Learn about the top security risks and vulnerabilities specific to the Oracle E-Business Suite and why you should care! Whether your ERP is in the process of being implemented or has been in place for years, there are a number of security vulnerabilities commonly overlooked by implementation / support teams focused on project timing, budget, and functionality. This presentation is geared toward the end user community, system administrators, and other application support personnel and what they need to know to protect their Oracle EBS data from unauthorized access.
Amplify the participants’ overall security awareness
Share knowledge and experiences in securing Oracle EBS
Provide a detailed list of commonly overlooked security vulnerabilities, risks each pose, and how to fix or mitigate each
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
1. Top Oracle E-Business Suite
Security Vulnerabilities
Christeen Russell, Crowe Horwath
2. Christeen Russell
• Senior Manager in the Technology Risk Group at Crowe Horwath
• Technology audit and implementation capabilities include:
• Oracle E-Business Suite 11i & R12
• Great Plains 10
• Microsoft CRM 4.0 & 2011
• Certified Public Accountant (CPA) - Illinois & New York
• Certified Information Systems Auditor (CISA)
3. Crowe Risk Consulting
We have more than 1,100 experienced practitioners with geographic,
functional, and industry expertise.
Crowe Horwath Global Risk Consulting
has been named a “Challenger” by
Gartner, Inc., in the “Magic Quadrant
for Global Risk Management
Consulting Services”, by Jacqueline
Heng and John A. Wheeler. The full
report can be reviewed at
www.crowehorwath.com/gartner
4. Objectives
1. Amplify the participants’ overall Oracle EBS security awareness
2. Share knowledge and experiences in securing Oracle EBS
3. Provide a detailed list of commonly overlooked Oracle EBS security
vulnerabilities, risks each pose, and how to fix or mitigate each
5. Top Security Concerns
• Seeded (default/generic) application accounts with known passwords (30+)
• Seeded database accounts with known passwords (200+)
• AZN menus
• Seeded responsibilities and menus
• Delegation authority and proxy users
• Direct database access through the application
• Defense against cross-site scripting (XSS), HTML injection attacks, and parameter and
URL tampering
• Weak default password settings
• Password setting “overrides”
• Protecting sensitive information
• Sensitive administrative pages
6. Why are These Top Security Concerns?
• Issues commonly seen in Oracle EBS environments
• Most are free and/or not complex to address
• Relevant to various releases
• Not well known
7. What are the Risks?
• Unauthorized access (to data and configuration settings), adversely
affecting transaction processing and data integrity
• Data exfiltration and leakage
• Non-compliance with regulations (SOX, PCI DSS/PA DSS, HIPPA, etc.)
• Non-compliance with company policy
• Potential to commit fraud
• Reputational harm
9. ID Overview
+30 seeded “generic” user ids: i.e. APPSMGR, IBEGUEST,
GUEST, SYSADMIN, WIZARDOracle EBS
Oracle EBS creates 200+ db accounts: i.e. APPS, APPLSYS,
SYS, SYSTEM, 100+ schema accountsOracle Database
oracle, applmgrOperating System
Oracle ships seeded accounts with widely known default passwords!
10. Privileged & Generic IDs
• Passwords are published on the internet and are typically “welcome”,
“Oracle”, or is the same as the id; i.e.
• MOBADM password is MOBADM
• ASGADM password is welcome
• Some IDs have privileged access
• New accounts are automatically added during upgrades, i.e.:
• 12.2.2 – GHG, APPS_NE
• 12.1.0 – DDR, DPP, INL, MTH, QPR, RRS
• 12.0.4 – IZU
• 12.0.0 – DNA, GMO, IBW, IPM, JMF
•2
.
2
.
2
–
G
H
G
,
A
P
P
S
_
N
E
•2
.
1
.
0
–
D
D
R
,
D
P
P
,
I
N
L,
M
T
H
,
Q
P
R
,
R
R
S
•2
.
0
.
4
–
I
Z
U
•2
.
0
.
0
–
D
N
A
,
G
M
O
,
I
B
W
,
I
P
M
,
J
M
F
•2
.
2
.
2
–
G
H
G
,
A
P
P
S
_
N
E
•2
.
1
.
