Databases Reference
In-Depth Information
Table 5.1 Oracle security alerts for Oracle Applications

Oracle Security Alert Number    Vulnerable Oracle Applications Versions
32                              11.5.1-11.5.6
44                              11i
53                              10.7-11.5.8
56                              11.5.1-11.5.8
57                              11.0.x, 11.5.1-11.5.8

are approximately 15 default accounts, default passwords, and default configuration settings that must be changed or dropped. By default there is no sign-on failure limit, so password cracking is a vulnerability. Another problem that is common to most, if not all, application suites is a mismatch between the application user model and the database user model. Oracle Applications accesses the database using the APPS account; no information is passed to the database allowing it to enforce tighter controls on which data can be accessed and which operations performed. This issue is further discussed in the next section and in Chapter 6.

In Chapter 3 you learned that the database should also be viewed as a networked server and that you should address network security for your database. The same is true for packaged suites. In fact, these deployments tend to be far more complex. As an example, in a full deployment of Oracle Applications, you will normally have the ports shown in Table 5.2 to worry about.

Table 5.2 Oracle ports for Oracle Applications servers

Server                        Ports
Oracle Database Server        1521
Oracle Application Server     80, 443 and sometimes 2649, 8888 and 7777
Oracle Forms Listener         9000
Oracle WebDB Listener         2002
Oracle TCF Server             10021-10029, 15000
Oracle Report Review Agent    1526
Oracle Metric Server          9010, 9020
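
One way to put Table 5.2 to work is to audit a firewall allow-list against it. The Python sketch below is an added example, not code from the book; the trusted subnet, the choice of 80 and 443 as the only user-facing ports, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Table 5.2 from the page, as server -> port specification.
TABLE_5_2 = {
    "Oracle Database Server": "1521",
    "Oracle Application Server": "80, 443, 2649, 8888, 7777",
    "Oracle Forms Listener": "9000",
    "Oracle WebDB Listener": "2002",
    "Oracle TCF Server": "10021-10029, 15000",
    "Oracle Report Review Agent": "1526",
    "Oracle Metric Server": "9010, 9020",
}

def parse_ports(spec):
    """Expand a spec such as '10021-10029, 15000' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

PORT_OWNER = {port: server
              for server, spec in TABLE_5_2.items()
              for port in parse_ports(spec)}

# Assumptions (not from the page): end users need only 80/443, and the
# application tier lives in this constructed subnet.
USER_FACING = {80, 443}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def audit(rules):
    """rules: (source_cidr, port_spec) allow rules. Returns a list of
    (port, server, source) for suite ports open to untrusted sources."""
    findings = []
    for source, spec in rules:
        net = ipaddress.ip_network(source)
        if any(net.subnet_of(trusted) for trusted in TRUSTED_NETS):
            continue
        for port in sorted(parse_ports(spec)):
            if port in PORT_OWNER and port not in USER_FACING:
                findings.append((port, PORT_OWNER[port], source))
    return findings

# Constructed sample allow-list.
SAMPLE_RULES = [
    ("0.0.0.0/0", "443"),                 # user-facing web, expected
    ("0.0.0.0/0", "1521"),                # database listener open to all
    ("10.20.0.0/24", "1521"),             # app tier to database, expected
    ("192.168.5.0/24", "10021-10029"),    # TCF range from an unlisted subnet
    ("0.0.0.0/0", "22"),                  # not a Table 5.2 port, ignored
]

if __name__ == "__main__":
    for port, server, source in audit(SAMPLE_RULES):
        print(f"{server} port {port} reachable from {source}")
```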
 