Thousands of businesses vulnerable to 'severe' Oracle EBS flaws

The suite of enterprise products can be exploited for financial fraud and theft

Security researchers at Onapsis have discovered a number of 'severe' vulnerabilities in Oracle's E-Business Suite (EBS) that could leave more than 21,000 organisations at risk of financial theft and fraud.

Oracle EBS has become a critical set of products that help to integrate customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management processes within a business.

The vulnerabilities have been given a CVSS score of 9.9 – only four other issues have been given the same a score since 2015, according to Onapsis, although many more have been assigned a score of 10.0 (highest).

Businesses could be exploited in two different scenarios, the first involving manipulation of the wire transfer payment system whereby an attacker can reroute invoice payments to a bank account of their choosing without leaving a digital footprint.

Attackers could also create and print genuine bank checks through the Oracle EBS check printing process, disabling and erasing audit logs to conceal rogue activity.

"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis to IT Pro.

"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."

Onapsis researchers have been working with Oracle's Security Response Team in order to disclose the issues and create patches. The original vulnerabilities were patched in April 2018 but subsequent flaws have been patched as recently as April 2019. It's believed more than 21,000 Oracle EBS customers are still vulnerable to the attacks.

Oracle ran a simulation in 2017 of a realistic financial structure based on a large business with more than 25 years of experience with ERP deployments. Highlighting the risk these vulnerabilities present, the simulation found it was possible to process 1 million payments per hour.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021