Monday, September 16, 2013

Potential logging of E-Business Suite passwords after applying patches

It seems the July 2012 CPU patch introduced a security problem (reference: Oracle Support Doc 1579709.1).
If you are using EBS R12, you should check for the following patches.


Were any of the CPU patches released between July 2012 and April 2013 applied to the system?
Was patch 10009066 applied to the system?
Was patch 12832734 applied to the system?

Patch numbers:

R12.0.x

(13979375) - CPU PATCH FOR JUL 2012
(14321239) - CPU PATCH FOR OCT 2012
(14782697) - CPU PATCH FOR JAN 2013
(16196189) - CPU PATCH FOR APR 2013

R12.1.x

(13979377) - CPU PATCH FOR JUL 2012
(14321237) - CPU PATCH FOR OCT 2012
(14782696) - CPU PATCH FOR JAN 2013
(16196190) - CPU PATCH FOR APR 2013
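A quick way to answer the three questions above is to query the applied-patch history directly. The following is an added example, not part of the original post; it assumes the standard EBS AD_BUGS table (one row per applied bug fix, with a BUG_NUMBER column stored as a string) and is run as APPS in SQL*Plus.

```sql
-- Added example: report which of the patches listed above are present on this
-- EBS instance. AD_BUGS holds every bug fix recorded by AutoPatch, so a row here
-- means the corresponding patch has been applied.
SELECT b.bug_number,
       b.creation_date AS applied_on,
       CASE b.bug_number
         WHEN '13979375' THEN 'R12.0.x CPU Jul 2012'
         WHEN '14321239' THEN 'R12.0.x CPU Oct 2012'
         WHEN '14782697' THEN 'R12.0.x CPU Jan 2013'
         WHEN '16196189' THEN 'R12.0.x CPU Apr 2013'
         WHEN '13979377' THEN 'R12.1.x CPU Jul 2012'
         WHEN '14321237' THEN 'R12.1.x CPU Oct 2012'
         WHEN '14782696' THEN 'R12.1.x CPU Jan 2013'
         WHEN '16196190' THEN 'R12.1.x CPU Apr 2013'
         WHEN '10009066' THEN 'Patch 10009066'
         WHEN '12832734' THEN 'Patch 12832734'
       END AS description
  FROM ad_bugs b
 WHERE b.bug_number IN ('13979375', '14321239', '14782697', '16196189',
                        '13979377', '14321237', '14782696', '16196190',
                        '10009066', '12832734')
 ORDER BY b.creation_date;
-- No rows returned: none of the listed patches is on the system.
-- One or more rows returned: treat the system as exposed until the
-- July 2013 CPU has been applied.
```

The query reports only whether the patches are present, not whether passwords were actually logged; the second check, on FND_LOG_MESSAGES itself, is what tells you that.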



If at least one of these patches was applied, then your system is at risk: EBS user passwords may have been logged in the FND log tables and/or the diagnostic log files.
The issue has been addressed in the July 2013 CPU, so the fix for this security problem is to apply the July 2013 CPU to the system.
If you don't want to apply the July 2013 CPU yet, the following trigger can be used to prevent the logging.


-- Workaround: mask the message text of every FND_LOG_MESSAGES row written by
-- the fnd.sso.SecureHttpRequest module before the row is stored.
CREATE OR REPLACE TRIGGER FND_LOG_MESSAGES_BI
BEFORE INSERT ON APPLSYS.FND_LOG_MESSAGES
REFERENCING NEW AS NEW OLD AS OLD
FOR EACH ROW
WHEN (NEW.module LIKE 'fnd.sso.SecureHttpRequest%')
BEGIN
  :NEW.message_text := 'Ignored';
END;
/


Once you have fixed the problem or created the trigger to work around it, the records that were already written must still be deleted from the diagnostic files and from the FND_LOG_MESSAGES table.

FND_LOG_MESSAGES ->
In SQL*Plus, log in as APPS and do one of the following:

TRUNCATE TABLE FND_LOG_MESSAGES;

or

DELETE FND_LOG_MESSAGES
WHERE MODULE LIKE 'fnd.sso.SecureHttpRequest%.secureParse';
COMMIT;
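Before and after the cleanup it is worth measuring the exposure rather than deleting blindly. The queries below are an added example, not part of the original post; they assume the workaround trigger was created under the name FND_LOG_MESSAGES_BI as shown above, and that FND_LOG_MESSAGES carries the standard MODULE, MESSAGE_TEXT and TIMESTAMP columns. Run them as APPS.

```sql
-- Added example: assess how much sensitive logging exists and whether the
-- workaround is active.

-- 1. Rows written by the affected module, and how many of them still carry an
--    unmasked message. Rows inserted after the trigger exists have the text
--    'Ignored', so only the unmasked count represents real exposure. Note the
--    pattern here is the broad one used by the trigger, which also covers the
--    narrower '%.secureParse' pattern used in the DELETE above.
SELECT COUNT(*)                                              AS affected_rows,
       COUNT(CASE WHEN message_text <> 'Ignored' THEN 1 END) AS unmasked_rows,
       MIN(timestamp)                                        AS earliest,
       MAX(timestamp)                                        AS latest
  FROM fnd_log_messages
 WHERE module LIKE 'fnd.sso.SecureHttpRequest%';

-- 2. Confirm the workaround trigger is present and enabled on the table.
SELECT trigger_name, status
  FROM all_triggers
 WHERE table_owner  = 'APPLSYS'
   AND table_name   = 'FND_LOG_MESSAGES'
   AND trigger_name = 'FND_LOG_MESSAGES_BI';

-- 3. After the TRUNCATE or DELETE and COMMIT, re-run query 1: unmasked_rows
--    must be 0 before you move on to the diagnostic files.
```

The earliest/latest timestamps from query 1 also tell you the window in which passwords could have been captured, which is useful when deciding how far back the diagnostic log files need to be cleaned.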

DIAG FILES ->

For a single file (sed -i edits the file in place):

sed -i -e '/fnd.sso.SecureHttpRequest/d' file_name

or for multiple files:

find /some/dir -name '*.log' -exec \
  sed -i -e '/fnd.sso.SecureHttpRequest/d' {} \;


Note that, as the last step, you need to change the EBS user passwords, because they may already have been recorded.

Use the following to force a password change for all active EBS users (clearing PASSWORD_DATE makes each user change their password at the next login):

UPDATE FND_USER
   SET PASSWORD_DATE = NULL
 WHERE NVL(END_DATE, SYSDATE + 1) > SYSDATE
   AND USER_NAME NOT IN ('GUEST', 'AUTOINSTALL', 'ASADMIN',
                         'ORACLE12.0.0', 'ORACLE12.1.0', 'ORACLE12.2.0', 'ORACLE12.3.0',
                         'ORACLE12.4.0', 'ORACLE12.5.0', 'ORACLE12.6.0', 'ORACLE12.7.0',
                         'ORACLE12.8.0', 'ORACLE12.9.0');
COMMIT;