0
–
D
D
R
,
D
P
P
,
I
N
L,
M
T
H
,
Q
P
R
,
R
R
S
•2
.
0
.
4
–
I
Z
U
•2
.
0
.
0
–
D
N
A
,
G
M
O
,
I
B
W
,
I
P
M
,
J
M
F
11. Seeded ID’s – Application Level
ID Purpose Change Password Disable Account
AME_INVALID_APPROVER AME workflow migration 11.5.9 to
11.5.10
Yes Yes
ANONYMOUS FND/AOL - Anonymous for non-logged
users
Yes Yes
APPSMGR Routine maintenance via concurrent
requests
No^ Yes
ASADMIN Application Server Administrator No^ Yes
ASGADM Mobile gateway related products Yes Yes*
ASGUEST Sales Application guest user Yes Yes*
AUTOINSTALL AD Yes Yes
CONCURRENT MANAGER FND/AOL: Concurrent Manager Yes Yes
FEEDER SYSTEM AD - Supports data from feeder system Yes Yes
^ it is not possible to login as this user unless you change the password
* Required for Mobile Sales, Service, and Mobile Core Gateway components. Or required for Sales Application. Or required for iStore.
12. Seeded ID’s – Application Level
ID Purpose Change Password Disable Account
GUEST Guest application user Yes No
IBE_ADMIN iStore Admin user Yes Yes*
IBE_GUEST iStore Guest user Yes Yes*
IBEGUEST iStore Guest user Yes Yes*
IEXADMIN Internet Expenses Admin Yes Yes
INDUSTRY DATA Used for PCI Security Demo No^ Yes
INITIAL SETUP AD Yes Yes
IRC_EMP_GUEST iRecruitment Employee Guest Login Yes Yes
IRC_EXT_GUEST iRecruitment External Guest Login Yes Yes
MOBADM Mobile Applications Development Yes Yes
MOBILEADM Mobile Applications Admin Yes Yes
MOBILEDEV Mobile Applications Development Yes Yes
Do not disable the GUEST account.
13. Seeded ID’s – Application Level
ID Purpose Change Password Disable Account
OP_CUST_CARE_ADMIN Customer Care Admin for Oracle
Provisioning
Yes Yes
OP_SYSADMIN OP (Process Manufacturing) Admin User Yes Yes
ORACLE12.0.0 to
ORACLE12.9.0
Owner for release specific seed data No^ No
PORTAL30 Oracle Portal and Portal Single Sign On
(desupported)
Yes Yes
PORTAL30_SSO Oracle Portal and Portal Single Sign On
(desupported)
Yes Yes
STANDALONE BATCH PROCESS FND/AOL Yes Yes
SYSADMIN Application Systems Admin Yes No
WIZARD AD Application Implementation Wizard Yes Yes
XML_USER Gateway Yes Yes
Do not disable the SYSADMIN account.
14. Other Generic ID’s – Application Level
• Search for other generic ID’s from the users table (fnd_users)
• SQL statement to identify users with:
• no “end_date”
• no “employee_id” and/or
• “last_logon_date” greater than a certain date
• Greatly narrow down your search through the user list
15. Seeded ID’s – Database Level
Schema Purpose Change Password
SYS Initial schema in any Oracle database Yes
SYSTEM Initial DBA User Yes
DBSNMP, SYSMAN, MGMT_VIEW Used for database status monitoring Yes
SCOTT Oracle db demo account Yes and lock the account
SSOSDK Single Sign On SDK Yes
JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS,
ORDSYS, OUTLN, OWAPUB, MGDSYS
Yes
PORTAL30_DEMO, PORTAL30_PUBLIC,
PORTAL30_SSO_PS, & PORTAL30_SSO_PUBLIC
Oracle Login Server and Portal 3.0.9 with E-
Business Suite 11i
Yes and lock PORTAL30_DEMO
if using 11i; otherwise lock all
PORTAL30, PORTAL30_SSO Oracle Login Server and Portal 3.0.9 with E-
Business Suite 11i
Yes and lock the schemas if not
using 11i
CTXSYS Used by Online Help and CRM service products
for indexing knowledge base data
Yes
16. Seeded ID’s – Database Level
Schema Purpose Change Password
EDWREP Embedded Data Warehouse Metadata
Repository
Yes, but if not using Embedded Data
Warehouse, then lock and expire EDWREP
ODM Oracle Data Manager Yes
APPLSYSPUB Verifies the username/password combination and the
records the success or failure of a login attempt. R12
only
Yes (must be all upper case)
APPLSYS Contains shared APPS objects Yes, use a long secure password
APPS Runtime user for E-Business Suite.
