Recently I came across a post in one of the LinkedIn groups in which someone described discovering the APPS password being displayed in clear text in Oracle E-Business Suite 12.1.3 when compiling Oracle Forms with either the adpatch or adadmin utility. The person had an SR open with Oracle Support on the issue, and Support provided a patch to resolve it. Thankfully he shared the patch number with everyone.
It seems that this security flaw was fixed some time back, but some other set of patches must have broken the fix. I decided to test in a sandbox environment to see if we were suffering from this too. Sure enough, I found that we were!
To test this I went into the adadmin utility and chose the 'Generate form files' option for the FND module. While this was running I ran ps in another PuTTY session to monitor the Linux processes. Sure enough, as soon as form files started getting generated I could see the password. Yikes!
$ ps -eo command | grep frmcmp
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDATFUN.fmb userid=APPS/APPS output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDATFUN.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDATHIR.fmb userid=APPS/APPS output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDATHIR.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDATREP.fmb userid=APPS/APPS output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDATREP.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDATTCH.fmb userid=APPS/APPS output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDATTCH.fmx module_type=form batch=yes compile_all=special
The patch that fixes this issue is 22879584: Fix for Bug 22879584. The patch updates a single file, $AD_TOP/lib/aiogfm.o, and the version it delivers is one higher than the version in my environment, so the $Header string is an easy way to tell whether a system has the fix.
#Before Patch
$ strings -a $AD_TOP/lib/aiogfm.o | grep '$Header'
$Header: aiogfm.lc 120.6.12010000.5 2014/02/06 18:25:58 mkumandu ship $

#After Patch
$ strings -a $AD_TOP/lib/aiogfm.o | grep '$Header'
$Header: aiogfm.lc 120.6.12010000.6 2016/07/15 08:57:33 mkumandu ship $
I applied the patch to my sandbox environment and tested generating Oracle Forms for the FND module again. This time no username/password is displayed when looking at the running processes; the userid= argument is gone from the frmcmp_batch command line altogether.
$ ps -eo command | grep frmcmp
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/ALRSSRAI.fmb output_file=/ua01/appl/alr/12.0.0/forms/US/ALRSSRAI.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDADDSQ.fmb output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDADDSQ.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/APPTREE.fmb output_file=/ua01/appl/fnd/12.0.0/forms/US/APPTREE.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDADDTC.fmb output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDADDTC.fmx module_type=form batch=yes compile_all=special
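The two checks above (scanning the process list for a leaked userid, and reading the aiogfm.o $Header to see whether the system is at the patched level) folded into one POSIX shell script. This is an added example, not code from the original post or from Oracle. The process listing it runs against is constructed from the output shown above; the function names, and the assumption that only the last dotted component of the version needs comparing, are mine.

```shell
#!/bin/sh
# Added example: detect frmcmp_batch invocations that expose USER/PASSWORD
# on the command line, and check whether aiogfm.o is at the patched level.
# Function names and the sample listing are assumptions, not from the post.

# Constructed sample of `ps -eo command` output: one leaking (pre-patch)
# invocation, one patched invocation with no userid=, one unrelated process.
SAMPLE_PS='/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDATFUN.fmb userid=APPS/APPS output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDATFUN.fmx module_type=form batch=yes compile_all=special
/ua01/product/10.1.2/bin/frmcmp_batch module=/ua01/appl/au/12.0.0/forms/US/FNDADDSQ.fmb output_file=/ua01/appl/fnd/12.0.0/forms/US/FNDADDSQ.fmx module_type=form batch=yes compile_all=special
/usr/sbin/sshd -D'

# leaked_userids: read a process listing on stdin and print
# "<form file> <user>" for every frmcmp_batch line whose userid= argument
# is in USER/PASSWORD form.  The password itself is never printed.
leaked_userids() {
    awk '
        /frmcmp_batch/ {
            mod = ""; uid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^module=/) { mod = $i; sub(/^module=/, "", mod); sub(/.*\//, "", mod) }
                if ($i ~ /^userid=/) { uid = $i; sub(/^userid=/, "", uid) }
            }
            # A bare USER, or no userid= at all (post-patch), is not a leak.
            if (uid ~ /\//) {
                split(uid, parts, "/")
                print mod, parts[1]
            }
        }'
}

# count_leaks: number of leaking invocations in the listing on stdin.
count_leaks() {
    leaked_userids | wc -l | tr -d ' '
}

# aiogfm_fixed: given the $Header line from aiogfm.o, return 0 when the
# version is 120.6.12010000.6 or later (the level patch 22879584 delivers).
# Assumption: only the last dotted component differs, as in the two
# headers shown above; any other version line is treated as not fixed.
aiogfm_fixed() {
    ver=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$ver" in
        120.6.12010000.*) last=${ver##*.}; [ "$last" -ge 6 ] ;;
        *) return 1 ;;
    esac
}

# Live use on an applications-tier host (needs $AD_TOP from the EBS env):
#   ps -eo command | leaked_userids
#   strings -a "$AD_TOP/lib/aiogfm.o" | grep '$Header' | { read -r h; aiogfm_fixed "$h" && echo fixed; }
```

Run the ps scan while adadmin or adpatch is generating forms; a quiet system will never show the leak. Note that ps output is readable by every local account unless /proc is mounted with hidepid, so on an unpatched system any user with a shell on the applications tier can harvest the APPS password during a form compile.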
The patch was released around the middle of July 2016. Oracle is being vague about what the patch fixes other than a reference to bug number 22879584, which is not available for public viewing. 🙁
Oracle should make this known to its customers and I would hope the fix will be included in the next round of security patches.