ERPScan Took a Closer Look at Oracle EBS Security, 6 Vulnerabilities Patched in Recent Update

ERPScan has announced today that Oracle released updates for 6 vulnerabilities identified by ERPScan researchers.

ERPScan, the most honored SAP Security and Oracle Security provider focused on ERP and Enterprise Business Application security, has announced today that Oracle released updates for 6 vulnerabilities identified by ERPScan researchers.

According to the recent Critical Patch Update for October 2015, 154 vulnerabilities were fixed in total by Oracle in its set of enterprise products. Among 12 vulnerabilities closed in Oracle E-Business Suite, there were 6 exposed by ERPScan Research team. These issues include XSS Vulnerability, SQL Injection vulnerability, several XXE Injection Vulnerabilities ([1], [2]), and User Enumeration vulnerability. Some of those issues (SQL Injection, XXE Injections) allow an attacker to gain unauthorized access to the business application with administrator rights.

The vulnerabilities were discovered in the core platform of Oracle’s most popular Enterprise application - Oracle EBS (E-Business Suite). Some of the most critical business applications based on E-Business Suite platform are affected such as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management. Listed applications store and process the most valuable corporate data such as HR information, financial data, supplier and customer lists, and others.

The severity of attack impact is limited by the attacker’s skills and imagination. Depending on the application type, a malicious person can carry out the following espionage, sabotage or fraudulent actions:

- Manipulate data about quantity of material resources

- Change the item prices

- Misappropriate funds

- Tamper credit limits

- Steal credit card data

- Modify financial reports

- And others

This is the 16th update since 2008 where ERPScan researchers were acknowledged by Oracle for their help in solving security issues in their solutions.

“During our review of Oracle security, we identified dozens of vulnerabilities affecting Oracle EBS Security. We managed to find at least one example of every vulnerability from OWASP TOP 10.” - Alexey Tyurin, Head of Oracle Security department at ERPScan

ERPScan recommends that all companies using Oracle e-Business Suite applications update their systems with the latest patches provided by Oracle to improve the Oracle EBS Security level.

In addition, ERPScan recommends its Security services to assess your systems against Oracle EBS security.