Security report r12.2


satish
Dear Erman,

Our ERP is on the intranet. No DMZ.

These issues were identified against the ERP URL. Can you please suggest what can be done to address these reported security issues?

1) Browser cache weakness
Description: Browsers can store information for purposes of caching and history. Caching is used to improve performance, so that previously displayed information doesn't need to be downloaded again. History mechanisms are used for user convenience, so the user can see exactly what they saw at the time when the resource was retrieved. If sensitive information is displayed to the user (such as their address, credit card details, Social Security Number, or username), then this information could be stored for purposes of caching or history, and therefore be retrievable by examining the browser's cache or by simply pressing the browser's "Back" button.
Impact: The attacker can use the back button to crawl through the pages the victim has visited previously.

2) Insufficient Anti-Automation
Description: Insufficient anti-automation is when a web site permits an attacker to automate a process that should only be performed manually. Certain web site functionalities should be protected against automated attacks.
Impact: Attackers could repeatedly exercise web site functionality attempting to exploit or defraud the system. An automated robot could potentially execute thousands of requests a minute, causing potential loss of performance or service.

3) Improper Input Validation
Description: The application fails to validate user-supplied parameters against random data, including special characters such as ( ' " < # > ) \%
Impact: Further malicious attacks such as injection attacks or input tampering attacks are possible.
 
Thank You
 
 

Re: Security report r12.2

ErmanArslansOracleBlog
Administrator
Check the EBS Oracle E-Business Suite Security Guide:
"https://docs.oracle.com/cd/E26401_01/doc.122/e22952/toc.htm"

Check the latest CPU doc as well ->
Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2021) (Doc ID 2759182.1)

Other than that, you need to analyze the vulnerabilities one by one and check if we have a fix for them or not.. But! there is no standard fix for every vulnerability.. For instance, we don't have a captcha (as far as I know), so you may do some custom enhancements or configurations (like putting a frontend server in front of the EBS and integrating the login, e.g. implementing OAM - SSO etc..) to support the required fixes..

Re: Security report r12.2

satish
Thanks Erman, verified but could not see "Browser cache weakness" in the guide.. I think this vulnerability is outside of the ERP.. Any idea?

Thanks

Re: Security report r12.2

ErmanArslansOracleBlog
Administrator
Can't you just take actions on the client side for this?

It is not documented for EBS.. I don't think it is applicable in standard ways..
There should be a special header named Cache-Control in the responses, so you may implement it by using a load balancer or reverse proxy, but it will be a little adventure..

Something like;

Header set Cache-Control "no-cache, no-store, must-revalidate"
How to Add Cache-control and "Pragma: no-cache" headers on Oracle HTTP Server (Doc ID 2274034.1)

Maybe you can add those directives to the Oracle HTTP Server of EBS, but as I said this is not documented, so it is a little challenge, and your conf. will be unsupported if you do manual conf in standard component configuration files.. In addition to that, if you modify the Apache/Oracle HTTP Server conf and set that Cache-Control, you need to test your EBS well enough to ensure that nothing gets broken.
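Whichever component ends up emitting the header (Oracle HTTP Server, a load balancer or a reverse proxy in front of EBS), the finding only closes if the responses for sensitive pages actually carry the right directives. The script below is an added example, not code from this thread or from Oracle: it takes a dictionary of response headers (as you would get from a browser's developer tools or a proxy log) and reports what is still missing. The header values and the `BEFORE_HEADERS`/`AFTER_HEADERS` samples are constructed for illustration; the expected directives follow the `Header set Cache-Control "no-cache, no-store, must-revalidate"` line above plus the `Pragma: no-cache` and `Expires` headers that Doc ID 2274034.1's title refers to.

```python
"""Check HTTP response headers for the "Browser cache weakness" finding.

Added example (not from the thread or from Oracle). It decides whether a
response tells the browser not to store a page. Sample headers below are
constructed for illustration.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

# Directives a sensitive page should carry. "no-store" is the one that forbids
# writing the response to disk; "no-cache" alone only forces revalidation and
# would still leave a copy reachable through the Back button. Pragma and
# Expires cover HTTP/1.0 clients and older intermediaries.
#
# Equivalent Apache/OHS directives (what the thread suggests, labelled here as
# an assumption about the final configuration):
#   Header set Cache-Control "no-cache, no-store, must-revalidate"
#   Header set Pragma "no-cache"
#   Header set Expires "0"
REQUIRED_CACHE_CONTROL = {"no-store", "no-cache", "must-revalidate"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}, lower-cased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def expires_in_past(value: str) -> bool:
    """True if an Expires value disables caching ("0", "-1" or a past date)."""
    if value.strip() in ("0", "-1"):
        return True
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False  # unparseable dates are treated as a finding
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def check_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return the list of problems; an empty list means the page is not cacheable."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems: List[str] = []

    cc = parse_cache_control(lower.get("cache-control", ""))
    missing = REQUIRED_CACHE_CONTROL - set(cc)
    if missing:
        problems.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    if cc.get("max-age") not in (None, "0"):
        problems.append(f"Cache-Control max-age={cc['max-age']} allows reuse")
    if "public" in cc:
        problems.append("Cache-Control public allows shared caches to store the page")

    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing (HTTP/1.0 clients)")

    if "expires" not in lower:
        problems.append("Expires header missing")
    elif not expires_in_past(lower["expires"]):
        problems.append(f"Expires '{lower['expires']}' is in the future or unparseable")
    return problems


# Constructed samples: a typical default response and one after the directives.
BEFORE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "private, max-age=600",
}
AFTER_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        issues = check_cache_headers(hdrs)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the headers of a page that shows personal data (not the static images or JavaScript, which you normally want cached) before and after changing the configuration; an empty problem list for the sensitive page, together with the regression test of EBS itself that Erman mentions, is the evidence the report's first item needs.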