
Deploying Oracle EBS To The Internet


Common Mistakes When Deploying Oracle E-Business Suite to the Internet

February 9, 2017

Stephen Kost, Chief Technology Officer, Integrigy Corporation
Phil Reimann, Director of Business Development, Integrigy Corporation
About Integrigy

Focus areas:
- ERP Applications: Oracle E-Business Suite, PeopleSoft, Oracle Retail
- Databases: Oracle, Microsoft SQL Server, DB2, Sybase, MySQL

Products:
- AppSentry (validates security): ERP Application and Database Security Auditing Tool
- AppDefend (protects Oracle EBS): Enterprise Application Firewall for the Oracle E-Business Suite

Services:
- Verify Security: Security Assessments (ERP, Database, Sensitive Data, Pen Testing)
- Ensure Compliance: Compliance Assistance (SOX, PCI, HIPAA, GLBA)
- Build Security: Design Services (Security Auditing, Encryption, DMZ)

Integrigy Research Team: ERP Application and Database Security Research
Agenda

1. Overview
2. URL Firewall & DMZ Configuration
3. EBS Critical Patch Updates
4. SSL
5. Q&A
Oracle EBS 12.0/12.1 DMZ Configuration

[Diagram: Client browser -> http/https -> Apache on the Oracle EBS Application Server (OC4J) -> SQL*Net -> Database (APPS schema)]

Oracle EBS Application Server components:
- Java Server Pages (JSP): 8,100 JSP pages
- OA Framework (OA/RF.jsp): 12,200 pages
- Core Servlets (OC4J): 81 servlet classes
- Web Services Servlets: 9 servlet classes
- Oracle Forms: 4,000 forms

All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages (20,000+) even if modules are not installed, licensed, or configured. Many security vulnerabilities exist in unused modules.
Oracle EBS 12.2 DMZ Configuration

[Diagram: Client browser -> http/https -> Apache on the Oracle EBS Application Server (WebLogic) -> SQL*Net -> Database (APPS schema)]

Oracle EBS Application Server components:
- Java Server Pages (JSP): 7,800 JSP pages
- OA Framework (OA/RF.jsp): 11,600 pages
- Core Servlets (WebLogic): 84 servlet classes
- Web Services Servlets: 8 servlet classes
- Oracle Forms: 3,300 forms

All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages (20,000+) even if modules are not installed, licensed, or configured. Many security vulnerabilities exist in unused modules.
Oracle EBS 11i DMZ Configuration

[Diagram: Client browser -> http/https -> Apache (2001) on the Oracle Application Server (2001), with Jserv (2000) -> SQL*Net -> Database (APPS schema)]

Oracle Application Server (2001) components:
- Java Server Pages (JSP): 15,400 JSP pages
- OA Framework (OA/RF.jsp): 5,800 pages
- Modplsql Pages: 700 packages
- Servlets (Jserv): 301 servlet classes
- Oracle Forms: 4,400 forms

All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages (20,000+) even if modules are not installed, licensed, or configured. Many security vulnerabilities exist in unused modules.
Oracle EBS 11i Web Components

| Component | 11i Version | Release Date | Non-EBS Desupport (1) |
|---|---|---|---|
| Oracle Application Server (3) | 1.0.2.2.2 | Dec 2001 | June 2004 |
| Apache (3) | 1.3.9 | Feb 2001 | Feb 2010 |
| Jserv | 1.1.2 | June 2000 | June 2006 |
| mod_security | 1.8.4 | July 2004 | May 2006 |
| OpenSSL | 0.9.5a | Sept 2000 | March 2004 |
| OpenSSL | 0.9.8zh (2) | Dec 2015 | Dec 2016 |

1. Oracle EBS 11i web components are desupported but had support exceptions for 11i environments through January 2016. As of January 2016, all support for 11i and associated technology stack components has ended.
2. OpenSSL updated from 0.9.5a to 0.9.8zh with the July 2015 Critical Patch Update for OAS 1.0.2.2.2.
3. Security vulnerabilities are patched but the version is not upgraded.
Oracle EBS DMZ MOS Notes

Deploying Oracle E-Business Suite in a de-militarized zone (DMZ) requires a specific and detailed configuration of the application and application server. All steps must be followed in the Oracle provided My Oracle Support Note.

"Oracle EBS Configuration in a DMZ":

| EBS Version | MOS Note ID |
|---|---|
| 12.2 | 1375670.1 |
| 12.1/12.0 | 380490.1 |
| 11i | 287176.1 |
Oracle EBS R12 DMZ Configuration

[Diagram: Client browser -> https -> URL Firewall -> Apache on the Oracle Application Server (OC4J) -> Database (APPS schema); Node Trust Level applied to the OA Framework pages]

Oracle Application Server components, with the figures the diagram shows after the URL Firewall and Node Trust Level are applied:
- Java Server Pages (JSP): 8,100 JSP pages, 90 after the URL Firewall
- OA Framework (OA/RF.jsp): 12,200 pages, 250 after the Node Trust Level
- Core Servlets (OC4J): 84 servlet classes, 3 after the URL Firewall
- Web Services Servlets: 8 servlet classes
- Oracle Forms: 4,000 forms

- Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area eliminates possible exploiting of vulnerabilities in non-external modules. (See MOS Note ID 380490.1)
Oracle EBS DMZ Certified Modules (R12)

Oracle only certifies a limited set of modules for use in a DMZ:

- Meets DMZ architectural requirements (i.e., no forms)
- URL Firewall rules provided for the module

Certified modules:
- iSupplier Portal (POS)
- Oracle Sourcing (PON)
- Oracle Receivables (OIR)
- iRecruitment (IRC)
- Oracle Time and Labor (OTL)
- Oracle Learning Management (OTA)
- Self Service Benefits (BEN)
- Self Service Human Resources (SSHR)
- Oracle iSupport (IBU)
- Oracle iStore (IBE)
- Oracle Marketing (AMS)
- Oracle Partner Relationship Mgmt (PRM)
- Oracle Survey (IES)
- Oracle Transportation (FTE)
- Oracle Contracts Core (OKC)
- Oracle Service Contracts (OKS)
- Oracle Collaborative Planning (SCE)
- Oracle User Management (UMX)
- Order Information Portal (ONT)
- Oracle Sales for Handhelds (ASP)
- Oracle Internet Expenses (OIE)
- Oracle Performance Management (OPM)
- Compensation Workbench (CWB)
- Oracle Payroll (PAY)
- Oracle Quoting (QOT)
- Oracle Field Service 3rd Party Portal (FSE)
EBS DMZ Architecture

[Diagram: External Users (supplier) -> https://supplier.example.com -> Firewall (existing, C) -> SSL Reverse Proxy Server (A; HTTPS, port 443) -> Firewall (optional, C) -> EBS External App Server (B; HTTP, port 8000) -> Firewall (existing, C) -> EBS Database (SQL*Net, port 1521). Internal Users -> EBS Internal App Server (port 8000) -> EBS Database (SQL*Net, port 1521).]

A. HTTPS/SSL should always be used; otherwise passwords and data are sent in the clear.
B. A reverse proxy server should be implemented, such as Apache, Blue Coat, or F5 BIG-IP.
C. Firewalls between layers block access between layers except for explicitly defined ports.
DMZ Step Appendix E – URL Firewall

[Diagram: Client browser -> https -> URL Firewall -> Apache on the Oracle R12 Application Server (OC4J) -> sqlnet -> Database (APPS schema)]

Oracle R12 Application Server components, with the figures the diagram shows after the URL Firewall is applied:
- Java Server Pages (JSP): 8,000 JSP pages, 90 after the URL Firewall
- OA Framework (OA/RF.jsp): 11,600 pages
- Core Servlets (OC4J): 30 servlet classes, 3 after the URL Firewall
- Web Services Servlets: 70 servlet classes
- Oracle Forms: 4,000 forms

- The URL Firewall in Appendix E is absolutely mandatory. Configure it using url_fw.conf.
- It is a whitelist of allowed JSP pages and servlets. It allows all OA Framework pages.
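As an added illustration (not part of the presentation or Oracle's own tooling), this Python evaluator replays candidate request paths through a url_fw.conf-style allowlist to confirm which pages the URL Firewall would still expose. The rule file and request paths are constructed, and the mod_rewrite semantics (rules evaluated in order, first match wins, [L] passes the request, a final [F] catch-all forbids it) are an assumption.

```python
import re
# Constructed sample in the style of the Appendix E url_fw.conf allowlist (assumption:
# mod_rewrite rules, first match wins, [L] passes the request, final [F] catch-all forbids).
SAMPLE_URL_FW_CONF = r"""
# Framework pages needed by every DMZ deployment (constructed names)
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
# Module rules: only uncomment modules certified for the DMZ
RewriteRule ^/OA_HTML/ExampleSupplierPage\.jsp$ - [L]
#RewriteRule ^/OA_HTML/ExampleInternalOnlyPage\.jsp$ - [L]
# Anything not explicitly allowed above is rejected
RewriteRule .* - [F]
"""
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+\S+\s+\[([^\]]*)\]")

def parse_url_fw(conf_text):
    """Return [(compiled_pattern, forbids)] in file order; commented rules are skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rule allows nothing
        match = RULE_RE.match(line)
        if match:
            pattern, flags = match.groups()
            rules.append((re.compile(pattern), "F" in flags.split(",")))
    return rules

def url_allowed(rules, url_path):
    """First matching rule decides; no match at all means blocked (fail closed)."""
    path = url_path.split("?", 1)[0]  # mod_rewrite matches the path, not the query string
    for pattern, forbids in rules:
        if pattern.search(path):
            return not forbids
    return False

def exposure_report(rules, request_paths):
    """Split candidate paths (e.g. from an access log) into exposed and blocked."""
    allowed = [p for p in request_paths if url_allowed(rules, p)]
    return {"allowed": allowed, "blocked": [p for p in request_paths if p not in allowed]}

# Constructed request paths to evaluate against the allowlist.
SAMPLE_REQUEST_PATHS = [
    "/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG",
    "/OA_HTML/AppsLocalLogin.jsp",
    "/OA_HTML/ExampleSupplierPage.jsp",
    "/OA_HTML/ExampleInternalOnlyPage.jsp",
    "/OA_HTML/OA.jspx",
]
```

Running `exposure_report(parse_url_fw(SAMPLE_URL_FW_CONF), SAMPLE_REQUEST_PATHS)` over a real access log's paths is a quick way to confirm the allowlist is in force and that only the intended pages reach the application.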
DMZ Steps 5.2 & 5.3 – Responsibilities

[Diagram: Client browser -> https -> Apache on the Oracle R12 Application Server (OC4J) -> Database (APPS schema); Node Trust Level applied to the OA Framework pages]

Oracle R12 Application Server components, with the figure the diagram shows after the Node Trust Level is applied:
- Java Server Pages (JSP): 8,000 JSP pages
- OA Framework (OA/RF.jsp): 11,600 pages, 250 after the Node Trust Level
- Core Servlets (OC4J): 30 servlet classes
- Web Services Servlets: 70 servlet classes
- Oracle Forms: 4,000 forms

- Step 5.2 sets the NODE_TRUST_LEVEL to EXTERNAL for the external application server.
- Step 5.3 limits the responsibilities accessible via the external application server.
DMZ Configuration

[Diagram: Client browser -> https -> URL Firewall -> Apache on the Oracle R12 Application Server (OC4J) -> Database (APPS schema); Node Trust Level applied to the OA Framework pages]

Oracle R12 Application Server components, with the figures the diagram shows after the URL Firewall and Node Trust Level are applied:
- Java Server Pages (JSP): 8,000 JSP pages, 90 after the URL Firewall
- OA Framework (OA/RF.jsp): 11,600 pages, 250 after the Node Trust Level
- Core Servlets (OC4J): 30 servlet classes, 3 after the URL Firewall
- Web Services Servlets: 70 servlet classes
- Oracle Forms: 4,000 forms

- Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area eliminates possible exploiting of vulnerabilities in non-external modules.
Common Mistakes

| Mistake | Impact | Risk |
|---|---|---|
| URL Firewall in Appendix E not enabled or incorrectly enabled | 20,000 EBS web pages exposed on the Internet; many EBS web pages may have unpatched security vulnerabilities; diagnostic and debugging may be available | High |
| EBS DMZ server not marked as external server | URL Firewall and Node Trust Level will not be enabled | High |
| Node Trust Level includes too many responsibilities | Unnecessary OA Framework web pages exposed on the Internet | Medium |
| FND_DIAGNOSTICS enabled | Attacker can access significant information on the EBS configuration | Medium |
Oracle EBS Security Vulnerabilities

581 Oracle E-Business Suite security vulnerabilities were fixed between January 2005 and January 2017.

Oracle EBS web vulnerabilities fixed:
- ~130 SQL Injection in web pages
- ~220 Cross Site Scripting
- ~40 Authorization/Authentication
- ~20 Business Logic Issues

Oracle E-Business Suite Version Support

| Version | Premier Support End Date | Extended Support End Date (1) | CPU Support End Date |
|---|---|---|---|
| EBS 12.2 | September 2021 | TBD | TBD |
| EBS 12.1 | December 2016 | December 2019 | October 2019 |
| EBS 12.0 | January 2012 | January 2015 | January 2015 |
| EBS 11.5.10 | November 2010 | November 2013 | January 2016 (2, 3); October 2017 (ACS only) |
| EBS 11.5.9 | June 2008 | N/A | July 2008 |
| EBS 11.5.8 | November 2007 | N/A | October 2007 |
| EBS 11.5.7 | May 2007 | N/A | April 2007 |

1. Extended support requires a minimum baseline patch level – see MOS Note ID 1195034.1.
2. After January 2016, CPUs are available for customers with Advanced Support Contracts.
3. 11.5.10 Sustaining support exception through January 2016 provided CPUs.
Oracle EBS Extended Support Requirements

- 12.2: EBS 12.2.3; R12.AD.C.DELTA.7
- 12.1: Basically 12.1.3; Application Server 10.1.3.5
- 12.0: EBS 12.0.6; Application Server 10.1.2.3 & 10.1.3.5; Java 6
- 11.5.10: ATG RUP 6 or ATG RUP 7

Source: MOS Note ID 1195034.1 - Oracle E-Business Suite Error Correction Support Policy (V.5 – January 2015)
Oracle Security Vulnerabilities per Quarter

[Chart: per Critical Patch Update, Security Bug Count (left axis, 0 to 100) and Maximum CVSS 2.0 Score (right axis, 0 to 10); series: Database Bugs, E-Business Suite Bugs, Database CVSS 2.0, E-Business Suite CVSS 2.0.]
Oracle EBS CPU Risks and Threats

The risk of Oracle E-Business Suite security vulnerabilities depends on whether the application is externally accessible and whether the attacker has a valid application session.

| Type of User | Application Session | Description |
|---|---|---|
| External/DMZ unauthenticated user | No | Access external URL |
| External/DMZ authenticated user | Yes | Any responsibility |
| Internal unauthenticated user | No | Access internal URL |
| Internal authenticated user | Yes | Any responsibility |


Sample CPU Risk Mapping (last CPU July 2015)

| Type of User | Number of Bugs | Security Notes |
|---|---|---|
| External unauthenticated user | 42 (1) | 19 of 42 are high risk |
| External authenticated user | 14 (1) | 10 of 14 are exploited with only a valid application session |
| Internal unauthenticated user | 197 | Many are high risk |
| Internal authenticated user | 35 | Most require access to a specific module in order to exploit |

(1) Assumes the URL firewall is enabled and the count is for all external "i" modules (iSupplier, iStore, etc.).
SQL Injection Explained

Attacker modifies the URL with extra SQL:

    http://<server>/pls/VIS/fnd_gfm.dispatch?p_path=fnd_help.get/US/fnd/@search');%20fnd_user_pkg.updateUser('SYSADMIN',%20'SEED',%20'welcome1

Oracle EBS appends the extra SQL to the SQL statement being executed:
- SQL executed as the APPS database account
- Example changes any application account password

This vulnerability was patched as part of Oracle Security Alert #32.


Common Mistakes

| Mistake | Impact | Risk |
|---|---|---|
| Oracle Critical Patch Update (CPU) EBS security patches not being routinely applied | Many SQL injection and other high risk vulnerabilities are unpatched; a number of vulnerabilities can be exploited even if the DMZ is properly configured with URL Firewall and Node Trust Level; most EBS vulnerabilities are not blocked by commercial Web Application Firewalls or other security tools; must use an EBS specific security tool to block known and 0-day security vulnerabilities, such as AppDefend | Critical |
Oracle EBS SSL MOS Notes

Enabling SSL for Oracle E-Business Suite in a DMZ requires a complex setup because of certificates. Follow the steps for configuring SSL in the "Middle Tier." SSL configuration was updated in July 2016 to support TLS 1.1 and TLS 1.2.

"Enabling SSL/TLS in Oracle E-Business Suite":

| EBS Version | MOS Note ID |
|---|---|
| 12.2 | 1367293.1 (Previous 2143101.1) |
| 12.1/12.0 | 2143099.1 (Previous 376700.1) |
| 11i | 123718.1 |
Oracle EBS HTTP Network Traffic

Login request captured over plain HTTP; without SSL the username and password are readable in the request body:

    POST http://oa.integrigy.com:8010/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG HTTP/1.1

    _AM_TX_ID_FIELD=1wcuM2LWP
    _FORM=DefaultFormNameKBTL4xsJ
    usernameField=SYSADMIN
    passwordField=MYPASSWORD
    SubmitButton%24%24unvalidated=falseI_3t5ZET
Using SSL Encryption

Encrypt all end-user traffic externally as well as internally.

1. Use SSL encryption and acceleration on load balancers
   - Simplifies setup and configuration
   - Removes load from application servers to a load balancer with dedicated SSL encryption hardware
2. Implement SSL on Oracle EBS Application Servers
   - Use Oracle's MOS SSL Notes
   - Be sure to disable SSLv2, SSLv3, and weak ciphers
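To check the second option on an EBS application server, here is an added example (not from the presentation or Integrigy) that lints Apache mod_ssl style SSLProtocol and SSLCipherSuite directives for the legacy protocols and weak cipher families named above. The configuration fragments are constructed, and it is an assumption that the Oracle HTTP Server SSL configuration uses this directive syntax.

```python
# Constructed Apache mod_ssl style fragments (assumption: the EBS native SSL layer,
# Oracle HTTP Server, takes SSLProtocol / SSLCipherSuite directives in this syntax).
WEAK_SSL_CONF = """
SSLProtocol all
SSLCipherSuite ALL
"""
HARDENED_SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5
"""

# Conservative assumption: "all" means every protocol including SSLv2, as in old Apache 1.3.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-list keywords a hardened list should explicitly exclude with "!".
WEAK_CIPHER_FAMILIES = {"aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5"}

def parse_directives(conf_text):
    """Map directive name -> value, ignoring blank lines and comments."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives

def enabled_protocols(ssl_protocol_value):
    """Apply mod_ssl's +name / -name / all tokens in order and return the enabled set."""
    enabled = set()
    for token in ssl_protocol_value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit_ssl_config(conf_text):
    """Return human-readable findings; an empty list means the fragment passes."""
    directives = parse_directives(conf_text)
    findings = []
    protocols = enabled_protocols(directives.get("SSLProtocol", "all"))
    for legacy in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"{legacy} is enabled")
    if not protocols & {"TLSv1.1", "TLSv1.2"}:
        findings.append("neither TLS 1.1 nor TLS 1.2 is enabled")
    excluded = {t[1:] for t in directives.get("SSLCipherSuite", "").split(":") if t.startswith("!")}
    for family in sorted(WEAK_CIPHER_FAMILIES - excluded):
        findings.append(f"cipher family {family} is not excluded")
    return findings
```

The cipher check is deliberately strict: it reports any weak family the list does not name with a leading "!", since a list such as ALL silently keeps them.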
Common Mistakes

| Mistake | Impact | Risk |
|---|---|---|
| Using Oracle EBS native SSL encryption rather than SSL termination on the reverse proxy or load balancer | EBS SSL components slow to be updated and behind in support for newer protocols and ciphers; native EBS SSL maintained by DBAs rather than network administrators resulting | Medium |
| [If EBS native SSL is used] SSL is not patched and updated to latest | Must update and patch to support latest versions of SSL/TLS (TLS 1.1 and TLS 1.2) updated in July 2016 | Medium |
| [If EBS native SSL is used] Protocols and cipher suites are not | Must disable SSLv2, SSLv3, and weak ciphers | Medium |
Integrigy AppDefend

AppDefend is an enterprise application firewall designed and optimized for the Oracle E-Business Suite.

- Prevents Web Attacks: Detects and reacts to SQL Injection, XSS, and known Oracle EBS vulnerabilities
- Limits EBS Modules: More flexibility and capabilities than the URL firewall to identify EBS modules
- Application Logging: Enhanced application logging for compliance requirements like PCI-DSS 10.2
- Protects Web Services & Mobile: Detects and reacts to attacks against native Oracle EBS web services (SOA, SOAP, REST) and Oracle EBS Mobile applications
AppDefend and Oracle EBS 12.0 & 12.1

[Diagram: Client browser -> https -> Apache on the Oracle R12 Application Server -> AppDefend (in OC4J) -> Database (APPS schema)]

Oracle R12 Application Server components:
- Java Server Pages (JSP): 8,000 JSP pages
- OA Framework (OA/RF.jsp): 11,600 pages
- Core Servlets (OC4J): 30 servlet classes
- Web Services Servlets: 70 servlet classes
- Oracle Forms: 4,000 forms

- AppDefend runs within the Oracle E-Business OC4J containers as a servlet filter and monitors all incoming requests and outgoing responses. Being in the OC4J container, AppDefend can access all session state, attributes, error messages, and the database.
Contact Information

Stephen Kost, Chief Technology Officer, Integrigy Corporation

web: www.integrigy.com
e-mail: info@integrigy.com
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy

Copyright © 2016 Integrigy Corporation