Owns all of the applications code in the
database
Yes, use a long secure password
APPS_mrc Obsolete account Yes, use a long secure password
AD_MONITOR
EM_MONITOR
Oracle Applications Manager uses this schema to
monitor running patches. Although the default
password for
AD_MONITOR is 'lizard', the schema is created locked
and expired.
Yes
17. Seeded ID’s – Database Level
ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF
ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV
BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF
CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP
CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO
ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV
GCS GL GHG GMA GMD GME GMF GMI GML GMO GMP GMS GR
HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB
IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL
INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS
LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE
OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM
OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON
POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA
RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP
XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX
• By default the password is the same as the SCHEMA name
• Change all of these schema passwords
200+
DB schemas shipped
with Oracle EBS
New schemas are created
during upgrades
18. Control Seeded ID’s
• Change the password and disable the account where recommended
• Changed passwords should be “sealed”
• For accounts where the password cannot be changed and/or disabled
log activity performed using the accounts (manual logins)
• Setup alerts or have periodic reviews of activity
• Consult Oracle Metalink Note 403537.1.
20. Restricted Access & Segregation of Duties
• Defined as users with too much or conflicting access
• Risk:
• Unauthorized transactions, erroneous transactions, or fraudulent activity
• Users with combined access privileges to modify system configuration settings along
with business transaction execution access increases the risk that application
controls dependent upon configuration settings will be circumvented
• Data leakage or exfiltration
• So let’s discuss:
• AZN’s
• Seeded menus and responsibilities
• Delegation authority
• Proxy users
21. Process Tab / AZN
• Click an icon to gain immediate access to the associated form
• In this example, the user most likely has “end-to-end” access in the purchase to payments process
Traditional way to access functions Process tab access
22. Process Tab / AZN - continued
• Potential Segregation of Duties
Conflicts!!
• NOTE: Many do not know this
additional access exists.
Example of a menu with an AZN submenu (menus are assigned to responsibilities):
25. Seeded Menus & Responsibilities
• Should not be used nor copied and renamed
• These are not “perfect” and also may contain AZN menus, leading to:
• Excessive access
• Segregation of duties conflicts
• Example: Seeded Receivables Inquiry is not limited to view only
• Create auto adjustments
• Write off receipts
• Open and close periods
• May re-introduce the aforementioned issues during upgrades/patches if using
standard menus
26. User Management - UMX
• Delivers Role Based Access Control (RBAC)
• Groups responsibilities, permission sets, and data security rules
• Common user registration workflow
• Forgotten password functionality
• Security decentralization
• Proxies
27. Delegated Administration
• Delegate local admins to perform system administration for a subset
of users and roles
• Risks:
• The “users” form in the User Management screen (UMX) does not allow one
to establish a password expiration
• How do you ensure any remote locations are compliant with corporate
security policies
28. Password Expiration
• Set at the User level
• Can set the “Password Expiration”
to either:
• Days
• Accesses
• None
• By default user passwords do not
periodically expire
• Create a personalization
• Periodic review or alert
29. Manage Proxies
• Allows a user to determine who can act their behalf for a time
• Equivalent to sharing your username and password
• Activity performed by another is logged under the delegator’s username
• R12.2 introduced
• “Designate proxy” to all users as a default
• “All or nothing is gone”, can now select certain responsibilities and workflows to delegate
• This should not be used without a business case and compensating controls
• User’s access does not appear in the system administrator module
• Run script to see if proxies exist
30. Proxy
• The delegate can't view what s/he did as someone’s proxy
• Periodically review the proxy report which shows all navigation
completed by the proxy user:
32. Profile Options
• Affects security, processes, controls
• 8000+ profile options
• Set at one or more levels.
