Oracle apps password security decryption issue

on Tuesday, 01 January 2013. Posted in Oracle and Security, Blog

Most Oracle Applications 11i implementations are vulnerable to a significant security weakness in the encryption of passwords within the application: an insider may be able to circumvent all application controls by accessing any application account, or obtain the APPS database account password. This issue is really a "perfect storm" with the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted insecure operational procedures for ad-hoc query access and cloning, and (3) multiple examples of effective, easy-to-execute exploit code for decrypting application passwords.

The attached file explains the issue in more detail and provides some tips on how to avoid these types of issues.

