Deploying Oracle EBS To The Internet
February 9, 2017
Products: AppDefend, Enterprise Application Firewall for the Oracle E-Business Suite (protects Oracle EBS)
Services: Security Design/Build, Security Auditing, Encryption, DMZ
Agenda
1. Overview
2. EBS DMZ Configuration & URL Firewall
3. EBS Critical Patch Updates
4. EBS SSL
5. Q&A
Oracle EBS 12.0/12.1 DMZ Configuration
Figure: Client browser -> http/https -> Apache (Core Servlets) -> OC4J [OA Framework (OA/RF.jsp): 12,200 pages; 81 servlet classes; Oracle Forms: 4,000 forms] -> SQL*Net -> Database (APPS)
All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages (20,000+) even if modules are not installed, licensed, or configured. Many security vulnerabilities exist in unused modules.
Oracle EBS 12.2 DMZ Configuration
Figure: Client browser -> http/https -> Apache (Core Servlets) -> WebLogic [OA Framework (OA/RF.jsp): 11,600 pages; 84 servlet classes; Oracle Forms: 3,300 forms] -> SQL*Net -> Database (APPS)
Oracle EBS 11i DMZ Configuration
Figure: Client browser -> http/https -> Apache (2001) [Modplsql pages: 700 packages; Jserv (2000) Servlets: 301 servlet classes; OA Framework (OA/RF.jsp): 5,800 pages; Oracle Forms: 4,400 forms] -> SQL*Net -> Database (APPS)
Oracle EBS 11i Web Components
Non-EBS Component              11i Version   Release Date   Desupport (1)
Oracle Application Server (3)  1.0.2.2.2     Dec 2001       June 2004
Notes:
1. Oracle EBS 11i web components are desupported but had support exceptions for 11i environments through January 2016. As of January 2016, all support for 11i and associated technology stack components has ended.
2. OpenSSL updated from 0.9.5a to 0.9.8zh with July 2015 Critical Patch Update for OAS 1.0.2.2.2.
3. Security vulnerabilities are patched but version is not upgraded.
Oracle EBS DMZ MOS Notes: "Oracle EBS Configuration in a DMZ"
12.2       1375670.1
12.1/12.0  380490.1
11i        287176.1
Oracle EBS R12 DMZ Configuration
Figure: Client browser -> https -> URL Firewall -> Apache (Core Servlets) -> OC4J [OA Framework (OA/RF.jsp): 12,200 pages / 250 pages with Node Trust Level; servlet classes: 84 / 3; Oracle Forms: 4,000 forms] -> Database (APPS)
Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area removes the possibility of exploiting vulnerabilities in non-external modules. (See MOS Note ID 380490.1)
Oracle EBS DMZ Certified Modules (R12)
Figure: External users (supplier) -> https://supplier.example.com -> [A] SSL, port 443 -> Reverse HTTP Proxy Server -> [B] SSL, port 8000 -> EBS External App Server -> SQL*Net, port 1521 -> EBS Database Server <- SQL*Net, port 1521 <- EBS Internal App Server; firewalls [C] sit between the layers.
A. HTTPS/SSL should always be used; otherwise passwords and data are sent in the clear.
B. A reverse proxy server should be implemented, such as Apache, Blue Coat, or F5 BIG-IP.
C. Firewalls between layers block access between layers except for explicitly defined ports.
DMZ Step Appendix E – URL Firewall
Figure (with URL Firewall): Client browser -> https -> URL Firewall -> Apache (Core Servlets) -> OC4J [OA Framework (OA/RF.jsp): 11,600 pages; servlet classes: 30 / 3; Oracle Forms: 4,000 forms] -> sqlnet -> Database (APPS)
Figure (with Node Trust Level): Client browser -> https -> Apache (Core Servlets) -> OC4J [OA Framework (OA/RF.jsp): 11,600 pages / 250 pages with Node Trust Level; 30 servlet classes; Oracle Forms: 4,000 forms] -> Database (APPS)
Step 5.2 sets the NODE_TRUST_LEVEL to EXTERNAL for the external application server.
Step 5.3 limits the responsibilities accessible via the external application server.
DMZ Configuration
Figure: Client browser -> https -> URL Firewall -> Apache (Core Servlets) -> OC4J [OA Framework (OA/RF.jsp): 11,600 pages / 250 pages with Node Trust Level; servlet classes: 30 / 3; Oracle Forms: 4,000 forms] -> Database (APPS)
Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area removes the possibility of exploiting vulnerabilities in non-external modules.
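The two reductions described in this section (the URL Firewall allowlist in front of Apache, and the Node Trust Level / responsibility trust level applied once a request is inside the application) can be modelled to see why both are needed. The following is an added example written for this page, not Integrigy's or Oracle's code. The allowlist text imitates the mod_rewrite style of an EBS url_fw.conf but is constructed, the responsibility names and their trust levels are made up, and the ordering Administrative > Normal > External (an External node serving only responsibilities marked External) is the assumption the example encodes.

```python
import re
from urllib.parse import unquote, urlsplit

# --- Layer 1: URL firewall ------------------------------------------------
# Constructed excerpt in the style of the EBS url_fw.conf mod_rewrite
# allowlist (assumption: not copied from any real environment). Rules run
# top to bottom: the first matching [L] rule admits the request, and the
# final catch-all [F] rule forbids everything not explicitly allowed.
URL_FW_CONF = r"""
# OA Framework entry points used by the externally exposed responsibilities
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
RewriteRule ^/OA_HTML/RF\.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
RewriteRule ^/OA_HTML/cabo/.*$ - [L]
RewriteRule ^/OA_MEDIA/.*$ - [L]
# deny everything else (Forms, mod_plsql, administrative servlets, ...)
RewriteRule .* - [F]
"""

RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+\S+\s+\[([A-Z]+)\]\s*$")


def parse_url_fw(conf_text):
    """Return an ordered list of (compiled pattern, action) from allowlist text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        pattern, flags = m.groups()
        action = "DENY" if "F" in flags else "ALLOW"
        rules.append((re.compile(pattern), action))
    return rules


def url_firewall(request_target, rules):
    """Decide ALLOW/DENY for a request target the way the allowlist would.

    RewriteRule matches the decoded URL path only, so the query string is
    stripped and percent-encoding removed before matching. A target that
    matches no rule at all is denied (fail closed).
    """
    path = unquote(urlsplit(request_target).path)
    for pattern, action in rules:
        if pattern.search(path):
            return action
    return "DENY"


# --- Layer 2: trust levels ------------------------------------------------
# Assumed ordering: an Administrative node exposes every responsibility, a
# Normal node exposes Normal and External ones, and an External (DMZ) node
# exposes only responsibilities explicitly marked External.
TRUST_RANK = {"ADMINISTRATIVE": 1, "NORMAL": 2, "EXTERNAL": 3}


def responsibility_visible(node_trust_level, responsibility_trust_level):
    """True if a responsibility may be served from a node of the given trust level."""
    return TRUST_RANK[responsibility_trust_level] >= TRUST_RANK[node_trust_level]


def evaluate_request(request_target, responsibility, node_trust_level,
                     rules, responsibility_trust_levels):
    """Run a request through both layers and report which layer stopped it."""
    if url_firewall(request_target, rules) == "DENY":
        return ("DENY", "url_firewall")
    # Assumption: a responsibility with no explicit trust level counts as Normal.
    resp_level = responsibility_trust_levels.get(responsibility, "NORMAL")
    if not responsibility_visible(node_trust_level, resp_level):
        return ("DENY", "responsibility_trust_level")
    return ("ALLOW", "both layers passed")


# Constructed responsibility trust levels (names and levels are made up).
RESPONSIBILITY_TRUST = {
    "iSupplier Portal Full Access": "EXTERNAL",
    "System Administrator": "ADMINISTRATIVE",
    "Payables Manager": "NORMAL",
}

RULES = parse_url_fw(URL_FW_CONF)

if __name__ == "__main__":
    samples = [
        ("/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG", "iSupplier Portal Full Access"),
        ("/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG", "System Administrator"),
        ("/forms/frmservlet", "Payables Manager"),
        ("/pls/VIS/fnd_gfm.dispatch", "iSupplier Portal Full Access"),
    ]
    for target, resp in samples:
        print(f"{target:70} {resp:30} {evaluate_request(target, resp, 'EXTERNAL', RULES, RESPONSIBILITY_TRUST)}")
```

The point the two layers make together: the URL Firewall alone still lets an allowed entry point such as OA.jsp reach any page, so the responsibility trust level is what keeps administrative responsibilities off the external node; conversely, trust levels alone do nothing for Forms or mod_plsql URLs, which only the allowlist stops. This is also why the "Common Mistakes" entry that follows matters: a node not marked external gets neither layer.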
Common Mistakes
Mistake: EBS DMZ server not marked as external server.  Impact: URL Firewall and Node Trust Level will not be enabled.  Risk: High
Oracle EBS Security Vulnerabilities
581 Oracle EBS web vulnerabilities fixed, of which ~40 are authorization/authentication issues.
Notes:
1. Extended support requires a minimum baseline patch level – see MOS Note ID 1195034.1.
2. After January 2016, CPUs are available for customers with Advanced Support Contracts.
3. 11.5.10 Sustaining support exception through January 2016 provided CPUs.
Oracle EBS Extended Support Requirements
12.2: EBS 12.2.3, R12.AD.C.DELTA.7
12.1: basically 12.1.3, Application Server 10.1.3.5
12.0: EBS 12.0.6, Application Server 10.1.2.3 & 10.1.3.5, Java 6
Source: MOS Note ID 1195034.1 - Oracle E-Business Suite Error Correction Support Policy (V.5 – January 2015)
Oracle Security Vulnerabilities per Quarter
Chart: bars for Database Bugs and E-Business Suite Bugs (left axis, 0 to 100), lines for Database CVSS 2.0 and E-Business Suite CVSS 2.0 (right axis, 0 to 10).
Oracle EBS CPU Risks and Threats
Type of User                    Number of Security Bugs   Notes
External unauthenticated user   42 (1)                    19 of 42 are high risk
Internal unauthenticated user   197                       Many are high risk
(1) Assumes URL firewall is enabled and count is for all external "i" modules (iSupplier, iStore, etc.).
SQL Injection Explained
http://<server>/pls/VIS/fnd_gfm.dispatch?p_path=fnd_help.get/US/fnd/@search');%20fnd_user_pkg.updateUser('SYSADMIN',%20'SEED',%20'welcome1
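The request above is the kind of thing an external node should never see once the URL Firewall is in place, and it is also recognisable in the web tier's access logs after the fact. The following detector is an added example for this page, not Integrigy's or Oracle's code: it parses Apache combined-format access-log lines, URL-decodes each query parameter, and flags (a) any request that reached the /pls/ mod_plsql gateway and (b) parameter values that carry the statement-break shape shown on the slide or a call into FND_USER_PKG. The log lines are constructed (addresses, timestamps and the benign requests are made up; the second line carries the request from the slide), and the pattern list is a starting point, not a complete signature set.

```python
import re
from collections import namedtuple
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access-log lines (assumption: made up
# for this example; the second line reproduces the request from the slide).
ACCESS_LOG = [
    '10.0.0.5 - - [09/Feb/2017:10:15:02 -0600] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Feb/2017:10:15:09 -0600] "GET /pls/VIS/fnd_gfm.dispatch?p_path=fnd_help.get/US/fnd/@search\');%20fnd_user_pkg.updateUser(\'SYSADMIN\',%20\'SEED\',%20\'welcome1 HTTP/1.1" 200 1320',
    '10.0.0.9 - - [09/Feb/2017:10:16:40 -0600] "GET /OA_HTML/RF.jsp?function_id=1032&searchText=O%27Brien HTTP/1.1" 200 880',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

Finding = namedtuple("Finding", "ip target reasons")

# Patterns applied to each URL-decoded parameter value. They look for the
# PL/SQL statement-break shape from the slide and for calls into the user
# administration package, not for every apostrophe (O'Brien stays quiet).
INJECTION_PATTERNS = [
    (re.compile(r"'\s*\)\s*;"), "quote-paren-semicolon: closes a string and starts a new PL/SQL statement"),
    (re.compile(r"\bfnd_user_pkg\s*\.", re.I), "call into FND_USER_PKG (user administration API)"),
    (re.compile(r"(?:--|/\*)"), "SQL comment sequence"),
]


def iter_params(query):
    """Yield (name, value) pairs, decoded ourselves so a ';' inside a value
    is kept intact (older parse_qsl versions treat ';' as a separator)."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), unquote(value)


def analyse_request(target):
    """Return a list of reasons this request target deserves attention (empty if none)."""
    reasons = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.lower().startswith("/pls/"):
        reasons.append("mod_plsql gateway (/pls/) reached the app tier; "
                       "the URL firewall should deny it on an external node")
    for name, value in iter_params(parts.query):
        for pattern, label in INJECTION_PATTERNS:
            if pattern.search(value):
                reasons.append(f"{name}: {label}")
    return reasons


def scan_access_log(lines):
    """Parse each log line and collect findings; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_request(m.group("target"))
        if reasons:
            findings.append(Finding(m.group("ip"), m.group("target"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"{f.ip} {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Two design notes: parameters are decoded before matching so that %27 and a literal apostrophe are treated alike, and the /pls/ check is deliberately independent of the payload patterns, because on a correctly configured external node any request to that gateway is a configuration finding in its own right, whatever it carried.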
Oracle EBS SSL MOS Notes: "Enabling SSL/TLS in Oracle E-Business Suite"
12.2       1367293.1 (Previous 2143101.1)
12.1/12.0  2143099.1 (Previous 376700.1)
11i        123718.1
Oracle EBS HTTP Network Traffic
POST http://oa.integrigy.com:8010/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG HTTP/1.1
_AM_TX_ID_FIELD=1wcuM2LWP
_FORM=DefaultFormNameKBTL4xsJ
usernameField=SYSADMIN
passwordField=MYPASSWORD
SubmitButton%24%24unvalidated=falseI_3t5ZET
Using SSL Encryption
Issue: SSL is not patched and updated to latest TLS.  Recommendation: [If EBS native SSL is used] must update and patch to support latest versions of SSL/TLS (TLS 1.1 and 1.2), updated in July 2016.  Risk: Medium
AppDefend
Figure: Client browser -> https -> Apache (Core Servlets) -> OC4J with AppDefend [OA Framework (OA/RF.jsp): 11,600 pages; 30 servlet classes; Oracle Forms: 4,000 forms] -> Database (APPS)
AppDefend runs within the Oracle E-Business Suite OC4J containers as a servlet filter and monitors all incoming requests and outgoing responses. Being in the OC4J container, AppDefend can access all session state, attributes, error messages, and the database.
Contact Information
Stephen Kost, Chief Technology Officer, Integrigy Corporation
web: www.integrigy.com
e-mail: info@integrigy.com
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy