Application Security
7/18/2017
04:55 PM
Dark Reading
Products and Releases

Onapsis Identifies and Helps Oracle Secure Critical Vulnerability in E-Business Suite (EBS)

In advance of annual Black Hat conference, Onapsis Research Labs' threat intelligence protects Oracle customers from severe risks affecting EBS-based platforms

Boston, MA – July 18, 2017 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced the discovery of several vulnerabilities, including one rated as high-risk, affecting Oracle E-Business Suite (EBS) platforms. If exploited, this vulnerability would allow an attacker to retrieve all business documents stored in the EBS system, resulting in a potentially severe information and data loss situation as well as costly compliance violations under regimes such as PCI-DSS, PII, NIST and SOX.

Oracle EBS is one of the most critical applications to the operations of large organizations. Cross-industry capabilities span Customer Relationship Management (CRM), Finance Management, Human Capital Management, Supply Chain Management, Procurement and many others.

Onapsis is warning users of Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 that they are exposed to an arbitrary document download vulnerability: anyone able to connect to the web server, without any access credentials and using a single HTTP request, can retrieve any document stored in the database, which acts as the organization's repository for critical business documents and processes.

This news is another example that business-critical applications such as Oracle EBS face an emerging threat, as they are the perfect economic target for cybercrime organizations and nation-state hackers, as well as internal fraud. Vulnerabilities in Oracle EBS are on the rise, with a 46% increase in 2017 year-to-date over the same period last year. By nature, these applications are not built with security in mind and are not protected by today's traditional security tools. Further, the responsibility for securing these applications often falls through the cracks between IT, application and security teams. This situation is creating an urgency with CISOs and boards of directors around what has been a major blind spot in their security programs.

“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Juan Perez-Etchegoyen, CTO, Onapsis. 

“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization,” continued Perez-Etchegoyen.

As the leading Oracle partner for cybersecurity, Onapsis worked closely with Oracle's Product Security & Engineering teams to help them develop the security patches. "As always, Onapsis immediately discloses the vulnerability information to the vendor so that a patch can be developed and released to Oracle customers, which they did very quickly and had in their next CPU. Our number one priority is securing Business-Critical Applications, and we are proud that we were directly responsible for securing 11 of the 22 vulnerabilities affecting EBS in this month's CPU," explained Mariano Nunez, CEO and Co-Founder, Onapsis.

As part of its responsible disclosure policy, the Onapsis Research Labs will only release technical details of these vulnerabilities after they have been patched, in order to confirm Oracle customers have what they need to secure their EBS systems. Additional mitigation steps can be found in the Onapsis Advanced Threat Protection Report.

The Onapsis Research Labs has discovered more than 240 vulnerabilities in Oracle business applications, has helped Oracle secure over 57% of all EBS vulnerabilities reported, and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis' solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled "Automated Security Assessment of Business-Critical Systems and Applications," which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry-wide and has earned Onapsis recognition as a 2015 SINET 16 Innovator.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.
