0-day Vulnerabilities on
Oracle E-Business Suite
Suraj Khetani
Regional Associate Security Consultant
Gulf Business Machines
#uname -a
• Security Consultant/Penetration tester
• Former Hip-hop Dance instructor
• Fitness Enthusiast
• Cricket lover; Played for UAE under-14
• Learner
Topics
• Oracle EBS Overview
• Attack surface
• Overview of the vulnerability
• Details about the vulnerabilities
• How they were found
• Issue with Design
• Issues found with WAF
• Mitigating the vulnerabilities with and without a WAF
E-Business Suite
Overview
• Suite of business applications such as ERP, CRM, SCM
• Processes data for HR, Finance, etc.
• Used by medium to large enterprises
• Oracle claims they have a robust security program
• Huge attack surface!!!
Attack Surface
• 10,000 JSPs
• 4,000 HTML forms
• Multiple other file types such as XML, DTD, etc.
• Oracle EBS application has 40 default user accounts.
• Oracle EBS database has 300 default user accounts.
• The number of default accounts increases with every new module.
Vulnerability Overview
• OWASP Top 10 - Missing Function Level Access Control/Broken Access Controls
• Ability to access JSPs, forms and XML files without authentication
• 21 vulnerabilities on EBS in the October CPU (Critical Patch Update).
• Found 12 of the 14 remotely exploitable vulns
Vulnerability Details
• Unauthenticated access to create, delete, modify data
• Components affected:
• Oracle Shipping Execution (subcomponent: Workflow Events)
• Oracle Common Applications Calendar (subcomponent: Resources Module)
• Oracle One-to-One Fulfillment (subcomponent: File Upload)
• Oracle Interaction Center Intelligence (subcomponent: Select Application Dependencies)
• Oracle Email Center (subcomponent: Dispatch/Service Call Requests)
• Oracle CRM Technical Foundation (subcomponent: Responsibility Management)
• Oracle Customer Interaction History (subcomponent: Outcome-Result, Result-Reason, and Outcome-Result)
• Oracle CRM Technical Foundation (subcomponent: Default Responsibility)
CVEs
• CVE-2016-5532, CVE-2016-5575, CVE-2016-5583,
CVE-2016-5585, CVE-2016-5586, CVE-2016-5587,
CVE-2016-5589, CVE-2016-5591, CVE-2016-5592,
CVE-2016-5593, CVE-2016-5595, CVE-2016-5596
Advisory
• CVE-2016-5587 - Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Outcome-Result). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.
• Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4.
• CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Advisory
• CVE-2016-5589 - Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Responsibility Management). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle CRM Technical Foundation accessible data as well as unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data.
• Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6.
• CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Screenshots
Screenshots (David Litchfield)
How I found them
• Live Demo
Product Design Issue
• Default user account: GUEST.
• Anonymous user = GUEST privilege.
• The GUEST account is authorized to access any servlets meant to be used by authenticated users.
Broken Access Controls vs WAF
• WAFs have the ability to block broken access controls
• Successfully blocked the 0-days on EBS
• Did not block files with extensions HTML, XML, DTD, etc.
WAF Blocking the Vuln
Remediation
• Apply patches
• Remove unwanted/unused servlets, forms, etc.
• Fine-tune WAFs to block unauthenticated access to files other than JSP, such as HTML and XML
• Identify default user accounts and change their passwords
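As an added example (not from the slides or from Oracle), the two policy styles the WAF and Remediation sections contrast, modelled in Python: an extension-based rule that only denies anonymous requests to JSPs (so HTML, XML and DTD pass through), beside a default-deny rule that treats the GUEST principal as anonymous and allows only an explicit set of public paths. The request model, the principal names and the allowlisted paths are assumptions for illustration, not EBS internals.

```python
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    path: str                   # request-URI as seen by the gateway/WAF
    principal: Optional[str]    # app user the session resolves to; None = no session


# Assumed public entry points an anonymous visitor legitimately needs
# (placeholders: adjust to your deployment).
ANON_ALLOW_PATHS = {"/oa_html/appslogin", "/oa_html/appslocallogin.jsp"}
ANON_ALLOW_PREFIXES = ("/oa_html/cabo/", "/oa_media/")


def canonical_path(raw: str) -> str:
    """Drop the query string, collapse '.' and '..' segments, lowercase."""
    path = urlsplit(raw).path or "/"
    return normpath(path).lower()


def is_anonymous(req: Request) -> bool:
    # The design issue from the deck: an anonymous visitor runs as GUEST, so
    # GUEST must count as unauthenticated, not as a logged-in user.
    return req.principal is None or req.principal.upper() == "GUEST"


def weak_policy(req: Request) -> str:
    """Extension blocklist: denies anonymous access to .jsp only (what the deck
    observed the WAF doing). HTML/XML/DTD requests are never examined."""
    path = canonical_path(req.path)
    if is_anonymous(req) and path.endswith(".jsp") and path not in ANON_ALLOW_PATHS:
        return "deny"
    return "allow"


def hardened_policy(req: Request) -> str:
    """Default deny for anonymous requests regardless of file type; only the
    explicit allowlist is reachable without a real session."""
    path = canonical_path(req.path)
    if not is_anonymous(req):
        return "allow"
    if path in ANON_ALLOW_PATHS or path.startswith(ANON_ALLOW_PREFIXES):
        return "allow"
    return "deny"


# Constructed sample requests; file names are made up, not real EBS endpoints.
SAMPLES = [
    Request("/OA_HTML/AppsLogin?lang=US", None),
    Request("/OA_HTML/example_report.jsp?x=1", None),
    Request("/OA_HTML/example_form.html", None),
    Request("/OA_HTML/config/app.xml", "GUEST"),
    Request("/OA_HTML/cabo/styles/x.css", None),
    Request("/OA_HTML/example_form.html", "ALICE"),
]


def compare(samples=SAMPLES):
    """Return (path, principal, weak decision, hardened decision) per sample."""
    return [(r.path, r.principal, weak_policy(r), hardened_policy(r)) for r in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-40s %-8s weak=%-5s hardened=%s" % row)
```

Rows three and four are the gap the deck describes: the extension rule lets the anonymous HTML and the GUEST XML request through, while the default-deny rule blocks both and still serves the login page and static assets.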
Questions?
Securing broken access controls on Oracle E-business suite