Thousands of businesses vulnerable to 'severe' Oracle EBS flaws

Abstract image of a skull inside computer code

Security researchers at Onapsis have discovered a number of 'severe' vulnerabilities in Oracle's E-Business Suite (EBS) that could leave more than 21,000 organisations at risk of financial theft and fraud.

Oracle EBS has become a critical set of products that help to integrate customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management processes within a business.

The vulnerabilities have been given a CVSS score of 9.9 – only four other issues have been given the same a score since 2015, according to Onapsis, although many more have been assigned a score of 10.0 (highest).

Businesses could be exploited in two different scenarios, the first involving manipulation of the wire transfer payment system whereby an attacker can reroute invoice payments to a bank account of their choosing without leaving a digital footprint.

Patch management vs vulnerability management What is enterprise resource planning (ERP)? What does GDPR mean to security?

Attackers could also create and print genuine bank checks through the Oracle EBS check printing process, disabling and erasing audit logs to conceal rogue activity.

"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis to IT Pro.

"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."

Onapsis researchers have been working with Oracle's Security Response Team in order to disclose the issues and create patches. The original vulnerabilities were patched in April 2018 but subsequent flaws have been patched as recently as April 2019. It's believed more than 21,000 Oracle EBS customers are still vulnerable to the attacks.

Oracle ran a simulation in 2017 of a realistic financial structure based on a large business with more than 25 years of experience with ERP deployments. Highlighting the risk these vulnerabilities present, the simulation found it was possible to process 1 million payments per hour.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.