Application Security

7/18/2017
04:55 PM
Dark Reading
Products and Releases

Onapsis Identifies and Helps Oracle Secure Critical Vulnerability in E-Business Suite (EBS)

In advance of annual Black Hat conference, Onapsis Research Labs' threat intelligence protects Oracle customers from severe risks affecting EBS-based platforms

Boston, MA – July 18, 2017 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced the discovery of several vulnerabilities, including one rated as high-risk, affecting Oracle E-Business Suite (EBS) platforms. If exploited, this vulnerability would allow an attacker to retrieve all business documents stored in the EBS system, resulting in a potentially severe loss of information and data as well as costly compliance violations under frameworks such as PCI-DSS, PII regulations, NIST and SOX.

Oracle EBS is one of the most critical applications to the operations of large organizations. Cross-industry capabilities span Customer Relationship Management (CRM), Finance Management, Human Capital Management, Supply Chain Management, Procurement and many others.

Onapsis is warning users of Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 that they are exposed to an arbitrary document download vulnerability: anyone who can connect to the web server, without any access credentials and using a single HTTP request, is able to access any document stored in the database, which acts as a repository for the organization and holds critical business documents and processes.

This news is another example of how business-critical applications such as Oracle EBS are an emerging threat surface, as they are the perfect economic target for cybercrime organizations and nation-state hackers, as well as for internal fraud. Vulnerabilities in Oracle EBS are on the rise, with a 46% increase in 2017 year-to-date over the same period last year. By nature, these applications are not built with security in mind and are not protected by today’s traditional security tools. Further, the responsibility for securing these applications often falls through the cracks between IT, application and security teams. This situation is creating urgency among CISOs and boards of directors around what has been a major blind spot in their security programs.

“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Juan Perez-Etchegoyen, CTO, Onapsis.

“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization,” continued Perez-Etchegoyen.

As the leading Oracle partner for cybersecurity, Onapsis worked closely with Oracle’s Product Security & Engineering teams to help them develop the security patches. “As always, Onapsis immediately discloses the vulnerability information to the vendor so that a patch can be developed and released to Oracle customers, which they did very quickly and had in their next CPU. Our number one priority is securing Business-Critical Applications, and we are proud that we were directly responsible for securing 11 of the 22 vulnerabilities affecting EBS in this month’s CPU,” explained Mariano Nunez, CEO and Co-Founder, Onapsis.

As part of its responsible disclosure policy, the Onapsis Research Labs will only release technical details of these vulnerabilities after they have been patched, in order to confirm Oracle customers have what they need to secure their EBS systems. Additional mitigation steps can be found in the Onapsis Advanced Threat Protection Report.

The Onapsis Research Labs has discovered more than 240 vulnerabilities in Oracle business applications, has helped Oracle secure over 57% of all EBS vulnerabilities reported, and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry-wide and has earned Onapsis recognition as a 2015 SINET 16 Innovator.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.
