Oracle and Security


Oracle apps password security decryption issue

on Tuesday, 01 January 2013. Posted in Oracle and Security, Blog

Most Oracle Applications 11i implementations are exposed to a significant weakness in the way the application encrypts passwords: an insider may be able to circumvent all application controls by accessing any application account, or obtain the APPS database account password. The issue is a "perfect storm" created by the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted but insecure operational procedures for ad-hoc query access and cloning, and (3) multiple examples of effective, easy-to-execute exploit code for decrypting application passwords.

The attached file explains the issue in more detail and provides some tips on how to avoid this type of issue.

Attachment: Apps_password
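As an added example (not part of the original post or its attachment), the following Oracle SQL is a read-only audit a DBA can run against an 11i or R12 instance, and against every clone of it, to see how exposed the instance is to the weakness described above. It relies on two things: the APPLSYS.FND_USER table, whose ENCRYPTED_USER_PASSWORD and ENCRYPTED_FOUNDATION_PASSWORD columns hold each user's password and a per-user encrypted copy of the APPS password; and the value prefixes Oracle uses after migrating to non-reversible hashes with FNDCPASS USERMIGRATE. Those prefixes ('ZG' for reversible encryption, 'ZH' for a hash, 'ZG_DISABLED' when the APPS copy is no longer stored) are as I recall them from Oracle's FNDCPASS notes and are an assumption to verify on your own instance. The second query lists who, outside the application schemas, can read that table; those are the ad-hoc query accounts the paragraph refers to.

```sql
-- Added audit example, not the original post's code. Assumes APPLSYS.FND_USER
-- with the documented ENCRYPTED_USER_PASSWORD / ENCRYPTED_FOUNDATION_PASSWORD
-- columns; the 'ZG' / 'ZH' / 'ZG_DISABLED' prefixes are assumed from Oracle's
-- FNDCPASS USERMIGRATE documentation and must be verified locally.

-- 1. How are passwords stored?  Any row whose foundation column still holds a
--    'ZG...' value carries a reversibly encrypted copy of the APPS password,
--    which is the core of the weakness.  Active accounts are counted separately
--    because end-dated users still keep their encrypted values in the table.
SELECT user_scheme,
       apps_copy_scheme,
       COUNT(*)                                            AS accounts,
       SUM(CASE WHEN end_date IS NULL OR end_date > SYSDATE
                THEN 1 ELSE 0 END)                         AS active_accounts
FROM (
  SELECT CASE
           WHEN encrypted_user_password LIKE 'ZH%' THEN 'user pwd: hashed'
           WHEN encrypted_user_password LIKE 'ZG%' THEN 'user pwd: reversible'
           ELSE                                          'user pwd: other'
         END AS user_scheme,
         CASE
           WHEN encrypted_foundation_password = 'ZG_DISABLED' THEN 'APPS copy: not stored'
           WHEN encrypted_foundation_password LIKE 'ZG%'     THEN 'APPS copy: reversible'
           ELSE                                                   'APPS copy: other'
         END AS apps_copy_scheme,
         end_date
  FROM   applsys.fnd_user
)
GROUP  BY user_scheme, apps_copy_scheme
ORDER  BY accounts DESC;

-- 2. Who can read the table from outside the application schemas?  Direct
--    object grants plus the blanket system privileges that ad-hoc reporting
--    accounts are often given.  Grantees may be roles; expand them with
--    DBA_ROLE_PRIVS.  Every hit is an account that can copy the encrypted values
--    out of this instance, or out of a clone, which carries the same table.
SELECT grantee, privilege, grantable AS with_grant
FROM   dba_tab_privs
WHERE  owner = 'APPLSYS'
AND    table_name = 'FND_USER'
AND    grantee NOT IN ('APPS', 'APPLSYS')
UNION ALL
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'APPS', 'APPLSYS')
ORDER  BY 1, 2;
```

Run both queries on production and on each clone, since a clone that is handed to developers with a generic read-only account carries production's FND_USER rows with it. The target state is every row reporting a hashed user password and no stored APPS copy, and an empty result from the second query.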

Bank Account Security Model

on Tuesday, 01 January 2013. Posted in Oracle and Security, Blog


In Release 12, banks and bank branches are created as Trading Community Architecture (TCA) parties. Bank accounts are associated with bank branches but reside within the Cash Management application. During bank account creation you define which applications may use the account. The new model reduces the number of access points for managing bank accounts by providing a centralized user interface where all internal bank accounts are set up. Access to a bank account can be granted to multiple operating units, which eliminates the redundant, duplicate bank account setups that were previously needed under each operating unit when several operating units shared the same physical account. This also simplifies reconciliation, since one bank account in the system now corresponds to exactly one account at the bank.
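To make the model concrete, here is an added Oracle SQL access review (my example, not from the original post) that walks the structure just described: the bank and branch as HZ_PARTIES rows, the account in CE_BANK_ACCOUNTS with its per-application "use allowed" flags, and the operating units granted access through CE_BANK_ACCT_USES_ALL. Table and column names are as I recall them from the R12 Cash Management data model and are an assumption to check against your data dictionary. The second query lists the shared accounts that, under the old model, would have needed a separate setup in every operating unit.

```sql
-- Added R12 bank-account access review; not the original post's code.
-- Table and column names are assumed from the R12 Cash Management / TCA model
-- (verify with DESCRIBE or ALL_TAB_COLUMNS on your instance).

-- 1. For every internal bank account: which bank and branch party it belongs
--    to, which applications may use it at all (account level), and which
--    operating units have been granted access and with which uses enabled.
SELECT bank.party_name         AS bank_name,
       branch.party_name       AS branch_name,
       cba.bank_account_name,
       cba.bank_account_num,
       cba.currency_code,
       cba.ap_use_allowed_flag AS payables_allowed,
       cba.ar_use_allowed_flag AS receivables_allowed,
       ou.name                 AS operating_unit,
       cbau.ap_use_enable_flag AS payables_enabled_here,
       cbau.ar_use_enable_flag AS receivables_enabled_here
FROM   ce_bank_accounts      cba
JOIN   hz_parties            bank   ON bank.party_id        = cba.bank_id
JOIN   hz_parties            branch ON branch.party_id      = cba.bank_branch_id
JOIN   ce_bank_acct_uses_all cbau   ON cbau.bank_account_id = cba.bank_account_id
JOIN   hr_operating_units    ou     ON ou.organization_id   = cbau.org_id
WHERE  cba.account_classification = 'INTERNAL'
ORDER  BY bank_name, branch_name, cba.bank_account_name, operating_unit;

-- 2. Accounts shared by more than one operating unit: the cases the new model
--    exists for (one account in the system, one account at the bank, several
--    operating units using it).
SELECT cba.bank_account_name,
       cba.bank_account_num,
       COUNT(DISTINCT cbau.org_id) AS operating_units
FROM   ce_bank_accounts      cba
JOIN   ce_bank_acct_uses_all cbau ON cbau.bank_account_id = cba.bank_account_id
WHERE  cba.account_classification = 'INTERNAL'
GROUP  BY cba.bank_account_id, cba.bank_account_name, cba.bank_account_num
HAVING COUNT(DISTINCT cbau.org_id) > 1
ORDER  BY operating_units DESC;
```

Rows in CE_BANK_ACCT_USES_ALL that are assigned at legal-entity level rather than to an operating unit carry no org_id and therefore drop out of the inner join in the first query; include them with an outer join if your review needs them.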

EBS Patching Tips

on Tuesday, 01 January 2013. Posted in Oracle and Security, Blog

As of 2011, to be eligible for Extended Support on a Release 11.5.10 system you must meet defined minimum baseline patch requirements, both for core components such as the database and for the application products in use.

All EBS customers managing an 11i production instance should be familiar with the following support note: Patch Requirements for Extended Support of Oracle E-Business Suite Release 11.5.10 [ID 883202.1]

Oracle has made it mandatory to follow the guidelines in the above mentioned support document.

Most of us wait for something to break before patching an environment. In some cases that makes sense: internal resources are working on higher priorities, and a patch installation means change, which always implies technical and functional analysis and risk.

We are all facing the ongoing challenge of keeping up with the pace of required business changes. To make things worse, the underlying IT infrastructure that supports vital business functions is most often composed of heterogeneous components. As a rule of thumb, companies need to develop the reflex of having a patch strategy for every layer of the stack, and to be proactive about it.

As part of your process, make sure you look at the tools below, which can improve your current patching process.

One way to keep track of the Family Packs and Mini-packs that Oracle releases is the free utility patchset.sh (I think it should be run quarterly to manage your environment proactively).

I think the most misunderstood part of the patching process is the use of the free Oracle Patch Wizard tool. Oracle updates the PIB (Patch Information Bundle) file on a nightly basis with all high-priority and critical patch fixes required for your environment, and I don't think many people are aware that this file exists.

Two other ways to further mitigate risk:

Analyze the possibility of using the Oracle Integrated Stack Testing (OIST) product (www.oracle.com/us/corporate/features/oracle-integrated-stack-173395.pdf), and always make sure your test environment mimics production as closely as possible, with functional, peak-load, and stress testing to verify specific configurations with third-party products and home-grown applications.


Copyright 2015 Appsconsultant.com. All rights reserved.