CVE-2008-2619 Reports 6859224 CVE-2012-0073 Forms 13384700

Solutions by Risk for No CPUs Risk Solutions if No CPUs Applied Unpatched Known Apache 1.3 Vulnerabilities Unpatched Unknown Apache 1.3 Vulnerabilities #1 Implement Integrigy s AppDefend #2 Implement Web Application Firewall Unpatched Forms and Reports Vulnerabilities #3 Limit access to privileged responsibilities

Agenda 11i CPU Overview E-Business Suite Q&A 1 2 3 4 5 Database Application Server

Contact Information Stephen Kost Chief Technology Officer Integrigy Corporation web: www.integrigy.com e-mail: info@integrigy.com blog: integrigy.com/oracle-security-blog youtube: youtube.com/integrigy Copyright 2013 Integrigy Corporation. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback