Published by Lydia Johns. Modified over 6 years ago.
Oracle E-Business Suite cybersecurity risks and mitigation
Eng. Matias Mevied, Oracle Security Specialist
ONAPSIS: COMPANY HIGHLIGHTS
Onapsis: Keeping Business-Critical Applications Secure & Compliant
Market Leaders: First-movers focused on Fortune and Federal organizations; over 200 customers
Thought Leaders: Dedicated in-house Research Labs; discovered over 500 vulnerabilities and attack vectors
Patented Technology: Awarded patent covering underlying critical algorithms and capabilities
Experienced Management: Successful executives from IBM, RSA, EMC, Sophos, Amazon.com
Backed by Leading Investors: .406 Ventures, Schlumberger, Evolution, Arsenal, Endeavor
Board of Directors & Advisors: CISO Target, CISO Schlumberger, former AVG CEO, CTO Veracode
Sustained Hyper-Growth: 4th consecutive year of 100%+ YoY ARR & Bookings growth
Program Agenda
Basic security configurations
Risk and mitigation examples
Advanced Security Configurations
Importance of implementing Critical Patch Updates
What does Onapsis do for EBS?
Basic security configurations
Basic Security configurations
There are different security features in Oracle E-Business Suite that an administrator has to be aware of:
Password Policy
Hashed Passwords
Default passwords for application and database stacks (SYS.DBA_USERS_WITH_DEFPWD)
Unsuccessful logins (FND_UNSUCCESSFUL_LOGINS)
SHA-1 / SHA-2
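The two views named on this slide are the raw material for two routine checks: which database accounts still carry a vendor default password, and which application users are being hammered with failed logins. The script below is an added example (not code from the presentation or from Onapsis) that runs those checks offline over constructed sample rows; the column names USERNAME, USER_NAME and ATTEMPT_TIME are assumptions about the view shapes, and the "known locked" exception list is a hypothetical convenience, not an Oracle feature.

```python
"""Offline checks modelled on SYS.DBA_USERS_WITH_DEFPWD and FND_UNSUCCESSFUL_LOGINS.

Added example, not code from the presentation or from Onapsis. The rows below are
constructed sample data; the column names (USERNAME, USER_NAME, ATTEMPT_TIME) are
assumptions about the view shapes, not copied from Oracle's definitions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for: SELECT USERNAME FROM SYS.DBA_USERS_WITH_DEFPWD
DEFPWD_ROWS = ["APPLSYSPUB", "SCOTT", "OUTLN"]

# Constructed stand-in for: SELECT USER_NAME, ATTEMPT_TIME FROM FND_UNSUCCESSFUL_LOGINS
FAILED_LOGIN_ROWS = [
    ("SYSADMIN", "2018-07-20 09:00:01"),
    ("SYSADMIN", "2018-07-20 09:00:20"),
    ("SYSADMIN", "2018-07-20 09:00:45"),
    ("SYSADMIN", "2018-07-20 09:01:10"),
    ("SYSADMIN", "2018-07-20 09:01:30"),
    ("SYSADMIN", "2018-07-20 09:02:05"),
    ("JSMITH", "2018-07-20 08:15:00"),
    ("JSMITH", "2018-07-20 11:40:00"),
    ("JSMITH", "2018-07-20 16:02:00"),
    ("MJONES", "2018-07-20 10:00:00"),
    ("MJONES", "2018-07-20 10:30:00"),
    ("MJONES", "2018-07-20 11:00:00"),
    ("MJONES", "2018-07-20 11:30:00"),
    ("MJONES", "2018-07-20 12:00:00"),
]


def accounts_with_default_password(rows, known_locked=frozenset()):
    """Accounts still on a vendor default password, in a stable order.

    `known_locked` (hypothetical helper input) drops accounts already verified
    as LOCKED, so the report lists only what still needs action.
    """
    return sorted(user for user in rows if user not in known_locked)


def brute_force_candidates(rows, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any `window`.

    A sliding window over each user's sorted attempt times: five failures spread
    across a working day do not alert, five inside two minutes do.
    Returns {user_name: peak number of failures seen in one window}.
    """
    by_user = defaultdict(list)
    for user, stamp in rows:
        by_user[user].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))

    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Move the window start forward until it is within `window` of times[end].
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


if __name__ == "__main__":
    print("default passwords:", accounts_with_default_password(DEFPWD_ROWS))
    print("brute-force candidates:", brute_force_candidates(FAILED_LOGIN_ROWS))
```

In production the two constructed lists would be replaced by the result sets of the queries named in the comments; the window-based rule is what keeps the second check useful, since FND_UNSUCCESSFUL_LOGINS also records ordinary typos.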
Risk and mitigation examples
RISKS – Common vulnerabilities
There are different types of vulnerabilities which an attacker could use to attack E-Business Suite. For example:
Cross Site Scripting
Path Traversal
HTTP vs HTTPS
SQL Injection
Report download without authentication
CROSS SITE SCRIPTING DEMO
Cross Site Scripting Mitigation
There are different ways to mitigate Cross Site Scripting attacks in Oracle E-Business Suite:
Oracle fixed this vulnerability in the April 2017 CPU. The solution was adding a new sanitization class called SecurityCrossScript to process the parameters. Our recommendation is always to apply the latest Critical Patch Update.
Configure the FND_RESTRICT_INPUT profile option, which helps sanitize the input.
Implement the Allowed JSP whitelist to reduce the attack surface.
CVE reference: CVE
CPU Reference: html
Doc ID: Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2017)
RISKS – PATH traversal
PATH traversal Mitigation
Oracle fixed this vulnerability in the July 2016 CPU by changing the regex that restricts access to operating-system files. Our recommendation is always to apply the latest Critical Patch Update. The fix uses a regex to check that the URL sent by the browser contains only one slash (/) per page.
CPU Reference: My Oracle Support - Doc ID: Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2016)
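The rule the slide attributes to the fix, one slash per page, is simple enough to state as a pattern and test against a batch of request paths. The validator below is an added example written for this page; it is not Oracle's regex and not Onapsis code. It assumes pages live directly under /OA_HTML/ (the directory name is an assumption for the example), decodes percent-encoding before matching so an encoded "../" is judged the same as a plain one, and then normalises the path as a second, independent check.

```python
"""Path validation in the spirit of the July 2016 fix described on the slide.

Added example, not Oracle's actual regex or code. It assumes pages are served
under /OA_HTML/ (an assumption for the example) and encodes the rule the slide
states: exactly one slash per page, so neither sub-directories nor ".."
segments can reach operating-system files.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

PAGE_PREFIX = "/OA_HTML/"   # assumed base path of the web tier

# One file-name segment directly under the prefix and nothing else. The only
# permitted "." is the one before the extension, so ".." can never match, and
# no further "/" is allowed after the prefix.
SINGLE_SEGMENT = re.compile(r"/OA_HTML/[A-Za-z0-9_\-]+\.(?:jsp|html?)")


def is_allowed_page_path(raw_path: str) -> bool:
    """True only if raw_path names one page directly under PAGE_PREFIX."""
    # Drop the query string, then percent-decode so "%2e%2e%2f" is judged as "../".
    path = unquote(raw_path.split("?", 1)[0])
    if SINGLE_SEGMENT.fullmatch(path) is None:
        return False
    # Defence in depth: after normalisation the path must still sit under the prefix.
    return normpath(path).startswith(PAGE_PREFIX)


def filter_requests(paths):
    """Partition a batch of request paths into (accepted, rejected) lists."""
    accepted = [p for p in paths if is_allowed_page_path(p)]
    rejected = [p for p in paths if not is_allowed_page_path(p)]
    return accepted, rejected


# Constructed sample requests: well-formed page requests next to malformed ones.
SAMPLE_PATHS = [
    "/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE",
    "/OA_HTML/AppsLogin.jsp",
    "/OA_HTML/help/index.jsp",            # second slash: not a single page
    "/OA_HTML/../../etc/passwd",          # parent-directory reference
    "/OA_HTML/..%2f..%2fetc%2fpasswd",    # the same, percent-encoded
    "/OA_HTML/OA.jsp/",                   # trailing slash
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_PATHS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The decode-then-match order matters: matching the raw string first would let an encoded separator slip through the textual check and be decoded later by the server. Keeping the allowed character set small also means any unexpected byte, encoded or not, fails closed rather than needing its own deny rule.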
RISKS - HTTP
HTTP configuration is vulnerable to Man In The Middle attacks. The purpose of this attack is to sniff all the traffic from the browser to the server.
[Diagram: Attacker, Victim]
HTTP DEMO
HTTPS
The following graph shows the different types of traffic which can be encrypted with HTTPS in Oracle E-Business Suite.
Reference: My Oracle Support - Doc ID: Enabling TLS in Oracle E-Business Suite Release 12.1.
Doc ID: Enabling TLS in Oracle E-Business Suite Release 12.2.
RISKS – SQL Injection
The following is the information which an attacker could see with this URL execution:
RISKS – SQL Injection
This is another example of how an attacker could execute the SQL injection:
SQL Injection - Mitigation
Oracle fixed this vulnerability in the July 2016 CPU. The fix requires authentication before a user downloads a file and verifies that the user has permission to do so.
CVE reference: CVE-2016-3542
CPU Reference: My Oracle Support - Doc ID: Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2016)
RISKS – Report download
The following shows how an attacker could download all the files from FND_LOBS with this URL execution:
SQL Injection - Mitigation
Oracle fixed this vulnerability in the July 2017 CPU for WebLogic. The fix requires authentication before a user downloads a file and verifies that the user has permission to do so.
CVE reference: CVE
CPU Reference: My Oracle Support - Doc ID: Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2017)
Advanced Security Configurations
Advanced Configurations and new features for 12.2
Attack Surface - JSP Access
This feature is a whitelist of the JSP resources that are allowed to be called on your system.
Advanced Configurations and new features for 12.2
Attack Surface - Cookies Domain Scoping
This feature checks how the cookie scope is configured.
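Both 12.2 features on these two slides (and the Allowed JSP whitelist recommended on the XSS mitigation slide) come down to decisions a reviewer can reproduce: is this JSP on the list, and is the session cookie scoped to the host or to a whole parent domain? The script below is an added example for this page, not Oracle's implementation of either feature and not Onapsis code. The allowlist text uses a constructed one-name-per-line format rather than Oracle's own file format, /OA_HTML/ is an assumed prefix, and the cookie name, host and value are made up.

```python
"""Allowed-JSP list and cookie domain scoping checks for the two 12.2 features.

Added example, not Oracle's implementation of either feature and not Onapsis code.
The allowlist text is a constructed one-name-per-line format (Oracle's own file
format is not reproduced here); cookie names, hosts and values are made up.
"""

ALLOWLIST_TEXT = """
# constructed sample: JSPs this instance actually needs to serve
OA.jsp
AppsLogin.jsp
AppsLocalLogin.jsp
"""


def load_allowlist(text: str) -> frozenset:
    """Parse one JSP name per line, ignoring blank lines and # comments."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return frozenset(names)


def is_jsp_allowed(request_path: str, allowlist: frozenset, prefix: str = "/OA_HTML/") -> bool:
    """Allow a request only for a JSP named in the allowlist, directly under prefix."""
    path = request_path.split("?", 1)[0]
    if not path.startswith(prefix):
        return False
    name = path[len(prefix):]
    # A sub-directory or parent reference is never a listed page name.
    if "/" in name or name.startswith("."):
        return False
    return name in allowlist


def cookie_scope_findings(set_cookie: str, host: str) -> list:
    """Findings for one Set-Cookie header as seen by a client connecting to `host`.

    Flags a Domain attribute that is not limited to the host (a parent-domain
    cookie is also sent to every sibling host under that domain) and the missing
    Secure / HttpOnly flags.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    host = host.lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host:
        findings.append(f"{name}: Domain={domain} is not limited to host {host}")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_TEXT)
    for p in ["/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE", "/OA_HTML/SomeOldPage.jsp"]:
        print(p, "->", "allowed" if is_jsp_allowed(p, allow) else "blocked")
    # Constructed header: session cookie scoped to the parent domain, no Secure flag.
    print(cookie_scope_findings("EBSSID=abc123; Domain=.example.com; Path=/; HttpOnly",
                                "ebs.example.com"))
```

Omitting the Domain attribute altogether is the host-only case and produces no scoping finding; the Secure check is the cookie-side half of the HTTPS point made earlier in the deck, since a session cookie without it will also travel over plain HTTP.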
Importance of implementing Critical Patch Updates
Stay current with patching
Oracle releases the Critical Patch Update report every quarter with all the vulnerabilities and patches. In the Oracle E-Business Suite product the patches are incremental. The patches are divided into two sets, one for 12.1 releases and the other for 12.2 releases.
Stay updated with patching
Onapsis helps with more than 200 vulnerabilities reported in Oracle E-Business Suite.
Stay current with patching
Is it enough just to apply EBS and Database CPUs? NO! Based on the latest CPUs (July 2018) for 12.2, it is necessary to review more …
Oracle Database or Oracle WebLogic Server
Oracle Java (including Java SE (JRE) Plug-in)
Oracle Access Manager
What does Onapsis do for EBS?
OSP DEMO
Thanks!!! Questions?