Sunday, June 11, 2017

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,
We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services:

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY


Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update


 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL

1 comment:

Jeffrey T. Hare, CPA CISA CIA said...

For those that have read and followed this blog post today (just posted last night), this has been the most widely viewed blog (in the first 24 hours) I have written. Am guessing that means that it has been circulated throughout Oracle. If that is the case, we look forward to any feedback they have and would glad post their analysis.

Jeffrey T. Hare, CPA CISA CIA