Oracle Critical Patch Update January 2016 E-Business Suite Analysis
To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk.
First, this CPU with 78 EBS security fixes has 10x the number of EBS security fixes than an average CPU. For the previous 44 CPUs released since 2005, an average of 7.5 security bugs are fixed per quarter for EBS. Second, there are a significant number of SQL injection and other high risk bugs, such as the ability to read arbitrary files from the EBS applications servers. Third, the security bugs are in a wide-range of over 30 technical and functional modules, therefore, every EBS implementation is at significant risk. Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Interface-facing self-service modules.
Integrigy is credited with discovering 40 of the security bugs fixed this quarter. We have additional security bugs open with Oracle which we except to be resolved in the next few quarters.
Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts. For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS). After October 2016, there will be no more CPUs for 11.5.10.
Vulnerability Breakdown
An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses. The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS). Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.
Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server. With some knowledge of EBS, it may be possible to download files with the APPS database password.
EBS Version Breakdown
23 vulnerabilities are found in all versions of Oracle E-Business Suite. The remainder are mostly specific to the different web architectures found in each version. The following is the breakdown of the 78 vulnerabilities by EBS version --
11.5.10 | 12.0.x | 12.1.x | 12.2.x |
66 | 38 | 40 | 22 |
For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql. mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages. mod_plsql was removed from EBS starting with 12.0. For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."
Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.
I have included 12.0.x in the listing of versions to show even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.
January 2016 Recommendations
As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner.
The most at risk implementations are those running Internet facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.) and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication. These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.
If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented. AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.
EBS 11i mod_plsql Mitigation
In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages. The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL. This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU. This must be thoroughly tested as it may block a few mod_plsql pages used by your organization. Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used. This fix is included and implemented as part of the January 2016 CPU.