Dark Reading
Products and Releases

Onapsis Identifies and Helps Oracle Secure Critical Vulnerability in E-Business Suite (EBS)

In advance of annual Black Hat conference, Onapsis Research Labs' threat intelligence protects Oracle customers from severe risks affecting EBS-based platforms

Boston, MA – July 18, 2017 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced the discovery of several vulnerabilities, including one rated as high-risk, affecting Oracle E-Business Suite (EBS) platforms. If exploited, this vulnerability would allow an attacker to retrieve all business documents stored in the EBS system, resulting in a potentially severe information and data loss situation as well as costly violations of compliance requirements such as PCI-DSS, PII protection, NIST and SOX.

Oracle EBS is one of the most critical applications to the operations of large organizations. Cross-industry capabilities span Customer Relationship Management (CRM), Finance Management, Human Capital Management, Supply Chain Management, Procurement and many others.

Onapsis is warning users of Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 that they are exposed to an arbitrary document download vulnerability: anyone able to connect to the web server, without any access credentials and using a single HTTP request, can access any document stored in the database, which acts as a repository for the organization and stores critical business documents and processes.

This news is another example that business-critical applications such as Oracle EBS face an emerging threat, as they are the perfect economic target for cybercrime organizations and nation-state hackers, as well as internal fraud. Vulnerabilities in Oracle EBS are on the rise, with a 46% increase in 2017 year-to-date over the same period last year. By nature, these applications are not built with security in mind and are not protected by today’s traditional security tools. Further, the responsibility for securing these applications often falls through the cracks between IT, application and security teams. This situation is creating urgency among CISOs and boards of directors about what has been a major blind spot in their security programs.

“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Juan Perez-Etchegoyen, CTO, Onapsis. 

“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization,” continued Perez-Etchegoyen.

As the leading Oracle partner for cybersecurity, Onapsis worked closely with Oracle’s Product Security & Engineering teams to help them develop the security patches. “As always, Onapsis immediately discloses the vulnerability information to the vendor so that a patch can be developed and released to Oracle customers, which they did very quickly and had in their next CPU. Our number one priority is securing Business-Critical Applications, and we are proud that we were directly responsible for securing 11 of the 22 vulnerabilities affecting EBS in this month’s CPU,” explained Mariano Nunez, CEO and Co-Founder, Onapsis.

As part of its responsible disclosure policy, the Onapsis Research Labs will only release technical details of these vulnerabilities after they have been patched, in order to confirm that Oracle customers have what they need to secure their EBS systems. Additional mitigation steps can be found in the Onapsis Advanced Threat Protection Report.

The Onapsis Research Labs has discovered more than 240 vulnerabilities in Oracle business applications, has helped Oracle secure over 57% of all EBS vulnerabilities reported, and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.
