Channel: Oracle Database

PeopleSoft Database Secure Baseline Configuration

PeopleSoft, like other major ERP applications, depends on a database to store its data but does little to secure that database. Securing the supporting database is the customer's responsibility.

To give a few examples of what we mean by database security, here are several of the 200+ database security checks that Integrigy performs during our PeopleSoft security configuration assessments. Take a look at your own database today for these quick checks:

  • Limit direct database access whenever possible. This is always our number one recommendation: how isolated is your database?
  • Database CPU patching: have you applied the latest database Critical Patch Update (CPU) security patches?
  • Logging and auditing: is database auditing enabled? How much is audited? What monitoring tools and processes review the audit trail?
  • Database passwords, especially for key accounts such as the Connect Id, Access Id, IB and PS accounts: are any set to weak or default passwords? Are password profiles in use?
  • Permissions and authorizations: when were they last reviewed? How many users hold the SELECT ANY TABLE privilege?
  • Default tablespace: named users should never have SYSTEM or PSDEFAULT as their default tablespace. Those are reserved for the Oracle RDBMS and the PeopleSoft application respectively.
  • Do not use SYSADM for day-to-day support; use named accounts instead. Are you?
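
The SQL below, added here as an example and not part of the original post, turns four of the checks above into queries a DBA can run against a PeopleSoft database. The account names SYSADM (Access Id) and PEOPLE (Connect Id) are the common PeopleSoft defaults and are assumptions; substitute your own names. DBA_USERS_WITH_DEFPWD requires Oracle 11g or later, and the recursive role walk requires 11gR2 or later.

```sql
-- Added example (not from the original post): quick checks for several of
-- the PeopleSoft baseline items above. Run as a DBA-privileged user.
-- SYSADM (Access Id) and PEOPLE (Connect Id) are assumed default names.

-- 1. Key accounts still set to an Oracle default password (11g+)
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE d.username IN ('SYSADM', 'PEOPLE', 'PS', 'SYS', 'SYSTEM', 'DBSNMP')
 ORDER BY d.username;

-- 2. Named users whose default tablespace is SYSTEM or PSDEFAULT.
--    Only the Oracle-maintained accounts and the PeopleSoft owner belong here.
SELECT username, default_tablespace, account_status
  FROM dba_users
 WHERE default_tablespace IN ('SYSTEM', 'PSDEFAULT')
   AND username NOT IN ('SYS', 'SYSTEM', 'SYSADM')
 ORDER BY username;

-- 3. Every user holding SELECT ANY TABLE, directly or through a role chain.
--    The recursive subquery (11gR2+) walks nested role-to-role grants, so a
--    privilege hidden two roles deep still shows up against the end user.
WITH role_tree (grantee, granted_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT t.grantee, p.granted_role
    FROM role_tree t
    JOIN dba_role_privs p ON p.grantee = t.granted_role
)
SELECT u.username, 'DIRECT' AS via
  FROM dba_sys_privs s
  JOIN dba_users u ON u.username = s.grantee
 WHERE s.privilege = 'SELECT ANY TABLE'
UNION
SELECT u.username, 'ROLE ' || s.grantee
  FROM role_tree t
  JOIN dba_sys_privs s ON s.grantee = t.granted_role
  JOIN dba_users u ON u.username = t.grantee
 WHERE s.privilege = 'SELECT ANY TABLE'
 ORDER BY 1, 2;

-- 4. Password controls on the profiles assigned to the key accounts.
--    UNLIMITED for FAILED_LOGIN_ATTEMPTS or PASSWORD_LIFE_TIME, or the
--    absence of a PASSWORD_VERIFY_FUNCTION, means the profile enforces nothing.
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
   AND p.profile IN (SELECT profile FROM dba_users
                      WHERE username IN ('SYSADM', 'PEOPLE', 'PS'))
 ORDER BY p.profile, p.resource_name;
```

Query 3 is the one to keep: application accounts and named DBA users that reach SELECT ANY TABLE only through a role are the usual surprise, because a review that looks at direct grants alone misses them.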

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle Database, Oracle PeopleSoft, Auditor

Oracle Database TNS Poisoning Attacks (CVE-2012-1675)

In 2012, details of a vulnerability in the Oracle Database listener were published that allow an attacker to register with the database listener and then intercept and modify TNS network traffic between clients and the database server. This “TNS Poison” attack allows an unauthenticated attacker with only network connectivity to the listener to compromise most database accounts.

Oracle announced the remediation in its April 2012 Security Alert for CVE-2012-1675, but the fix is not applied by the Critical Patch Update security patches. Instead, manual configuration changes to the database listener are required on releases prior to 12c. Even though this vulnerability is four years old, Integrigy routinely identifies vulnerable Oracle databases during our security assessments, hence the purpose of this webinar.

This educational webinar demonstrates a TNS poison attack and how an Oracle database can be compromised without any database authentication. Required remediation steps for each database version are discussed, as well as methods for checking whether a database is protected or has already been compromised.
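
As an added example (not from the original post or the webinar), here is a listener.ora fragment showing the registration controls that close the TNS Poison hole. The listener name LISTENER is an assumption; the parameter suffix must match each listener's real name. Which parameters exist on a given release depends on the patch level described in Oracle's Security Alert for CVE-2012-1675 and the Class of Secure Transport (COST) notes (MOS 1453883.1), so verify availability for your version before relying on them.

```text
# Added example: listener.ora registration controls against TNS Poison.
# The listener name LISTENER is an assumption; use each listener's real name.

# Weak (default) state on 11.2.0.3 and earlier: no parameter restricts who
# may register an instance or service with the listener, so any host that can
# reach the listener port can register itself and be handed client connections.
#
# 11.2.0.4 and 12c: accept dynamic registration from the local host only.
# (ON is the documented 12c default; set it explicitly so it survives copies
# of the configuration to older homes.)
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON

# 11.2.0.3 and earlier with COST support: allow registration over the IPC
# transport only, so nothing arriving over TCP can register.
SECURE_REGISTER_LISTENER = (IPC)

# Single-instance databases served entirely by a static SID_LIST can turn
# dynamic registration off altogether:
# DYNAMIC_REGISTRATION_LISTENER = OFF
```

After reloading the listener (lsnrctl reload), run lsnrctl services: every handler should show LOCAL SERVER or an address on the database host itself. A handler whose address is another host is the signature of a poisoned listener. On RAC, where the SCAN listeners must accept registration from the other nodes, the IPC-only setting breaks registration; use the TCPS-based COST configuration from the MOS note instead.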

Vulnerability, Oracle Database, Webinar

Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

The list of Oracle Database versions supported for Critical Patch Updates (CPU) keeps getting shorter.  Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported.  To apply CPU security patches to any other Oracle Database version, the database must first be upgraded to 12.1.0.2 or 11.2.0.4.  As these are terminal database releases, the final CPU patch for 12.1.0.2 is scheduled for July 2021 and for 11.2.0.4 for October 2020.  For those who have not yet applied 12c CPU patches, note that only Patch Set Updates (PSU), which include both the security fixes and a large number of high-priority non-security fixes, are available: Security Patch Updates (SPU), which include only the security fixes, are not available for 12c.

The October 2016 CPU fixes 12 security bugs in 7 database components.  Only the APEX (Application Express) security bug is remotely exploitable without authentication.  As with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.

This CPU should be considered HIGH risk due to the 5 security bugs that require only the CREATE SESSION privilege to exploit.  These bugs can be exploited by any database user and can be used to compromise the entire database.
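
Before deciding how exposed a database is to this CPU, check what security patching it has actually recorded. The queries below are an added example, not from the original post; they use only the standard SYS views and assume no specific patch numbers.

```sql
-- Added example (not from the original post): inventory the security patches
-- recorded inside this database. Run as a DBA-privileged user.

-- Confirm the release: only 12.1.0.2 and 11.2.0.4 receive the October 2016 CPU
SELECT instance_name, version FROM v$instance;

-- 12c: the SQL half of each PSU/bundle, recorded by datapatch. Every quarter
-- you believe is applied should appear with STATUS = 'SUCCESS'; a missing
-- quarter means OPatch was run but datapatch never was, so the database
-- is not at the level the binary inventory suggests.
SELECT patch_id,
       action,
       status,
       TO_CHAR(action_time, 'YYYY-MM-DD') AS applied_on,
       description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 11.2.0.4: SPU/PSU catbundle.sql runs are recorded here instead
SELECT TO_CHAR(action_time, 'YYYY-MM-DD') AS applied_on,
       action, version, id, bundle_series, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- APEX is patched separately from the database CPU; the October 2016 fix
-- takes APEX to 5.0.4.00.12, so anything lower is still exposed to the
-- unauthenticated remote bug.
SELECT comp_id, version, status
  FROM dba_registry
 WHERE comp_id = 'APEX';
```

These views only record the SQL portion of a patch. Pair them with opatch lsinventory from the ORACLE_HOME to confirm the binaries were patched too; a mismatch between the two is one of the "misapplied CPU" patterns we see most often.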

Oracle Database, Oracle Critical Patch Updates

Real-life Database Security Mistakes

IOUG COLLABORATE 2011 - You did everything by the book: you followed the database security checklists and implemented security best practices, but one day you find significant security issues in one of your databases. How did this happen? After auditing hundreds of databases, I have compiled a list of common database security mistakes and the potential causes of each. Common database security mistakes can affect every aspect of the Oracle Database and include reappearing default passwords, misapplied Critical Patch Update security patches, and wayward privileges and grants. Based on audits of hundreds of databases, learn the facts and statistics behind which security vulnerabilities most likely exist, such as which database accounts most often have default passwords.
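
Two of the "wayward privileges and grants" patterns named above can be checked with the queries below. They are an added example, not part of the original abstract; the package list is a typical subset of the SYS packages that reach the file system, network or OS and is an assumption, not a complete list.

```sql
-- Added example (not from the original abstract): two grant patterns that
-- keep reappearing in audited databases. Run as a DBA-privileged user.

-- 1. PUBLIC execute on SYS packages that touch the file system, network or
--    JVM. Oracle grants several of these to PUBLIC by default, and upgrades
--    or re-installs can silently grant them back after a hardening pass.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_JAVA', 'DBMS_SCHEDULER',
                      'DBMS_LOB', 'DBMS_XMLGEN', 'DBMS_ADVISOR')
 ORDER BY table_name;

-- 2. Accounts that can re-grant powerful privileges (WITH ADMIN OPTION) or
--    hold the DBA role outright. Anything other than SYS and SYSTEM here
--    needs a documented owner and a reason; the rest is privilege creep.
SELECT grantee, granted_role AS privilege, 'ROLE' AS kind, admin_option
  FROM dba_role_privs
 WHERE (granted_role = 'DBA' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, privilege, 'SYSPRIV', admin_option
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, kind, privilege;
```

Run both after every upgrade, patch set or application re-install, not just at audit time: the grants these queries find are exactly the ones that come back without anyone issuing a GRANT.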

Oracle Database, DBA, Conference, Oracle Critical Patch Updates

Upcoming Webinar: Oracle Critical Patch Update April 2011 - Oracle Database Impact

Oracle April 2011 CPU - Oracle Database Impact
Thursday, May 5, 2:00pm - 3:00pm EDT

Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the April 2011 CPU and the impact on the Oracle Database. The topics will include:

  • A review of the security vulnerabilities fixed in this CPU,
  • An analysis of the required CPU patches,
  • A discussion of patching including CPUs vs. PSUs.

Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.

Click here to register for the Oracle Database webinar.

Webinar, Oracle Database, Oracle Critical Patch Updates

Credit Cards and Oracle: How to Comply with PCI-DSS

IOUG COLLABORATE 2011 - Credit card data breaches are headline news, so organizations must properly protect credit card data or risk being tomorrow's headline. If an Oracle Database stores, processes, or transmits credit card numbers, it must comply with all the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), regardless of size or transaction volume. This presentation will provide an overview of the PCI requirements and discuss how each requirement impacts the Oracle Database. Best practices and guidance for securing credit card data and complying with PCI will be discussed, especially the most difficult requirements to address: encryption, security patches, and auditing.

Encryption, Sensitive Data, PCI, Oracle Database, Conference

Oracle Critical Patch Update July 2011 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming July 2011 Oracle Critical Patch Update (CPU) -

  • Overall, 55 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an above-average number but well within the range of previous CPUs (Apr-11=47, Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).  These numbers have been normalized for Oracle products and exclude any Sun products.
  • The Oracle product and vulnerability mix appears to be similar to previous CPUs, with the only exception being a large number of Oracle Grid Control vulnerabilities fixed this quarter.  All CPU supported Oracle Database and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 for major platforms
        • Application Server = 10.1.2.3.0, 10.1.3.5.0, 11.1.1.3.0, 11.1.1.4.0, and 11.1.1.5.0
        • E-Business Suite = 11.5.10.2, 12.04, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
  • As anticipated by Integrigy, this is the first CPU available for Oracle Database 11.2.0.2.
  • For Oracle E-Business Suite, as of July 2011 there is no CPU support for versions prior to 11.5.10.2 or for 12.0.0 through 12.0.5.  We are not sure whether it is a mistake in the CPU advisory, but 12.0.4 is listed as a supported version.  11.5.10.2 requires the "Minimum Baseline for Extended Support" as specified in Metalink Note ID 883202.1.
  • Based on the pre-release announcement, few determinations can be made as to the actual severity and impact on most organizations because of the varied components being patched this quarter.  For the database, the highest CVSSv2 score is a 7.2 and 2 vulnerabilities are remotely exploitable without authentication.  However, since 18 components are listed as being patched for the 13 vulnerabilities, it is hard to determine the impact without more details regarding individual vulnerabilities.  We anticipate the highest scoring vulnerabilities will be the client-side and Database Vault vulnerabilities.
  • Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2011 CPU E-Business Suite Impact Webinar Thursday, July 28, 2pm ET and (2) Oracle July 2011 CPU Oracle Database Impact Webinar Tuesday, August 2, 2pm ET.


Oracle Database

  • There are 13 database vulnerabilities; 2 are remotely exploitable without authentication and 2 are applicable to client-side only installations.
  • Since at least one database vulnerability has a CVSS 2.0 metric of 7.1 (important to high for a database vulnerability), this is a fairly important CPU.
  • The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments.  It will be interesting to see what the actual vulnerabilities are in these components: CMDB Metadata & Instance APIs, Content Management, Core RDBMS, Database Target Type Menus, Database Vault, EMCTL, Enterprise Config Management, Enterprise Manager Console, Event Management, Instance Management, Oracle Universal Installer, Schema Management, Security Framework, Security Management, SQL Performance Advisories/UIs, Streams, AQ & Replication Mgmt, and XML Developer Kit.
  • In addition, there are 18 vulnerabilities in Oracle Enterprise Manager and 3 in Oracle Secure Backup.

Oracle Fusion Middleware

  • There are 7 new Oracle Fusion Middleware vulnerabilities, 2 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
  • All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.


Oracle E-Business Suite 11i and R12

  • There is only one new Oracle E-Business Suite 11i and R12 vulnerability, which is remotely exploitable without authentication.  Most likely the Business Intelligence vulnerability cannot be exploited externally in DMZ implementations.


Planning Impact

  • We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs.  Based on the patched components, this may be a lower than average risk CPU for specific databases based on configuration and installed options.  It appears most of the vulnerabilities are related to Enterprise Manager components.
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • For Oracle E-Business Suite customers, the Business Intelligence patch will most likely have to be applied to all implementations, even if the Business Intelligence module is not installed, configured, or licensed.


Upcoming Integrigy CPU Webinars

Oracle July 2011 CPU E-Business Suite Impact
Thursday, July 28, 2pm ET

Oracle July 2011 CPU Oracle Database Impact
Tuesday, August 2, 2pm ET

Oracle Critical Patch Updates, Oracle E-Business Suite, Oracle Database

Upcoming Webinars: Oracle Critical Patch Update July 2011

Integrigy's CTO, Stephen Kost, will be presenting a series of webinars on Oracle's Critical Patch Update for July 2011.

Oracle July 2011 CPU - Oracle E-Business Suite Impact
Thursday, July 28, 2:00pm - 3:00pm EDT

This quarterly eLearning session will focus on the July 2011 CPU and the impact on E-Business Suite environments.

Topics will include:

  • a review of the security vulnerabilities fixed in the CPU,
  • an analysis of the required CPU patches,
  • a discussion of a high-level patch strategy.


Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.

Click here to register for the Oracle E-Business Suite webinar.


Oracle July 2011 CPU - Oracle Database Impact
Tuesday, August 2, 2:00pm - 3:00pm EDT

Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2011 CPU and the impact on the Oracle Database. The topics will include:

  • A review of the security vulnerabilities fixed in this CPU,
  • An analysis of the required CPU patches,
  • A discussion of patching including CPUs vs. PSUs.


Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.

Click here to register for the Oracle Database webinar.

Oracle Critical Patch Updates, Oracle E-Business Suite, Oracle Database

Oracle Critical Patch Update - July 2011 - Database Impact

Upcoming Webinar: Oracle Critical Patch Update October 2011 Database Impact

Oracle October 2011 CPU - Oracle Database Impact
Thursday, November 3, 2:00pm - 3:00pm EDT

Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2011 CPU and the impact on the Oracle Database. The topics will include:

  • A review of the security vulnerabilities fixed in this CPU,
  • An analysis of the required CPU patches,
  • A discussion of patching including CPUs vs. PSUs.


Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.

Click here to register for the Oracle Database webinar.

Oracle Critical Patch Updates, Oracle Database

Oracle Critical Patch Update - October 2011 - Database Impact

Critical Oracle Database Bug - System Change Number (SCN) (CVE-2012-0082)

InfoWorld magazine today published detailed information regarding Oracle Database security bug CVE-2012-0082, which has associated fixes in Oracle's January 2012 Critical Patch Update.  This vulnerability relates to the Oracle System Change Number (SCN) and ways to push the SCN up to its current ceiling (the SCN headroom, or Maximum Reasonable SCN) in order to stop the processing of database transactions.

Where this vulnerability gets interesting is that when two databases are connected via a database link, both are synchronized to the higher of the two SCNs.  It is therefore possible to raise a database to near its maximum SCN through a database link, and the increase cascades to every other interconnected database.  The result can be ORA-600 errors and potentially crashes on the databases that had the lower SCN.

This vulnerability appears to have been discovered as the result of a bug in RMAN, which can cause the SCN to reach the current maximum SCN value, and a change in the way the Maximum Reasonable SCN is calculated in 11.2.0.2.  The 11.2.0.2 change appears to have impacted or crashed at least a hundred databases at a very large Oracle customer.
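
The one number that matters here is how far a database's current SCN sits below its ceiling, and which database links could drag it upward. The query below is an added example, not from the original post. It computes the ceiling from the rate Oracle documents for the Maximum Reasonable SCN (16,384 SCNs per second elapsed since 1 January 1988, as described in the MOS note cited at the end of this post); treat that constant as an assumption and confirm it against the note for your release, since 11.2.0.2 briefly changed the calculation.

```sql
-- Added example (not from the original post): SCN headroom for this database.
-- ASSUMPTION: maximum reasonable SCN = 16384 per second since 1988-01-01,
-- the rate documented in MOS note 1376995.1. Verify for your patch level.
SELECT current_scn,
       max_reasonable_scn,
       max_reasonable_scn - current_scn                          AS headroom_scn,
       -- days' worth of SCNs, at the maximum rate, between now and the ceiling
       ROUND((max_reasonable_scn - current_scn) / (16384 * 86400), 1) AS headroom_days
  FROM (SELECT d.current_scn,
               ROUND((SYSDATE - TO_DATE('1988-01-01', 'YYYY-MM-DD'))
                     * 86400 * 16384)                            AS max_reasonable_scn
          FROM v$database d);

-- Database links are the propagation path described above: any partner
-- sitting near its ceiling pulls this database up to match on the next use
-- of the link, so each of these is an input to this database's headroom.
SELECT owner, db_link, host, username
  FROM dba_db_links
 ORDER BY owner, db_link;
```

A healthy database normally reports headroom measured in years. A value of a few days means the database, or one it is linked to, is consuming SCNs faster than the ceiling advances and is close to the ORA-600 condition the post describes; run the same query on every linked database, since the lowest headroom in the group is the one that counts.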

As this vulnerability will get significant press, we foresee an "arms race" ensuing with release of different methods to maliciously increment the current SCN and techniques to perform database denial of services attacks related to the SCN.

Integrigy will be publishing in the near future our analysis of the impact of this vulnerability along with recommendations on mitigating the risk in your organization.

Oracle has published more information regarding SCNs and potential impact in a My Oracle Support (MOS) note (requires My Oracle Support access) -

Information on the System Change Number (SCN) and how it is used in the Oracle Database [ID 1376995.1]

Oracle Critical Patch Updates, System Change Number, Oracle Database

Upcoming Webinar: Oracle Database Security Vulnerabilities Explained

Security Boot Camp: Oracle Database Security Vulnerabilities Explained
Tuesday, May 22, 2:00pm - 3:00pm EDT

For those of you that missed this session at the recent Collaborate12, please read on.  Do you truly know why you should be regularly applying Oracle Critical Patch Updates? This session will provide an in-depth look and demonstration of different types of security vulnerabilities fixed by Oracle’s quarterly Critical Patch Updates (CPU). Using information and exploit code that is published and readily available on the Internet, actual security bugs fixed in CPUs will be demonstrated to show how easily they may be used to compromise a database. The purpose of this session is to help you better appreciate the importance of keeping up to date with the Oracle Critical Patch Updates.

Click here to register for this Oracle Database Security webinar.
Webinar, Oracle Database

Upcoming Webinar: Securing 1,000 Oracle Databases

Upcoming Webinar: Securing 1,000 Oracle Databases - Challenges and Solutions

Thursday, July 26, 2:00pm - 3:00pm EDT

For those of you that missed this session at the recent Collaborate12 conference, please read on.

Oracle Database security checklists and standards are focused on one database, not 1,000 databases. The significant challenge comes when you have 100, 500, 1,000, or even 10,000 Oracle Databases in your organization to protect. Protecting and securely maintaining a thousand Oracle Databases requires an enterprise database security framework and database security program. This session will describe how to implement a database security program with all the components necessary to protect the databases in a large enterprise, including configuration management, enterprise database user security, periodic access reviews and controls, routine security patching, and an enterprise database auditing strategy.

Click here to register for this Oracle Database Security webinar.

Webinar, Oracle Database

Oracle Database Security Quick Reference

A quick reference guide for securing the Oracle Database.  The guide includes information on (1) standard Oracle Database accounts and default passwords, (2) password controls and profile settings, (3) Critical Patch Updates (CPUs) and Patch Set Updates (PSUs), (4) important security related SYS views and tables, (5) recommended Oracle Database file permissions, (6) security related initialization parameters, (7) useful SQL security statements, (8) important system and object privileges, and (9) auditing configuration.

Reference, Oracle Database, Auditor, DBA

Securing 1,000 Oracle Databases - Challenges and Solutions

Oracle Database security checklists and standards are focused on one database, not 1,000 databases. The significant challenge comes when you have 100, 500, 1,000, or even 10,000 Oracle Databases in your organization to protect. Protecting and securely maintaining a thousand Oracle Databases requires an enterprise database security framework and database security program. This session will describe how to implement a database security program with all the components necessary to protect the databases in a large enterprise, including configuration management, enterprise database user security, periodic access reviews and controls, routine security patching, and an enterprise database auditing strategy.

Oracle Database, DBA, Webinar, Security Strategy and Standards

Security Boot Camp - Oracle Security Vulnerabilities Explained

For those of you that missed this session at the recent Collaborate12 conference, please read on. Do you truly know why you should be regularly applying Oracle Critical Patch Updates? This session will provide an in-depth look and demonstration of different types of security vulnerabilities fixed by Oracle’s quarterly Critical Patch Updates (CPU). Using information and exploit code that is published and readily available on the Internet, actual security bugs fixed in CPUs will be demonstrated to show how easily they may be used to compromise a database. The purpose of this session is to help you better appreciate the importance of keeping up to date with the Oracle Critical Patch Updates.

Oracle Database, DBA, Webinar, SQL Injection, Buffer Overflow, System Change Number

IT Security Briefing: Oracle Database Security Risks

Most IT Security personnel are familiar with the security requirements of networks and operating systems. But many in IT Security are not aware of the security risks inherent in their company’s Oracle production databases. Issues concerning the protection of sensitive data, restricting excessive user access privileges, and implementing database activity monitoring are not given serious consideration. This one hour webinar will highlight the security risks and safeguards that should be found in every production database.

Oracle Database, IT Security, Webinar

Integrigy COLLABORATE 17 Sessions - OAUG, IOUG, and Quest

Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/).   The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group.

Please see the attached summary. If you have any questions or would like to meet with Integrigy at COLLABORATE, please contact us at info@integrigy.com 

Sunday Apr 02, 2017

1:45 PM-2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

Banyan E

Speaker: Stephen Kost

1:45 PM-2:45 PM

How to Control and Secure Your DBAs and Developers in Oracle E- Business Suite

South Seas F

Speaker: Michael Miller

Monday Apr 03, 2017

9:45 AM-10:45 AM

The Thrifty DBA Does Database Security

Jasmine D

Speaker: Stephen Kost

1:00 PM-4:30 PM

Integrigy team available for meetings and discussions

Contact us at info@integrigy.com to arrange
Tuesday Apr 04, 2017

9:45 AM-10:45 AM

Solving Application Security Challenges with Database Vault

Jasmine D

Speaker: Stephen Kost

1:00 PM-4:30 PM

Integrigy team available for meetings and discussions

Contact us at info@integrigy.com to arrange
Wednesday Apr 05, 2017

9:45 AM-10:45 AM

When You Can't Apply Database Security Patches

Jasmine D

Speaker: Stephen Kost

11:00 AM-12:00 PM

Common Mistakes When Deploying Oracle E-Business Suite to the Internet

South Seas B

Speaker: Stephen Kost

1:30 PM-2:30 PM

Securing Oracle 12c Multitenant Pluggable Databases

Palm A

Speaker: Michael Miller

2:45 PM-3:45 PM

How to Control and Secure Your DBAs and Developers in PeopleSoft

Ballroom  J

Speaker: Michael Miller

Thursday Apr 06, 2017

8:30 AM-9:30 AM

Oracle E-Business Suite Mobile and Web Services Security

South Seas B

Speaker: Michael Miller

Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft

Integrigy COLLABORATE 17 Sessions - Presentations on Oracle Database, Oracle E-Business Suite, and PeopleSoft Security

Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/). The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group. 

Here is our schedule. If you have questions or would like to meet with us while at COLLABORATE 17, please contact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM - 2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM - 2:45 PM

How to Control and Secure Your DBAs and Developers in Oracle E- Business Suite

https://app.attendcollaborate.com/event/member?item_id=5740411

South Seas F

Speaker: Michael Miller

Monday Apr 03, 2017

9:45 AM - 10:45 AM

The Thrifty DBA Does Database Security

https://app.attendcollaborate.com/event/member?item_id=5660960

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions. Contact us at info@integrigy.com to arrange.
Tuesday Apr 04, 2017

9:45 AM - 10:45 AM

Solving Application Security Challenges with Database Vault

https://app.attendcollaborate.com/event/member?item_id=5660961

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions. Contact us at info@integrigy.com to arrange.
Wednesday Apr 05, 2017

9:45 AM - 10:45 AM

When You Can't Apply Database Security Patches

https://app.attendcollaborate.com/event/member?item_id=5660962

Jasmine D

Speaker: Stephen Kost

11:00 AM - 12:00 PM

Common Mistakes When Deploying Oracle E-Business Suite to the Internet

https://app.attendcollaborate.com/event/member?item_id=5621520

South Seas B

Speaker: Stephen Kost

1:30 PM - 2:30 PM

Securing Oracle 12c Multitenant Pluggable Databases

https://app.attendcollaborate.com/event/member?item_id=5660950

Palm A

Speaker: Michael Miller

2:45 PM - 3:45 PM

How to Control and Secure Your DBAs and Developers in PeopleSoft

https://app.attendcollaborate.com/event/member?item_id=5617942

Ballroom  J

Speaker: Michael Miller

Thursday Apr 06, 2017

8:30 AM - 9:30 AM

Oracle E-Business Suite Mobile and Web Services Security

https://app.attendcollaborate.com/event/member?item_id=5621407

South Seas B

Speaker: Michael Miller

You can download a complete listing of Integrigy's sessions at Integrigy COLLABORATE 17 Sessions.

Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft