December 13, 2023

Oracle Self-Service Web Applications, including Self-Service Expenses, Self-Service Human Resources, Internet Procurement, Internet Receivables, Self-Service Time, Web Suppliers, iStore, iPayment, iSupport, and iMarketing from Oracle, extend Oracle E-Business Suite with browser-based, walk-up-and-use functionality.

These modules are designed to be accessible by users outside the company organization. They are configured as a subset of Oracle E-Business Suite functionality accessible via the Internet.

Within this functionality is the ability to make self-service account requests, commonly referred to as Self-Service Registration, and login assistance password resets, which allows individuals to request a new user account and, in the case of forgotten credentials, reset them via an automated process. Self-registration is often configured by default.

Self-registration, however, does have security implications, as external threat actors could target these account requests, attempting malicious exploits such as CVE-2022-21500, an out-of-cycle security alert for a vulnerability in the iStore self-registration pages.

Vulnerabilities within self-registration pages will generally have high CVSS (Common Vulnerability Scoring System) scores because self-registration pages can potentially be exploited remotely over HTTP without authentication.

To mitigate and protect against malicious self-service account requests, the following is recommended:

Attack Surface Reduction for Self-Registration Pages

By default, Oracle E-Business Suite provides access to non-licensed module pages; thus, it is crucial to reduce the surface area of Oracle E-Business Suite to only those application modules and web pages required.

Oracle E-Business Suite has some attack surface reduction features for Self-Service Web Applications deployed on an external node in the DMZ, which are accessible via the Internet.

  • Enable Trust Levels at the Node and Responsibility level to ensure internal applications are not exposed externally.
  • Ensure URL Firewall is enabled, creating an allowlist. URL Firewall is implemented as an allowlist (whitelist) of required URLs, and any URL request not matched in the list is refused.
  • For Oracle E-Business Suite 12.2 (and applicable 12.1 releases), use the Allowed Resources feature to disable JSP and Servlet resources not used in your environment.
  • Where Self-registration is not required, disable UMX User Registration (this can be done at the Profile option level) and suppress the Register URL link on the login page, which allows the user to perform self-service registration in User Management.
  • As complementary security to EBS features such as URL Firewall, and for increased protection, use relevant network security (firewalls/WAF URL filtering) to deny access to self-service registration pages for modules that are not licensed. For example, for CVE-2022-21500, where iStore is not licensed and in use, the mitigation was to block registration pages such as /OA_HTML/ibeCAcpSSOReg.jsp.

Best Practice Security for Self-Registration Pages

Where self-service account request and self-service login assistance functionality is required within your Oracle E-Business Suite environment, ensure that relevant best practice protection and detection processes are in place.

These recommendations include:

Quick win security checks/implementations

  • Verify that self-register and login assistance requests are redirecting correctly to the internal URL for internal users and the external URL for external users by verifying that the “Application Framework Agent” profile option is set correctly.
  • Ensure FND_DIAGNOSTICS is not enabled in the environment at the server level. If enabled, arbitrary SQL queries could potentially be executed on EBS sensitive pages such as the self-registration page.
  • Check for profile option recommendations in module implementation guides relevant to self-registrations and email notifications.
    • e.g., As per the iSupplier implementation guide, ensure that newly registered users are given only a low-level responsibility. POS: Default Responsibility for Newly Registered Supplier Users (the responsibility specified in this profile option must be flagged as external).
    • As per the iStore implementation guide, the JTA UM Application URL (JTA_UM_APPL_URL) profile option provides the name of the Oracle iStore application entry JSP, ibeCZzpHome.jsp, in the welcome notification sent to newly approved customers.
  • Within an Advanced Configuration environment, ensure that WF: Workflow Mailer Framework Web Agent (WF_MAIL_WEB_AGENT) and the HTMLAGENT parameter value in the Workflow Service Component Configuration are set accordingly to ensure HTML content for internal/external notifications is sent with the correct references.

Process Improvement

  • Oracle User Management ships with the following sample self-service registration processes:
    • Employee Self-Service Registration & Customer Self-Service Registration (external individuals)
    • As per Oracle E-Business Suite Security Guide, organizations can use these registration processes in their existing form or as references for developing their own registration processes.
    • It is recommended to look at options for a more secure custom registration process or to utilize options such as Challenge Question and/or adding personalizations to the Self Service Registration User Account Information, such as making phone numbers required to be able to validate and authenticate self-registration requests.
  • Self-service account requests utilize workflow notifications; for instance, when a user uses the Register Here link, an email is sent back with the user name and password. Look to segregate Workflow Mailer configuration by creating a dedicated workflow mailer service for password reset/external functions to ensure internal Workflow emails are not inadvertently sent to external customers.
    • e.g., Create a custom mailer by making a copy of the seeded WF Mailer and setting the relevant Correlation ID for the custom mailer, or configure the Workflow Notification Mailer to send email notifications for only one Workflow Item type per mailer, such as UMXHELP.
  • Ensure the Workflow Notification Mailer has relevant security as recommended in Workflow Administrator guides. Oracle E-Business Suite Workflow Notification Mailer can be configured to connect to the SMTP and IMAP Mail Servers through TLS protocol for enhanced security.
  • Implement Oracle E-Business Suite Non-Reversible Hashed passwords to obfuscate authentication credentials in FND_USER, where this is the master source of truth.
  • Modify Registration Text for Email Notifications and/or customize the ‘Reset Password’ Email Notification to ensure notifications are coming from the correct system (including internal cloned environments).
    • Note that the messages of the notifications, depending on the E-Business Suite version, have moved from the actual Workflow to FND messages.
  • Set up multiple approvers for self-service account requests and remove/reduce the proxy user authentication.
    • Introduced in R12 for User Management (UMX) proxy user functionality, Proxy User Authentication allows a user to delegate some of his capabilities to another user without sharing a password.

    It is recommended to:

    a) Disable Manage Proxies/Configure Proxy Delivery To Specific Role/Responsibility

    or

    b) Hide The Manage Proxies Homepage (Attack Surface Reduction)

Audit Checks

  • Audit workflows associated with self-service registration and login assistance processes for suspicious activity.

    e.g. User Management uses workflow types such as UMXHELP for password reset, UMXUPWD for forgot password, and UMXREGWF for UMX Registration, amongst others, to drive the registration process. Audit workflows with these Workflow Item types, ensuring the approvals are working as expected.

  • Review the Oracle HTTP Server access logs to determine if self-registration pages have been accessed suspiciously. For instance, if there are multiple requests at the same time, this could indicate a denial of service attempt.
  • Audit self-registration user requests for malicious looking usernames/email addresses.

    e.g. SQL queries can be performed on tables such as the UMX_REG_REQUESTS table, which stores information about registration requests, and/or product-specific tables such as the Supplier Registrations table POS_SUPPLIER_REGISTRATIONS.

    e.g. For CVE-2022-21500, a user request was made for JWICK, John Wick, with email address domain @bvhrk.com which was associated with a spam/bot domain.
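
One way to run the access-log review described above, as an added example that is not part of the original article or any Oracle tooling. It assumes the Oracle HTTP Server writes the Apache common/combined log format with entries in time order; the threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pages to watch; ibeCAcpSSOReg.jsp is the one named in this article. Extend per environment.
WATCHED = ("/OA_HTML/ibeCAcpSSOReg.jsp",)

# Common log format: host ident user [time] "METHOD uri proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" \d{3} ')

def parse(line):
    """Return (ip, timestamp, path) for a hit on a watched page, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, raw_ts, uri = m.groups()
    # Drop the query string and any ;jsessionid path parameter before matching.
    path = uri.split("?", 1)[0].split(";", 1)[0]
    if path not in WATCHED:
        return None
    return ip, datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each client IP that made >= threshold watched-page requests
    inside one sliding window to the peak count seen in that window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ip, ts, _path in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample lines using documentation IP ranges (not from a real system).
SAMPLE = [
    f'203.0.113.7 - - [13/Dec/2023:10:00:{s:02d} +0000] "POST /OA_HTML/ibeCAcpSSOReg.jsp HTTP/1.1" 200 512'
    for s in range(8)
] + [
    '198.51.100.4 - - [13/Dec/2023:10:00:03 +0000] "GET /OA_HTML/ibeCAcpSSOReg.jsp?x=1 HTTP/1.1" 200 900',
    '198.51.100.4 - - [13/Dec/2023:10:05:03 +0000] "GET /OA_HTML/constructed_other.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Flagged addresses are a starting point for review; correlate them with the registration requests and workflow items created in the same time range.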

Outside Oracle E-Business Suite/Integrated Product configuration

  • Look to provide an additional layer of security, such as Multifactor Authentication (MFA).

    Oracle E-Business Suite doesn’t have out-of-the-box functionality that provides features such as two-factor authentication or OTP authentication unless integrated with Oracle Access Manager and Oracle Adaptive Access Manager; thus, this will require an additional application layer.

  • For SSO enabled environments, look to configure necessary safeguards not to provision Oracle E-Business Suite registration requests to the LDAP until all necessary due diligence and approvals have been performed.