
APPS Blogs

Are you ready for Oracle EBS 12.2 Upgrade? Learn 12.2 before it's too late…

Online Apps DBA - Tue, 2016-02-16 23:55
With Oracle E-Business Suite 12.2, Oracle replaced the underlying technology stack from 10g AS to WebLogic Server and introduced Online Patching (ADOP), a Dual File System and a lot more.
Categories: APPS Blogs

Upgrading Oracle Apps (EBS) to 12.2 ? ORA-29283: Invalid File Operation

Online Apps DBA - Thu, 2016-02-11 10:28
This post covers an issue while running the American English Upgrade patch driver, reported in our Oracle EBS Upgrade R12.2 training (next batch starts on 20th Feb and only limited seats are available). We limit the number of trainees to 15 and cover Architecture, Overview of R12.2 & Major features in Upgrading to R12.2, Different upgrade paths available to R12.2, Best practices for R12.2 Upgrade, How […]
Categories: APPS Blogs

Weblogic: GC Log Generation

Online Apps DBA - Tue, 2016-02-09 06:02
This post covers GC (garbage collection) log generation in WebLogic and is a must-read if you are learning WebLogic. We cover GC log generation in our Oracle WebLogic Training along with other topics (such as creating a WebLogic domain, managed servers, clustering, deployment, logging, JMS, JTA, JDBC, JMX or security, […]
Categories: APPS Blogs

Upgrade Oracle Apps (EBS) to 12.2 ? ORA-01804: failure to initialize timezone information – issue while running AutoConfig

Online Apps DBA - Fri, 2016-02-05 03:23
This post covers an issue running AutoConfig on the DB tier after upgrading the database, reported in our Oracle EBS Upgrade R12.2 training (next batch starts on 20th Feb and only limited seats are available). We limit the number of trainees to 15 and cover Architecture, Overview of R12.2 & Major features in Upgrading to R12.2, Different upgrade paths available […]
Categories: APPS Blogs

Oracle Apps R12.2 : Error Starting Admin Server : weblogic.nodemanager.NMException java.io.IOException: Server failed to start up

Online Apps DBA - Wed, 2016-02-03 09:59
This post is from our Oracle Apps DBA (R12.2) Training (next batch starts on 7th Feb and only 2 seats remaining). We limit the number of trainees to 15 and cover Architecture, Installation, File System, WebLogic Concepts, Patching, Cloning, Common Tasks and differences in 12.2 from previous versions with Hands-On. Register here for Oracle Apps DBA 12.2 […]
Categories: APPS Blogs

WebLogic Server Hangs at Startup : Beware if you Disk is 100% full

Online Apps DBA - Tue, 2016-02-02 16:43
This entry is part 5 of 6 in the series WebLogic Server

We were recently implementing Oracle Fusion Middleware for one of our customers in the United Arab Emirates and encountered an issue where startup of WebLogic Server hangs, which we describe below. (WebLogic is the heart of Fusion Middleware; it is now used in almost every Fusion Middleware product and also in E-Business Suite R12.2 and PeopleSoft.)

Issue:

While starting the WebLogic Admin Server, the server did not come up: it hung at one point during startup without generating any logs. This can happen for many reasons.

WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 >
<Jan 29, 2016 3:42:26 AM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Jan 29, 2016 3:42:26 AM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Jan 29, 2016 3:42:26 AM PDT> <Notice> <Log Management> <BEA-170019> <The server log file /mydomain/WLS/user_projects/domains/wls_mydomain/servers/AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>

Cause:

Earlier, we had faced a disk space issue (the mount where the WebLogic domain directory is configured was 100% full) and got the message “No Disk Space Left on Device”, because of which the WebLogic Admin Server for BI Publisher went into a hung state. Even after providing some disk space on the server, it was not coming up and was stuck at the point shown above.

Fix:

After further investigation, we found that the issue was with the data folder at /mydomain/WLS/user_projects/domains/wls_mydomain/servers/AdminServer/data. To check whether the data folder was really the problem, we renamed/moved it to data_backup (as this was a test environment) and tried to start the server again. We observed that the server recreated the data folder by itself (from Admin Server) and started up fine without any hangs.

 

If you want to learn more or wish to discuss challenges you are hitting in Oracle WebLogic Server Implementation, Register for our Oracle WebLogic Administration Training (next batch starts on 13th February, 2016 – Register before 6th Feb and get discount of 100 USD,  Apply coupon code W100OFF ).

We are so confident on quality and value of our training that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money.

We also provide dedicated machine on cloud to practice WebLogic Implementation including day to day tasks and recording of live interactive trainings for life time access.

 

The post WebLogic Server Hangs at Startup : Beware if you Disk is 100% full appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

[Free Webinar] Learn Weblogic from Oracle ACE Atul Kumar & Oracle Expert Pavan

Online Apps DBA - Mon, 2016-02-01 11:14
This entry is part 4 of 6 in the series WebLogic Server


Nowadays, enterprises are using Weblogic server as it provides all the essential features to build and support JAVA EE applications.

And for that reason, more people are getting attracted towards learning Weblogic, but the main issue still lies. Where to go? and Where to start?

And if you are one of those people who are still not sure what Weblogic really is or why you should learn Weblogic, then we have good news for you.

On Saturday February 6th  at 10:00 PM IST, 4:30 PM GMT, 8:30 AM PST, Oracle ACE Atul Kumar & Oracle Expert Pavan would be discussing about Weblogic; and this is where you can clear all of your doubts related to Weblogic. You can grab this opportunity by clicking on below button to register for the webinar.

Click Here to Register For Free Webinar

We have a limited number of seats for a limited time. So, grab it before it goes off!

In the session, we will also have a Live Question & Answer section in which you can ask questions to your heart’s content. So it's a 100% bonus session, with guaranteed benefit.

And just for a quick start, Weblogic server was first developed by BEA Systems, which was later acquired by Oracle in 2008. Weblogic is a middle-tier server software application which is an Online Transaction Processing Platform (OLTP), and is mandatory in EBS 12.2.

For those who are interested in learning Weblogic from scratch, we also provide Training in Weblogic. Where you get a dedicated machine to practice and hone your skills, 24*7 Technical support, and if you are not satisfied then 100% money back guaranteed.

Don’t forget to share this post if you think this could be useful to others and also Subscribe to this blog for more such FREE Webinars and useful content related to Oracle.

The post [Free Webinar] Learn Weblogic from Oracle ACE Atul Kumar & Oracle Expert Pavan appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

Upgrading Oracle Apps (EBS) to 12.2 ? OPatch stopped with error “oracle.as.common.clone, 11.1.1.6.0, higher version 11.1.1.7.0 found

Online Apps DBA - Sat, 2016-01-30 13:13
This entry is part 5 of 8 in the series Oracle EBS 12.2 Upgrade

This post is from our Oracle EBS Upgrade R12.2 training where we cover Architecture, Overview of R12.2 & Major features in Upgrading to R12.2, Different upgrade paths available to R12.2, Best practices for R12.2 Upgrade, How to Minimize down time for R12.2 Upgrade, Difficulties/Issues while upgrading to R12.2.

One of the upgrade trainees from our previous batch hit the issue “oracle.as.common.clone, 11.1.1.6.0, higher version 11.1.1.7.0 found” while applying the latest AD and TXK patches ‘20642039’ in Oracle E-Business Suite 12.2.

Issue:

1. Applying the Latest AD and TXK patches  ‘20642039‘ in Oracle E-Business 12.2 as

export ORACLE_HOME=/u01/oracle/PROD122/fs1/FMW_Home/oracle_common 

Note: Here /u01/oracle/PROD122 is ORACLE_BASE where Oracle EBS 12.2 is installed and as patch is for ORACLE COMMON Home in Fusion Middleware we set ORACLE_HOME accordingly 

export PATH=/u01/oracle/PROD122/fs1/FMW_Home/oracle_common/OPatch:$PATH

cd $PATCH_TOP/20642039

opatch apply

And opatch stopped with below messages

Applying interim patch ‘20642039’ to OH ‘/u01/oracle/PRD12238/fs1/FMW_Home/oracle_common’ 
Verifying environment and performing prerequisite checks… 
OPatch system modification phase did not start: 
Patch “20642039” is not needed since it has no fixes for this Oracle Home. Please see log file for details. 
Log file location: /u01/oracle/PRD12238/fs1/FMW_Home/oracle_common/cfgtoollogs/opatch/20642039_Mar_10_2010_17_22_28/apply2010-03-10_17-22-27PM_1.log

OPatch stopped on request.

2. Then we looked into the log file at /u01/oracle/PRD12238/fs1/FMW_Home/oracle_common/cfgtoollogs/opatch/20642039_Mar_10_2010_17_22_28/apply2010-03-10_17-22-27PM_1.log; it was showing the error messages below:

[Mar 13, 2010 1:09:00 AM]    ——————— Oracle Home discovery ———————
[Mar 13, 2010 1:09:00 AM]    OUI-67086:ApplySession applying interim patch ‘20642039’ to OH ‘/u01/oracle/PRD12238/fs1/FMW_Home/oracle_common’
[Mar 13, 2010 1:09:00 AM]    Applying interim patch ‘20642039’ to OH ‘/u01/oracle/PRD12238/fs1/FMW_Home/oracle_common’
[Mar 13, 2010 1:09:00 AM]    Starting to apply patch to local system at Sat Mar 13 01:09:00 GMT 2010
[Mar 13, 2010 1:09:00 AM]    Verifying environment and performing prerequisite checks…
[Mar 13, 2010 1:09:02 AM]    Start the Apply initScript at Sat Mar 13 01:09:02 GMT 2010
[Mar 13, 2010 1:09:02 AM]    Finish the Apply initScript at Sat Mar 13 01:09:02 GMT 2010
[Mar 13, 2010 1:09:02 AM]    ——————— Prerequisite for apply ———————
[Mar 13, 2010 1:09:02 AM]    Running prerequisite checks…
[Mar 13, 2010 1:09:02 AM]    Patch “20642039” is ignored as it is not a “Fusion Applications patch”.
[Mar 13, 2010 1:09:02 AM]    Check if patch “20642039”  is a no-op patch.
[Mar 13, 2010 1:09:02 AM]    Found a higher component in OH inventory: oracle.as.common.clone, 11.1.1.6.0
[Mar 13, 2010 1:09:02 AM]    [ oracle.as.common.clone, 11.1.1.6.0, higher version 11.1.1.7.0 found. ]

Fix:

Since the version is already 11.1.1.7.0, this patch is not applicable. In this case there is another patch mentioned in DOC ID 1903052.1. The latest AD-TXK codelevel has a dependency on Oracle Fusion Middleware:

So we applied the patch 20756887 and it completed successfully.

If you are applying Delta 6 to a system on a pre-Delta 5 AD-TXK codelevel, you must apply the Oracle Fusion Middleware patch before proceeding with the AD and TXK patches. If you do not apply this patch, application of the TXK patch will fail.

If you want to learn more about Oracle EBS Upgrade to R12.2, then click the button below and register for our Oracle Upgrade 12.2 (next batch starts on 20th February, 2016).

Note: We are so confident on our workshops that we provide 100% Money back guarantee, in unlikely case of you being not happy after first session, just drop us a mail before second session and We’ll refund FULL money (or ask us from our 100s of happy trainees in our private Facebook Group)

Stay Tuned for more Information on Oracle Apps 12.2 Upgrade!!

Oracle E-Business Suite Upgrade to R12.2 Training

Live Instructor led Online sessions with Hands-on Lab Exercises, Dedicated Machines to Practice and Recorded sessions of the Training

Click here to learn more with limited time discounts

The post Upgrading Oracle Apps (EBS) to 12.2 ? OPatch stopped with error “oracle.as.common.clone, 11.1.1.6.0, higher version 11.1.1.7.0 found appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

FREE Demo Class : Oracle Apps DBA 12.1 & 12.2 : on 29 January (Friday) Join Team K21 Technologies

Online Apps DBA - Tue, 2016-01-26 09:26
This entry is part 7 of 8 in the series Oracle Apps 12.2


We’re so glad and excited to share that this year 2016, we got an amazing start-up on learning and noticed that you are also seeking the same. How?

A few days back we did our FREE Webinar on Oracle E-Business 12.2 New Features every Apps DBA must know, and in that Webinar many of the attendees requested a Free Demo Hands-On class so they can get an idea of how we usually present in a live class. We thought: why not present live, doing some of the activities an Apps DBA would do in 12.2, like installing R12 (12.1 or 12.2), starting/stopping services, managing the application, or showing how the new WebLogic Console looks in 12.2, so every one of you can get a feel of a Live Class of K21 Technologies.

Before I jump in to provide you information about our upcoming Free Demo class on 29 January at 10:00 PM IST at 4:30 PM GMT / 12:30 PM EST / 10:00 PM IST for Apps DBA, I just need a favour from you: put your comment in the comment box below or on the registration page about what you would like us to cover in class, so I can make the class according to your requirement and just for you people.

If you wish to register for the Free Demo Hands-on Class for Apps DBA Just click on below button

Click Here to Register For FREE Demo Class

Please notice that we have limited number of seats for a limited time. So, grab it before it goes off !

Don’t forget to share this post if you think this could be useful to others and also Subscribe to this blog for more such FREE Webinars and useful content related to Oracle.

The post FREE Demo Class : Oracle Apps DBA 12.1 & 12.2 : on 29 January (Friday) Join Team K21 Technologies appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

Car Logos

iAdvise - Mon, 2016-01-25 21:02
Symbols and elaborate images for car logos can be confusing. So many famous brands use the same animals or intricate images that may seem appealing at first but are actually so similar to each other that you can't tell one company apart from the other unless you're really an expert in the field.
How many auto brands do you know that have used a jungle cat or a horse or a hawk's wings in their trademark?
There're just too many to count.
So how can you create a design for your automobile company that is easy to remember and also sets you apart from the crowd?
Why not use your corporation name in the business mark?
How many of us confuse the Honda trademark with Hyundai's or Mini's with Bentley's?
But that won't happen if your car logos and names are the same.
Remember the Ford and BMW's business image or MG's and Nissan's? The only characteristic that makes them easier to remember is their company name in their brand mark.
But it's not really that easy to design a trademark with the corporation name. Since the only things that can make your car brand mark appealing are the fonts and colors, you need to make sure that you use the right ones to make your logo distinct and easy to remember.
What colors to use?
When using the corporation name in trademark, the rule is very simple. Use one solid color for the text and one solid color for the background. Text in silver color with a red or a dark blue background looks appealing but you can experiment with different colors as well. You can also use white colored text on a dark green background which will make your design identifiable from afar. Don't be afraid to use bright colored background but make sure you use the text color that complements the background instead of contrasting with it.
What kind of fonts to use?
Straight and big fonts may be easier to read from a distance but the font style that looks intricate and appealing to the customers and give your design a classic look are the curvier fonts. But make sure that the text is not too curvy that it loses its readability. You can even use the Times Roman font in italic effect or use some other professional font style with curvy effect to make sure that the text is readable and rounded at the same time.
Remember the Ford logo? It may just be white text on a red background, but it's the curvy font style that sets it apart from the rest. Remember the Ford business mark or the smart car logo?
What shapes to use?
The vehicle business image has to be enclosed in a shape, of course. The shape that is most commonly used is a circle. You can use an oval, a loose square or even the superman diamond shape to enclose your design. But make sure that your chosen shape does not have too many sides that make the mark complicated.
The whole idea of a car corporation mark is to make it easily memorable and recognizable along with making it a classic. Using the above mentioned ideas can certainly do that for your trademark.
Beverly Houston works as a Senior Design Consultant at a Professional Logo Design Company. For more information on car logos and names find her competitive rates at Logo Design Consultant.
Categories: APPS Blogs

FREE Live Demo class with Hands-On : Oracle Access Manager : Sunday

Online Apps DBA - Fri, 2016-01-22 04:42
This entry is part 5 of 5 in the series Oracle Access Manager


This Sunday 24th Jan at 7:30 AM PST / 10:30 AM EST/ 3:30 PM GMT/ 9 PM GMT  I’ll be doing FREE Demo Class on Oracle Access Manager with Hands-on for my Upcoming Oracle Access Manager course.

But before I can Jump into this  FREE Demo class with some Hands-On exercises I need your help!

I’m starting this class just for you… that’s why I’ve decided: why not take your suggestions?

I want to get crystal clear idea about where you need help with Oracle Access Manager ?

  • What Topic you would like me to cover in class?
  • What are the Topics that you feel you are lacking in and want to increase your knowledge of?

If I know exactly what kind of struggles you’ve with Oracle Access Manager & Integration with Oracle Applications, I can tailor this class specifically to what you need right now.

Would you be so kind as to take 5 minutes to give me your respective suggestions!

Just follow the button below to reserve your seat for the Demo class on Oracle Access Manager and give your suggestion on what you want me to cover at the time of registration.

Click Here to Join Class

If you do, I’ve got something for you in return! If you provide your valuable suggestion I’ll be very glad to provide you some extra discount on my Oracle Access Manager Training that is going to start from 31st Jan.

You’ll have first-round access to this Demo class that will give you a sneak-peek. It will fill up fast, but you will be guaranteed a seat!

Thanks so much for helping me make this class amazing. I can’t wait to show it to you!

Click here  to get your premium access to January’s free Demo class.

Don’t forget to share this post if you think this could be useful to others and also Subscribe to this blog for more such FREE Webinars and useful content related to Oracle.

The post FREE Live Demo class with Hands-On : Oracle Access Manager : Sunday appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

Oracle Critical Patch Update January 2016 E-Business Suite Analysis

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk.

First, this CPU, with 78 EBS security fixes, has 10x the number of EBS security fixes of an average CPU. For the previous 44 CPUs released since 2005, an average of 7.5 security bugs were fixed per quarter for EBS. Second, there are a significant number of SQL injection and other high-risk bugs, such as the ability to read arbitrary files from the EBS application servers. Third, the security bugs are in a wide range of over 30 technical and functional modules; therefore, every EBS implementation is at significant risk. Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Internet-facing self-service modules.

Integrigy is credited with discovering 40 of the security bugs fixed this quarter. We have additional security bugs open with Oracle which we expect to be resolved in the next few quarters.

Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts.  For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS).  After October 2016, there will be no more CPUs for 11.5.10.

Vulnerability Breakdown

An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses.  The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS).  Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.

Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server.  With some knowledge of EBS, it may be possible to download files with the APPS database password.

EBS Version Breakdown

23 vulnerabilities are found in all versions of Oracle E-Business Suite.  The remainder are mostly specific to the different web architectures found in each version.  The following is the breakdown of the 78 vulnerabilities by EBS version --

Version:          11.5.10   12.0.x   12.1.x   12.2.x
Vulnerabilities:  66        38       40       22

For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql.  mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages.  mod_plsql was removed from EBS starting with 12.0.  For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."

Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.

I have included 12.0.x in the listing of versions to show that, even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.

January 2016 Recommendations

As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner. 

The most at risk implementations are those running Internet facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.) and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.   These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.

If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

EBS 11i mod_plsql Mitigation

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.
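
An added example (not part of the original post, and not Integrigy's or Oracle's code) of the log review suggested above: it tallies which mod_plsql procedures appear under '/pls/' in Apache access-log lines and flags those in successful use that a given allowlist would not cover. The log lines, the DAD name DEMO, the XX_* procedure names and the allowlist representation (package or package.procedure names that you supply from FND_ENABLED_PLSQL) are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache common/combined log format, parsed up to the status code.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})(?:\s|$)'
)
# mod_plsql URL shape: /pls/<DAD>/<[schema.]package.procedure>
# Matched case-insensitively so odd-cased requests are still counted.
PLS_PATH = re.compile(r'^/pls/(?P<dad>[^/]+)/(?P<proc>[^/?;]+)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, hypothetical names).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2016:10:00:01 +0000] "GET /pls/DEMO/xx_demo_pkg.show?p_id=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Jan/2016:10:00:05 +0000] "GET /pls/DEMO/XX_DEMO_PKG.SHOW HTTP/1.1" 200 498',
    '192.0.2.12 - - [20/Jan/2016:10:01:12 +0000] "POST /pls/DEMO/xx%5Fdemo%5Fpkg.show HTTP/1.1" 200 77',
    '198.51.100.7 - - [20/Jan/2016:10:02:30 +0000] "GET /pls/DEMO/xx_other_pkg.run?x=1 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [20/Jan/2016:10:02:31 +0000] "GET /pls/DEMO/xx_other_pkg.run HTTP/1.1" 403 199',
    '192.0.2.10 - - [20/Jan/2016:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'garbled line without a request',
]


def parse_pls_request(line):
    """Return (DAD, PROCEDURE, status) for a /pls/ request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # malformed or non-access-log line
    # Drop the query string first, then percent-decode the path so that
    # encoded spellings of the same procedure are counted together.
    path = unquote(m.group("target").split("?", 1)[0])
    p = PLS_PATH.match(path)
    if not p:
        return None  # not a mod_plsql request
    # PL/SQL identifiers are case-insensitive: normalise to upper case.
    return p.group("dad").upper(), p.group("proc").upper(), int(m.group("status"))


def inventory(lines):
    """Map each requested procedure to a Counter of HTTP status codes."""
    usage = defaultdict(Counter)
    for line in lines:
        rec = parse_pls_request(line)
        if rec:
            _dad, proc, status = rec
            usage[proc][status] += 1
    return usage


def is_allowed(proc, allowed):
    """Assumption: an entry covers an exact name or a whole package."""
    proc = proc.upper()
    return any(proc == a.upper() or proc.startswith(a.upper() + ".")
               for a in allowed)


def uncovered_in_use(usage, allowed):
    """Procedures served successfully (status < 400) but not on the allowlist.

    These are the pages to test before limiting the enabled list, and the
    ones to question if nobody can explain why they are being requested.
    """
    result = []
    for proc in sorted(usage):
        ok_hits = sum(n for status, n in usage[proc].items() if status < 400)
        if ok_hits and not is_allowed(proc, allowed):
            result.append((proc, ok_hits))
    return result


if __name__ == "__main__":
    usage = inventory(SAMPLE_LOG)
    for proc in sorted(usage):
        print(proc, dict(usage[proc]))
    # Hypothetical allowlist: only the XX_DEMO_PKG package is enabled.
    for proc, hits in uncovered_in_use(usage, ["XX_DEMO_PKG"]):
        print("in use but not on allowlist:", proc, "successful hits:", hits)
```

In practice, feed `inventory()` the lines of the real access logs over a period long enough to include month-end and other infrequent activity, since a page used once a quarter will not show up in a week of logs.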

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Critical Patch Update January 2016 E-Business Suite Analysis

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk

First, this CPU with 78 EBS security fixes has 10x the number of EBS security fixes than an average CPU.  For the previous 44 CPUs released since 2005, an average of 7.5 security bugs are fixed per quarter for EBS.  Second, there are a significant number of SQL injection and other high risk bugs, such as the ability to read arbitrary files from the EBS applications servers.  Third, the security bugs are in a wide-range of over 30 technical and functional modules, therefore, every EBS implementation is at significant risk.  Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Interface-facing self-service modules.

Integrigy is credited with discovering 40 of the security bugs fixed this quarter.  We have additional security bugs open with Oracle which we except to be resolved in the next few quarters.

Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts.  For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS).  After October 2016, there will be no more CPUs for 11.5.10.

Vulnerability Breakdown

An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses.  The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS).  Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.

Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server.  With some knowledge of EBS, it may be possible to download files with the APPS database password.

EBS Version Breakdown

23 vulnerabilities are found in all versions of Oracle E-Business Suite.  The remainder are mostly specific to the different web architectures found in each version.  The following is the breakdown of the 78 vulnerabilities by EBS version --

11.5.10 12.0.x 12.1.x 12.2.x 66 38 40 22

For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql.  mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages.  mod_plsql was removed from EBS starting with 12.0.  For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."

Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.

I have included 12.0.x in the listing of versions to show even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.

January 2016 Recommendations

As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner. 

The most at risk implementations are those running Internet facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.) and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.   These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.

If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

EBS 11i mod_plsql Mitigation

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Critical Patch Update January 2016 E-Business Suite Analysis

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk

First, this CPU with 78 EBS security fixes has 10x the number of EBS security fixes than an average CPU.  For the previous 44 CPUs released since 2005, an average of 7.5 security bugs are fixed per quarter for EBS.  Second, there are a significant number of SQL injection and other high risk bugs, such as the ability to read arbitrary files from the EBS applications servers.  Third, the security bugs are in a wide-range of over 30 technical and functional modules, therefore, every EBS implementation is at significant risk.  Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Interface-facing self-service modules.

Integrigy is credited with discovering 40 of the security bugs fixed this quarter.  We have additional security bugs open with Oracle which we except to be resolved in the next few quarters.

Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts.  For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS).  After October 2016, there will be no more CPUs for 11.5.10.

Vulnerability Breakdown

An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses.  The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS).  Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.

Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server.  With some knowledge of EBS, it may be possible to download files with the APPS database password.

EBS Version Breakdown

23 vulnerabilities are found in all versions of Oracle E-Business Suite.  The remainder are mostly specific to the different web architectures found in each version.  The following is the breakdown of the 78 vulnerabilities by EBS version:

11.5.10    12.0.x    12.1.x    12.2.x
66         38        40        22

For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql.  mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages.  mod_plsql was removed from EBS starting with 12.0.  For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."

Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.

I have included 12.0.x in the listing of versions to show that, even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.

January 2016 Recommendations

As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner. 

The most at-risk implementations are those running Internet-facing self-service modules (e.g., iStore, iSupplier, iSupport), and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.  These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS-specific instructions and the EBS URL Firewall is enabled and optimized.

If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

EBS 11i mod_plsql Mitigation

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script $FND_TOP/patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

Tags: Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

OAMConsole : 404 Page not found for /oamconsole in Oracle Access Manager 11gR2

Online Apps DBA - Wed, 2016-01-20 04:52
This entry is part 4 of 5 in the series Oracle Access Manager

This post covers an issue encountered by one of our trainees in our Oracle Access Manager 11gR2 Training / Workshop (training starts on 31st January, 2016; a discount of 200 USD is available till 23rd of January, 2016, apply coupon code A200OFF) where /oamconsole was not working. (We provide a dedicated machine to practice hands-on during the OAM training.)

OAM Console (/oamconsole) is an application to manage Oracle Access Manager Configuration that gets deployed on WebLogic’s Admin Server (when you configure OAM Server). You access OAM Console from http://WebLogicAdminServerHost:AdminPort/oamconsole

Error:

While accessing oamconsole at http://<host>:<port>/oamconsole, the error displayed on screen was “404 Page Not Found”:

____

Error 404–Not Found
From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
_____

Root Cause :

If you hit issues like this, check the status of oam_admin under Deployments in the WebLogic Console, /console (another application that gets deployed when you create a WebLogic domain).

In my case, the deployment of the oam_admin application was in Admin state, hence /oamconsole was not accessible. To find out the root cause of the oam_admin application being in Admin state, look at the Admin Server log file and possibly try starting the application from the console (check the fix below). In my case, the server was hitting the maximum number of open connections, so I increased the limit on the number of open connections on the server.

Fix:

Check status of deployment in WebLogic Server Console

Select application and click on Start -> Servicing All applications

If you want to learn more or wish to discuss challenges you are hitting in an Oracle Access Manager implementation or OAM integration with Oracle E-Business Suite (R12.1/12.2), register for our Oracle Access Manager Training (next batch starts on 31st January, 2016 – register before 23rd Jan and get a discount of 200 USD, apply coupon code A2OFF).

We are so confident in the quality and value of our training that we provide a 100% money-back guarantee, so in the unlikely case of you not being happy after 2 sessions, just drop us a mail before the third session and we'll refund the money in FULL.

We provide a dedicated machine on cloud to practice OAM implementation, including integration with E-Business Suite, and recordings of the live interactive trainings for lifetime access.

The post OAMConsole : 404 Page not found for /oamconsole in Oracle Access Manager 11gR2 appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

Oracle Database Critical Patch Update (CPU) Planning for 2016

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle Database.  The CPUs are only available for certain versions of the Oracle Database; therefore, advance planning is required to ensure supported versions are being used, and mitigating controls may be required when the CPUs can not be applied in a timely manner.

CPU Supported Database Versions

As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  The final CPU for 12.1.0.1 will be July 2016.  11.2.0.4 will be supported until October 2020 and 12.1.0.2 will be supported until July 2021.

11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015. 

Database CPU Recommendations
  1. When possible, all Oracle databases should be upgraded to 11.2.0.4 or 12.1.0.2.  This will ensure CPUs can be applied through at least October 2020.
     
  2. [12.1.0.1] New databases or application/database upgrade projects currently testing 12.1.0.1 should immediately look to implement 12.1.0.2 instead of 12.1.0.1, even if this will require additional effort or testing.  With the final CPU for 12.1.0.1 being July 2016, unless a project is implementing in January or February 2016, we believe it is imperative to move to 12.1.0.2 to ensure long-term CPU support.
     
  3. [11.2.0.3 and prior] If a database can not be upgraded, the only effective mitigating control for many database security vulnerabilities is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using valid node checking, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.  Direct database access is required to exploit database security vulnerabilities and most often a valid database session is required.
     

Regardless of whether security patches are regularly applied, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all Oracle databases.

Tags: Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite Critical Patch Update (CPU) Planning for 2016

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack.  The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database; therefore, advance planning is required to ensure supported versions are being used, and mitigating controls may be required when the CPUs can not be applied in a timely manner.

For 2016, CPUs for Oracle E-Business Suite will become a significant focus as a large number of security vulnerabilities for the Oracle E-Business Suite will be fixed.  The January 2016 CPU for the Oracle E-Business Suite (EBS) will include 78 security fixes for a wide range of security bugs with many being high risk such as SQL injection in web facing self-service modules.  Integrigy anticipates the next few quarters will have an above average number of EBS security fixes (average is 7 per CPU since 2005).  This large number of security bugs puts Oracle EBS environments at significant risk as many of these bugs will be high risk and well publicized.

Supported Oracle E-Business Suite Versions

Starting with the April 2016 CPU, only 12.1 and 12.2 will be fully supported for CPUs moving forward.  11.5.10 CPU patches for April 2016, July 2016, and October 2016 will only be available to customers with an Advanced Customer Support (ACS) contract.  There will be no 11.5.10 CPU patches after October 2016.  CPU support for 12.0 ended as of October 2015.

11.5.10 Recommendations
  1. When possible, the recommendation is to upgrade to 12.1 or 12.2.
  2. Obtaining an Advanced Customer Support (ACS) contract is a short term (until October 2016) solution, but is an expensive option.
  3. An alternative to applying CPU patches is to use Integrigy's AppDefend, an application firewall for Oracle EBS, in proxy mode which blocks EBS web security vulnerabilities.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script $FND_TOP/patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.
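
The Apache log review recommended here, and in the "EBS 11i mod_plsql Mitigation" section of the January 2016 CPU analysis, can be scripted before the allowed-page list is tightened. The following is an added example, not Integrigy's or Oracle's code: it tallies the mod_plsql pages actually served and flags any that a list of enabled names would block. The log lines, the XX_DEMO names, the PROD DAD, and the one-name-per-line export of FND_ENABLED_PLSQL (where an entry may be a package or a package.procedure) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log format: quoted request line, then the status code.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})\b')
# mod_plsql URL shape: /pls/<DAD>/<procedure>, usually package.procedure
PLS_RE = re.compile(r"^/pls/([^/]+)/([^/]+)", re.IGNORECASE)

# Constructed sample access log lines (not taken from a real system).
SAMPLE_LOG = """
10.0.0.5 - - [12/Jan/2016:09:14:02 -0500] "GET /pls/PROD/xx_demo_home.show HTTP/1.1" 200 5120
10.0.0.5 - - [12/Jan/2016:09:14:09 -0500] "GET /pls/PROD/xx_demo_home.show?p_lang=US HTTP/1.1" 200 5033
10.0.0.8 - - [12/Jan/2016:09:20:41 -0500] "POST /pls/PROD/xx_demo_report.run HTTP/1.1" 200 880
10.0.0.9 - - [12/Jan/2016:09:31:17 -0500] "GET /pls/PROD/XX_DEMO_LEGACY.export%5Fcsv HTTP/1.1" 200 120
203.0.113.7 - - [12/Jan/2016:10:02:55 -0500] "GET /pls/PROD/xx_probe.none HTTP/1.1" 404 312
10.0.0.5 - - [12/Jan/2016:10:05:00 -0500] "GET /OA_HTML/xx_demo.jsp HTTP/1.1" 200 7012
"""

# Constructed sample of enabled names, assumed exported one per line.
SAMPLE_ENABLED = ["XX_DEMO_HOME", "xx_demo_report.run", "XX_DEMO_UNUSED"]


def used_pages(log_lines):
    """Return (served, rejected) Counters keyed by upper-cased procedure name.

    served   = requests answered with a status below 400
    rejected = 4xx/5xx responses (probes, typos, pages already blocked)
    """
    served, rejected = Counter(), Counter()
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        # Drop the query string, then decode %xx so encoded names still match.
        path = unquote(req.group(1).split("?", 1)[0])
        page = PLS_RE.match(path)
        if not page:
            continue  # not a mod_plsql request
        name = page.group(2).upper()  # PL/SQL names are case-insensitive
        (served if int(req.group(2)) < 400 else rejected)[name] += 1
    return served, rejected


def covered(name, enabled):
    """A page is allowed if it, or the package that owns it, is listed."""
    return name in enabled or name.rsplit(".", 1)[0] in enabled


def review(log_lines, enabled_names):
    """Compare pages in use against the enabled list."""
    enabled = {n.strip().upper() for n in enabled_names if n.strip()}
    served, rejected = used_pages(log_lines)
    # Pages users rely on today that the enabled list would block.
    would_break = {p: c for p, c in served.items() if not covered(p, enabled)}
    # Enabled entries with no successful traffic: candidates to disable.
    unused = sorted(e for e in enabled
                    if not any(p == e or p.startswith(e + ".") for p in served))
    return {"served": dict(served), "rejected": dict(rejected),
            "would_break": would_break, "unused": unused}


if __name__ == "__main__":
    report = review(SAMPLE_LOG.strip().splitlines(), SAMPLE_ENABLED)
    for section, value in report.items():
        print(section, value)
```

Run it over a log window long enough to cover month-end and year-end processing, since pages used only in those cycles will otherwise look unused.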

12.0 Recommendations
  1. As no security patches are available for 12.0, the recommendation is to upgrade to 12.1 or 12.2 when possible.
  2. If upgrading is not feasible, Integrigy's AppDefend, an application firewall for Oracle EBS, provides virtual patching for EBS web security vulnerabilities as well as blocks common web vulnerabilities such as SQL injection and cross-site scripting (XSS).  AppDefend is a simple to implement and cost-effective solution when upgrading EBS is not feasible.

12.1 Recommendations
  1. 12.1 is supported for CPUs through October 2019 for implementations where the minimum baseline is maintained.  The current minimum baseline is the 12.1.3 Application Technology Stack (R12.ATG_PF.B.delta.3).  This minimum baseline should remain consistent until October 2019, unless a large number of functional module specific (i.e., GL, AR, AP, etc.) security vulnerabilities are discovered.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).

12.2 Recommendations
  1. 12.2 is supported for CPUs through July 2021 as there will be no extended support for 12.2.  The current minimum baseline is 12.2.3 plus roll-up patches R12.AD.C.Delta.7 and R12.TXK.C.Delta.7.  Integrigy anticipates the minimum baseline will creep up as new RUPs (12.2.x) are released for 12.2.  Your planning should anticipate the minimum baseline will be 12.2.4 in 2017 and 12.2.5 in 2019 with the releases of 12.2.6 and 12.2.7.  With the potential release of 12.3, a minimum baseline of 12.2.7 may be required in the future.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).

EBS Database Recommendations
  1. As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015.  The final CPU for 12.1.0.1 will be July 2016.
  2. When possible, all EBS environments should be upgraded to 11.2.0.4 or 12.1.0.2, which are supported for all EBS versions including 11.5.10.2.
  3. If database security patches (SPU or PSU) can not be applied in a timely manner, the only effective mitigating control is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using the EBS feature Managed SQLNet Access, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.
  4. Regardless of whether security patches are regularly applied, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all EBS databases.

Tags: Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs
