Oracle Supplier Network and Transport Layer Security (TLS) Support
(Doc ID 1943414.1)
Last updated on MAY 03, 2021
Applies to:
Oracle Supplier Network - Version 5.1 and later
Oracle Purchasing - Version 11.5.10 and later
Information in this document applies to any platform.
Oracle Supplier Network (OSN) is a cloud-based supplier registration and messaging service provided to Oracle customers and their trading partners. For example, organizations can use OSN to automate transmission of important business documents, such as purchase orders and invoices, with their trading partners. The OSN service is hosted at http://osn.oracle.com/.
This announcement is published to alert OSN trading partners of a security vulnerability affecting Secure Socket Layer (SSL) v3.0 that was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or "Poodle"). This vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect Transport Layer Security (TLS) and is limited to SSL 3.0, which is generally considered an obsolete protocol.
On 30-Oct-2014, OSN development communicated this information to OSN trading partners via email, and an alert was also posted for users to see upon logging in to OSN. Following this announcement, a number of trading partners experienced intermittent message delivery outages between 01-Nov-2014 and 08-Nov-2014. Initially, the trading partners who had promptly updated their systems to disable SSL v3.0 for inbound message delivery were unable to receive documents sent from their trading partners through OSN. This was due to a delay in adopting the TLS protocol in OSN: messages were still being sent using the SSL v3.0 protocol, which those trading partners no longer accepted. The OSN engineering team worked to resolve the issue promptly and provided an initial fix on 03-Nov-2014. To avoid a repeat of this type of issue in the future, the OSN team will work to provide more accurate timetable details when requesting trading partners to make configuration changes to their connection method for OSN.
After delivering this fix, a number of supplier trading partners subsequently found they were unable to receive inbound documents from their buyer trading partners. This issue was caused by factors related to the OXTA changes. The OSN team were able to rectify this problem, and a follow-up patch was issued on 08-Nov-2014. To avoid a repeat of this type of issue in the future, the OSN team has reviewed internal testing protocols and plans to make some improvements to the existing procedures.
No new issues related to the SSL v3.0 protocol change have since been reported. The OSN team regrets any inconvenience caused by the document delivery outage. The latest information about the activities related to this vulnerability is provided in this document <Note:1943414.1>.
The following table illustrates the dates for each protocol's support for OSN transactions (incoming and outgoing), for both OSN Test and OSN Production:
| |SSL Protocol - OSN Test|TLS Protocol - OSN Test|SSL Protocol - OSN Prod|TLS Protocol - OSN Prod|
|---|---|---|---|---|
|(sent from OSN to application)|Disabled as of 06-Nov-2014|Enabled on 06-Nov-2014|Disabled as of 06-Nov-2014|Enabled on 06-Nov-2014|
|(sent from application to OSN)|Disabled as of 16-Feb-2015|Enabled on 06-Nov-2014|Disabled as of 24-Aug-2015|Enabled on 06-Nov-2014|
This document will be updated again with any date changes and additional information related to the issue as it becomes available.
In order to fully and successfully operate with Oracle Supplier Network, please ensure that the following tasks are performed in all environments prior to the full SSL desupport date:
1. The Oracle E-Business Suite (EBS) environment will need to be updated so that it is compatible with TLS protocol, and it is very highly recommended to disable use of the SSLv3 protocol. <Note:1935500.1> "SSL Poodle Vulnerability (CVE-2014-3566)" points to http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html and this page has the information for each product affected by the vulnerability. Please follow the instructions from this document to ensure the migration from SSLv3 to TLS is completed. In particular, pay attention to the following note which is mentioned in the document for Oracle E-Business Suite: <Note:1937646.1> "CVE-2014-3566 - Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite".
2. As part of <Note:1937646.1>, a patch for product Oracle XML Gateway is required. The patch information is as follows:
- Release 11.5.10 requires <Patch 21610285> "1OFF:11.5.10:CVE-2014-3566 POODLE: XML GATEWAY AND SSLV3 VULNERABILITY"
- Release 12.0 requires <Patch 20488329>:R12.ECX.A "Fix for Bug 20488329"
- Release 12.1 requires <Patch 19909850>:R12.ECX.B "1OFF:12.1.3:CVE-2014-3566 POODLE: XML GATEWAY AND SSLV3 VULNERABILITY"
- Release 12.2 requires <Patch 20559497>:R12.ECX.C "Fix for Bug 20559497"
For more questions on these patches, please log a new service request with product Oracle XML Gateway.
3. Any OSN business partners (suppliers or customers) who may not be using Oracle E-Business Suite also will need to be sure they are compliant with the TLS protocol.
4. As far as the Oracle Supplier Network goes, there are no patches that you will need to install on your end. OSN patching is done only on the OSN servers. The patching and changes required for an EBS environment are addressed in points #1 and #2 immediately above.
Once the migration from SSLv3 to TLS is completed, any transactions previously sent but that did not get processed in OSN will need to be resent from Transaction Monitor in Oracle Applications, and those will now go through successfully. (Due to the nature of the issue, OSN Development is unable to retry the transaction data originally sent.)
It is highly recommended to test the TLS protocol (and disabling of SSL protocol) in OSN Test prior to the disabling of SSL in OSN Production.
Also, the OSN Development team and Oracle Security team very much discourage the use of both SSL and TLS protocols in the applications environment, due to the vulnerability mentioned above.
It is possible for the OSN transactions to fully work without having applied the EBS patch identified in solution step #2 above. The OSN development team has stated that this is possible, via Bug 20656598, and for more information please see the following blog, which describes which protocol will be used by default for different Java versions:
It is still highly recommended to apply the patch in solution step #2 above, as XML Gateway is used by many products in the E-Business Suite.
OSN currently supports TLS 1.0, TLS 1.1 and TLS 1.2, with TLS 1.2 being the preferred protocol. For more information, please see <Note:2132154.1> "Best Practices in HTTPS and Certificate Management for Oracle Supplier Network".
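The following is an added example, not part of the Oracle note or of any Oracle tooling: when testing against OSN Test as recommended above, one way to confirm what was actually negotiated is to read the ServerHello record from a packet capture of the handshake. The function names and the sample records are constructed for illustration, and the parser assumes only the protocol versions this note covers (SSL 3.0 through TLS 1.2).

```python
import struct

# Wire versions for the protocols this note discusses (SSL 3.0 through TLS 1.2).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
OSN_SUPPORTED = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}  # per this note; TLSv1.2 preferred


def negotiated_version(record: bytes) -> str:
    """Return the protocol version chosen in a captured ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype == 0x15:
        raise ValueError("alert record: the peer refused the handshake")
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    # Assumption: up to TLS 1.2, server_version is the negotiated version.
    version = int.from_bytes(body[4:6], "big")
    return VERSIONS.get(version, "unknown(0x%04x)" % version)


def assess(record: bytes) -> str:
    """Classify a ServerHello against the protocol support stated in this note."""
    version = negotiated_version(record)
    if version == "SSLv3":
        return "FAIL: SSLv3 negotiated (POODLE, CVE-2014-3566)"
    if version not in OSN_SUPPORTED:
        return "FAIL: %s is not in the OSN-supported set" % version
    if version != "TLSv1.2":
        return "WARN: %s negotiated; TLSv1.2 is preferred" % version
    return "OK: TLSv1.2 negotiated"


def sample_server_hello(version: int) -> bytes:
    """Build a minimal, constructed ServerHello record (not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    for wire_version in (0x0300, 0x0301, 0x0303):
        print(assess(sample_server_hello(wire_version)))
```

An alert record in place of the ServerHello is the expected result when a peer that has disabled SSLv3 is offered only SSLv3, which matches the delivery failures described earlier in this note.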