Oracle Security Blog

Oracle released the thirteenth Critical Patch Update (CPU) today.  This quarter is the same as the previous twelve with many patches and long hours in order to get all the security patches applied in a timely manner.  17 of the 27 vulnerabilities fixed impact Oracle E-Business Suite 11i.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Here is a brief analysis of the pre-release announcement for the upcoming January 2008 Oracle Critical Patch Update (CPU) -

As part of the Oracle quarterly Critical Patch Update (CPU) process, a new reminder e-mail of the upcoming CPU is being sent to all individuals who signed up for e-mail notifications on the CPU web page.  This e-mail is only a reminder that the next CPU will be released on January 15, 2008 (sometime after noon Pacific Time).

I do respect Oracle for being an early adopter of their own products internally, including a very large implementation of the latest Oracle E-Business Suite.  Unfortunately, it appears that Oracle does not run all their products everywhere. 

I recently had to revisit the estimates I provided in our white paper on brute forcing credit card hashes since new techniques were published that can speed the brute forcing up by at least a factor of 5 using off-the-shelf video cards.  Well, a month later I am having to revise the estimates again.  Nick Breese of New Zealand has published a paper at

From the Integrigy servers statistics, I have known that we get hundreds of visits a day from the Oracle proxy and cache servers.  Many days collectively the Oracle domains (.com, .uk, etc.) are number one.  The vast majority of the hits are on blog, RSS feeds, and our whitepapers.  But I have not known how Oracle actually uses this information internally.  Well, now I know someone is at least reading our comments and recommendations.

When clients are deploying an unpublished supplier or customer application to the Internet for the first, they are always amazed at the sheer number of random attacks.  Granted many of these are looking for PHP pages or some other long ago patched vulnerability.  The question that always arises is "How did they find the server so quickly?"  Well, the hackers are just searching blocks of addresses on a continual basis.

This past March, I published a white paper looking at how some applications hash credit card numbers and how vulnerable these hashes are to brute forcing.  I developed a proof of concept to roughly estimate the timings (about 2 million hashes per second).  Looking ahead, I estimated with additional optimization, multi-threading, and faster processors probably 50 million hashes per second is achievable.

Performing security assessments on Oracle Applications implementations sometimes involves some detective work.  During our assessments, we have encountered a number of 11.5.10 CU2 implementations where the "Signon Password Hard to Guess" profile option was set to No rather than the strongly recommended Yes.  Each time, the client claimed it used to be set to Yes and closer analysis showed a vast majority of the passwords matched the complexity rules -- so it most likely had been set to Yes.

This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, October 16th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, October 18 at 9:00 am and 5:00 pm U.S. Eastern Time

Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) -

US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and maybe lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and has only limited remediation steps.

Oracle has released a Metalink Note on the proper procedure for setting passwords for the database and FNDFS listeners.  It is important to note that there are two listeners in an Oracle Applications 11i implementation.  The first is the standard database listener and is the version from the installed database.  The second is for FNDFS/FNDMS and is used by the concurrent managers, generic service manager, and other internal Oracle Applications processes.  This second listener is part of the 8.0.6, thus is version 8.0.6.x.  Passwords should be set for both listeners,

Oracle has updated the white paper "Best Practices for Securing the E-Business Suite 11i" Metalink Note ID 189367.1 to version 3.0.5.  The major changes include -