Thousands of businesses vulnerable to 'severe' Oracle EBS flaws

The suite of enterprise products can be exploited for financial fraud and theft

Security researchers at Onapsis have discovered a number of 'severe' vulnerabilities in Oracle's E-Business Suite (EBS) that could leave more than 21,000 organisations at risk of financial theft and fraud.

Oracle EBS has become a critical set of products that help to integrate customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management processes within a business.

The vulnerabilities have been given a CVSS score of 9.9 – only four other issues have been given the same score since 2015, according to Onapsis, although many more have been assigned a score of 10.0 (the highest possible).

The flaws could be exploited against businesses in two different scenarios. The first involves manipulation of the wire transfer payment system, whereby an attacker can reroute invoice payments to a bank account of their choosing without leaving a digital footprint.

In the second, attackers could create and print genuine bank checks through the Oracle EBS check printing process, disabling and erasing audit logs to conceal the rogue activity.

"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis to IT Pro.

"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."

Onapsis researchers have been working with Oracle's Security Response Team in order to disclose the issues and create patches. The original vulnerabilities were patched in April 2018 but subsequent flaws have been patched as recently as April 2019. It's believed more than 21,000 Oracle EBS customers are still vulnerable to the attacks.

Oracle ran a simulation in 2017 of a realistic financial structure, modelled on a large business with more than 25 years of experience of ERP deployments. Highlighting the risk these vulnerabilities present, the simulation found it was possible to process 1 million payments per hour.
