It seems that the July 2012 CPU patch introduced a security problem (reference: Oracle Support Doc 1579709.1).
If you are using EBS R12, check whether the following patches have been applied:
Was any of the CPU patches released between July 2012 and April 2013 applied to the system?
Was patch 10009066 applied to the system?
Was patch 12832734 applied to the system?
Patch numbers:
R12.0.x
(13979375) - CPU PATCH FOR JUL 2012
(14321239) - CPU PATCH FOR OCT 2012
(14782697) - CPU PATCH FOR JAN 2013
(16196189) - CPU PATCH FOR APR 2013
R12.1.x
(13979377) - CPU PATCH FOR JUL 2012
(14321237) - CPU PATCH FOR OCT 2012
(14782696) - CPU PATCH FOR JAN 2013
(16196190) - CPU PATCH FOR APR 2013
If at least one of these patches was applied, your system is at risk: EBS user passwords may have been logged in the FND log tables and/or the diagnostic log files.
The issue has been addressed in the July 2013 CPU, so to fix this security problem the July 2013 CPU should be applied to the system.
If you do not want to apply the July 2013 CPU, the following trigger can be used to prevent the logging.
-- Blank out the message text of any FND_LOG_MESSAGES row written by the
-- affected SSO module before it is stored, so no password reaches the table.
CREATE OR REPLACE TRIGGER FND_LOG_MESSAGES_BI
BEFORE INSERT ON APPLSYS.FND_LOG_MESSAGES
REFERENCING NEW AS NEW OLD AS OLD FOR EACH ROW
WHEN (NEW.module like 'fnd.sso.SecureHttpRequest%')
BEGIN
:NEW.message_text := 'Ignored';
END;
/
Once you have fixed the problem, or created the trigger to work around it, the records that were already written must be deleted from the diagnostic files and from the FND_LOG_MESSAGES table.
FND_LOG_MESSAGES ->
In SQL*Plus, log in as APPS and do one of the following:
TRUNCATE TABLE FND_LOG_MESSAGES;
or
DELETE FND_LOG_MESSAGES
where MODULE like 'fnd.sso.SecureHttpRequest%.secureParse';
COMMIT;
DIAG FILES ->
For a single file:
sed -i -e '/fnd.sso.SecureHttpRequest/d' file_name
or, for multiple files:
find /some/dir -name '*.log' -exec \
sed -i -e '/fnd.sso.SecureHttpRequest/d' {} \;
Note that, as the last step, you need to change the EBS user passwords, because they may already have been recorded.
Use the following to force a password change for all EBS users:
UPDATE FND_USER set PASSWORD_DATE = NULL
where nvl(END_DATE, sysdate+1) > sysdate
and USER_NAME not in ('GUEST','AUTOINSTALL','ASADMIN',
'ORACLE12.0.0','ORACLE12.1.0','ORACLE12.2.0','ORACLE12.3.0',
'ORACLE12.4.0','ORACLE12.5.0','ORACLE12.6.0','ORACLE12.7.0',
'ORACLE12.8.0','ORACLE12.9.0');
COMMIT;
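As an added example (not part of the original post), the following queries let you assess the exposure before the cleanup and verify it afterwards. They assume the standard EBS patch registry table AD_BUGS (BUG_NUMBER, LAST_UPDATE_DATE) and the FND_LOG_MESSAGES columns TIMESTAMP and USER_ID, which are not mentioned in the post; run them as APPS in SQL*Plus.

```sql
-- Added example, not from the original post. Assumes AD_BUGS records applied
-- patches and FND_LOG_MESSAGES has TIMESTAMP and USER_ID columns.

-- 1. Which of the affected CPU patches (numbers from the post) are registered
--    as applied on this instance? Any row here means the instance is exposed.
SELECT b.bug_number, b.last_update_date
  FROM ad_bugs b
 WHERE b.bug_number IN ('13979375', '14321239', '14782697', '16196189',  -- R12.0.x
                        '13979377', '14321237', '14782696', '16196190',  -- R12.1.x
                        '10009066', '12832734')                          -- also asked about
 ORDER BY b.last_update_date;

-- 2. Scope of the exposure: how many rows the affected module wrote, over
--    what period, and how many distinct users were involved. The pattern is
--    the broad one used by the trigger, so it also catches rows that the
--    narrower '%.secureParse' DELETE would leave behind.
SELECT module,
       COUNT(*)                AS msg_count,
       COUNT(DISTINCT user_id) AS affected_users,
       MIN(timestamp)          AS first_seen,
       MAX(timestamp)          AS last_seen
  FROM fnd_log_messages
 WHERE module LIKE 'fnd.sso.SecureHttpRequest%'
 GROUP BY module;

-- 3. After the cleanup: the workaround trigger must be present and ENABLED,
--    and no rows from the module may remain with anything but the
--    placeholder text. Both queries should return zero problem rows.
SELECT trigger_name, status
  FROM all_triggers
 WHERE owner = 'APPS'
   AND trigger_name = 'FND_LOG_MESSAGES_BI'
   AND status <> 'ENABLED';

SELECT COUNT(*) AS remaining_sensitive_rows
  FROM fnd_log_messages
 WHERE module LIKE 'fnd.sso.SecureHttpRequest%'
   AND message_text <> 'Ignored';
```

Query 2 is also the place to confirm that the password reset in the UPDATE above covered every user listed as affected, since PASSWORD_DATE = NULL only forces a change for users who are still active.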