Wednesday, April 27, 2011

EnterpriseOne Security Vulnerability

Usually when Oracle sends out their quarterly Critical Patch Update Advisory it is chock full of vulnerabilities for the Oracle database, Solaris or Java, but nothing for EnterpriseOne. This time, however...

Oracle has reported that a security vulnerability exists for EnterpriseOne.

The starting point for the security notice is here: but I have to caution that you will click no fewer than five links to finally get to the document that reveals... absolutely nothing about the vulnerability. The PDF is here: and lists eight Security Vulnerability IDs, all of which state:

"Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Enterprise Infrastructure SEC). Supported versions that are affected are 8.9 GA through and OneWorld Tools through 24.1.3. Difficult to exploit vulnerability allows successful unauthenticated network attacks via TCP/IP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some JD Edwards EnterpriseOne Tools accessible data as well as read access to a subset of JD Edwards EnterpriseOne Tools accessible data and ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools."

Repeated efforts through GSS to determine the exact reason for the security issue did not yield the root cause. They simply will not tell you. Since the suggested remedy (updating the Tools Release level) is non-trivial, we think it is important for Oracle to clarify the rather vague description so that customers have better information on which to base their cost-benefit analysis for a Tools update.

I don't think Oracle quite understands that applying a "patch" for E1 is not quite as simple as applying a patch for Solaris or the Oracle DB.