Saturday, June 14, 2008

ABSENCE OF mod_plsql IN R12

Running APEX with Oracle Applications Release 12 will not be that straightforward after all, the reason being the absence of mod_plsql in the Release 12 application server. In this post I will explore this topic a bit further and look at what exactly mod_plsql does and why it is absent in Oracle Applications Release 12.

mod_plsql

mod_plsql is an extension module of the Apache Web Server, which is the core component of the Oracle Application Server. It was formerly referred to as the Oracle PL/SQL Cartridge. The main function of mod_plsql is that it allows the middle tier, or the web server, to understand and execute PL/SQL code. This is particularly useful for generating dynamic web pages. mod_plsql makes a connection to your database based on the information defined in your Data Access Descriptor (DAD) settings; in Oracle Applications the wdbsrv.app file would be used by mod_plsql to connect to your database and execute the SQL/PL/SQL code against it. What this means is that virtually any PL/SQL code can be executed through the web browser over HTTP/HTTPS.

In a default Apache web server configuration mod_plsql is configured and started by default. This applies to the Oracle Application Server both standalone and as bundled within Oracle Applications Release 11i.

mod_plsql Vulnerabilities

I am yet to see any official document from Oracle on mod_plsql's demise in Release 12 apart from Steven Chan's blog and the Oracle OpenWorld presentations, and even there the reasons for its exclusion are not mentioned.

The main reason, I feel, is the security vulnerabilities that mod_plsql has. Since a connection to the database is possible relatively easily in a mod_plsql implementation, it gives rise to security threats. In fact it allows anyone with access to the Oracle Applications web server to execute any SQL/PL/SQL code against the APPS schema and view any data that is visible to the APPS user. This is obviously quite dangerous. There is also the risk of SQL injection, which is one of the most commonly used techniques by hackers. SQL injection is a technique where the hacker tries to add malicious code in between valid SQL/PL/SQL code. This often makes the system quite vulnerable and the intrusion difficult to detect.

Although there have been workarounds to block the mod_plsql vulnerabilities, they have been known to cause problems in complex implementations of Oracle Applications. These vulnerabilities have not gone unnoticed by Oracle, and it has released Oracle Security Alert #28, which talks about the risk arising from mod_plsql.

As a result I feel the security vulnerabilities surrounding mod_plsql would have been one of the major factors in Oracle's decision to desupport mod_plsql in Oracle Applications Release 12.
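As an added example that is not part of the original post: a small audit over constructed Apache access log lines that flags DAD requests calling procedures outside an allowlist, or carrying SQL metacharacters in their arguments, which is the same request-validation idea the workarounds above rely on. The /pls/ path prefix, the DAD name APPS, the procedure names and the log lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format access log lines (not real server output).
# Assumed mod_plsql URL shape: /pls/<dad>/<schema.package.procedure>?args
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2008:10:01:02 +0000] "GET /pls/APPS/apps.xx_custom.show_page?p_id=42 HTTP/1.1" 200 512
10.0.0.5 - - [14/Jun/2008:10:01:09 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/toolbox/webui/HelloWorldPG HTTP/1.1" 200 9812
10.0.0.9 - - [14/Jun/2008:10:02:17 +0000] "GET /pls/APPS/apps.xx_custom.show_page?p_id=42%27-- HTTP/1.1" 500 301
10.0.0.9 - - [14/Jun/2008:10:02:33 +0000] "POST /pls/APPS/apps.xx_unlisted.run_report HTTP/1.1" 200 77
"""

# Hypothetical allowlist: the only procedures this DAD is meant to expose.
ALLOWED_PROCEDURES = {"apps.xx_custom.show_page"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
DAD_RE = re.compile(r'^/pls/(?P<dad>[^/]+)/(?P<proc>[^/?]+)$', re.IGNORECASE)

# Characters that have no business inside a plain DAD parameter value.
SUSPICIOUS_ARG = re.compile(r"['\"]|--|;")


def parse_dad_request(target):
    """Return (dad, procedure, decoded query) for a mod_plsql URL, or None for any other URL."""
    parts = urlsplit(target)
    m = DAD_RE.match(parts.path)
    if not m:
        return None
    return m.group("dad").upper(), m.group("proc").lower(), unquote(parts.query)


def audit_log(text, allowed=ALLOWED_PROCEDURES):
    """Flag mod_plsql requests that call procedures outside the allowlist or that
    carry SQL metacharacters in their arguments. Returns a list of (ip, procedure, reason)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dad = parse_dad_request(m.group("target"))
        if dad is None:
            continue  # not a DAD call (e.g. an OAF page)
        _, proc, query = dad
        if proc not in allowed:
            findings.append((m.group("ip"), proc, "procedure not in allowlist"))
        elif SUSPICIOUS_ARG.search(query):
            findings.append((m.group("ip"), proc, "SQL metacharacters in arguments"))
    return findings


if __name__ == "__main__":
    for ip, proc, reason in audit_log(SAMPLE_LOG):
        print(f"{ip} {proc}: {reason}")
```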

Oracle Applications Framework

When I started blogging, my third post covered Oracle Applications Framework (OAF). It's time to revisit the topic now. The Oracle Applications Framework is a Java framework based on the J2EE MVC design pattern, and it allows HTML, XML, PL/SQL, Java and web services to be executed without compromising on security. The connection to the database in the Oracle Applications Framework model is made through Java Database Connectivity (JDBC) drivers.

The Oracle Applications Framework comes bundled in a default installation of Oracle Applications Release 11.5.10 and later; for Oracle Applications Release 11.5.9 and prior you would be required to upgrade to the latest AD patchset level to be able to use Oracle Applications Framework. For the current release of OAF you must be on Java 1.3 at least. The actual requirements for OAF in Release 12 are not known, as the official documentation on that is yet to be released.

Apart from addressing the security vulnerabilities, OAF also allows out-of-the-box customization of the Oracle Applications modules. In Oracle Applications Release 12 all customizations which use the application server's mod_plsql would have to be migrated to the Oracle Applications Framework model.

Additional References
Red-Database-Security.com's SQL Injection via mod_plsql
Steven Chan's Post on Release 12 Tech Stack

1 comment:

Anonymous said...

Hi. Great article.

Is there a URL where they give examples on how to use the existing PL/SQL statements or to create Java wrappers so I won't have to re-write the entire system?

Thanx
Morne