• User takes precedence over the
other levels
• Site level has the lowest priority
• Some maintained by users, most
maintained by the SA responsibility
User
Responsibility
Application
(module)
Site
Takes Precedence
33. Profile Options – Diagnostics
• Utilities: Diagnostic & FND: Diagnostics
• These profile options should be set to “No” at all levels
• Risk: Allows users to change individual database records
• Hide Diagnostics Menu Entry
• Hides the diagnostic menu from users
• Profile option should be set to “Yes”
• The default is "No" or NOT hidden
34. Profile Options – Diagnostics – 12.1.3+ only
• Assign the “FND Diagnostics menu
Examine Read Only” function to a
Menu
• Ensure the profile option “Hide
Menu Entry” is set to No
• Grant the seeded permission set to
a role
• Assign the role to a user
• APPS password not required in
read-only mode
35. Profile Options – Information Leakage
• Set of profile options that
can defend against:
• Cross-site scripting (XSS)
• HTML injection attacks
• Parameter and URL
tampering
• Can lead to data leaks
Profile Option^ Default Recommended
FND Validation Level Error (as of R12) Error*
FND Function Validation
Level
Error (as of 11.5.10) Error*
Framework Validation
Level
Error (as of 11.5.10) Error*
Restrict Text Input Yes Yes
IRC: XSS Filter Null Enabled
FND: Fixed Key Enabled Null Yes
FND: Fixed Key None Yes, only at User
level
*R12.2 does not allow the profile option value to be changed
^ at Site level unless otherwise stated
36. Profile Options – Others
Profile Option^ Purpose Default Recommended
Concurrent:Report
Access Level
Determines access privileges to report
output files and log files generated by a
concurrent program
User User
Sign-On:Notification Warns users of key events such as failed
concurrent requests, failed login attempts,
and incorrect default printer settings
No Yes
Personalize Self-
Service Defn
Enables or disables the global Personalize
Page link that appears on each self-service
web application page
No No – Site level
Yes – User level for
approved individuals only
FND: Developer Mode Enables the Edit Region global button. Also
enables Developer Test Mode diagnostics.
Null No
Yes – User level for
approved individuals only
^ at Site level unless otherwise stated
37. Profile Options – Password Settings
• By default Oracle does not set strong password parameters
• Different studies have shown that passwords of 10 characters with a
symbol can take “years” to break by high powered computers
Profile Oracle Default Recommended (Site)
Sign-on Password Case None Sensitive
Sign-on Password Failure Limit None 3 (attempts)
Sign-on Password Hard to Guess No Yes
Sign-on Password Length 5 8 to 10 (characters)
Sign-on Password No Reuse None 180+ (days)
44. Sensitive Information
• Challenge: Finding the sensitive data
• 11 modules consisting of 20 known tables that display credit card data
• Are CCN, SSN, etc. stored in other non-designated fields (i.e. misc. fields)?
• Encrypt, restrict access
• Options include:
• SQL scripts
• EBSCheckCCEncryption.sql - Checks whether credit cards are encrypted in ‘Immediate’
mode
• Third party products
• Oracle AMP Data Scrambling
• Oracle OEM Data Masking
45. Non-Production / Cloning
• When environments are cloned from production sometimes users access
increases (additional users, additional privileged) and configuration
settings get changed
• Controls:
• Change passwords of privileged ids when cloning to the app and db levels
• Metalink No. 419475.1 “Removing Credentials from a Cloned EBS Production Database”
• Scramble key data:
• Employee name, address, social security number, compensation details
• Customer name, address, credit card data
• Risks:
• Data confidentiality is breached
• Data is exfiltrated
• Privileged access to production
47. Sensitive Administrative Pages
• Some Oracle forms and pages allow for modification of the
application:
• Oracle Forms Controlled by Function Security (~47)
• HTML Pages Controlled by Function Security (~21)
• Functionality Controlled by Profile Options (3)
• Pages Controlled by JTF Permissions and Roles (3)
• Most of these are accessible only from SA menus and responsibilities,
where access should already be limited
• Eliminate or minimize access to these screens in a production system
• Oracle has published an SQL query to who has access to the forms
and pages, see MOS Note 1334930.1
50. Best Practices
• On going monitoring of:
• Privileged IDs
• Generic IDs
• Key configuration (i.e. responsibilities, menus, profile options)
• Users without password expirations
• Proxies
• Approval processes are in place when making changes to
configuration and users