Oracle EBS SQL Log Disclosure

SQL logs are used for any table maintenance or data retrieval operations performed on the EBS instance. Statement-based logs can be used to find out what statements the application makes with no need to understand the underlying database logic.

Impact

An attacker may be able to retrieve sensitive information like database credentials by simply inspecting the SQL logs.

Solution

It is strongly recommended to silence the EBS SQL logs. The logs should not be stored on the local file system and must be removed once they have been archived.