Half of companies are probably using a vulnerable Oracle E-Business Suite

Organizations need to fix a pair of security vulnerabilities in Oracle E-Business Suite (EBS). Otherwise, they run the risk of potential financial fraud and non-compliance with financial regulations, such as Sarbanes-Oxley, according to application security firm Onapsis.

The two flaws, CVE-2020-2586 and CVE-2020-2587, could allow an attacker to make changes to the ledger application included in Oracle’s EBS, to steal or modify sensitive business information, or to delete information as part of a ransom campaign, according to a notice published by Onapsis. The vulnerabilities expose the EBS application and its various modules to unauthenticated remote exploitation, bypassing controls to allow the modification of financial data, Onapsis says in its advisory.

The vulnerable component is installed by default in every Oracle EBS instance. While it cannot be disabled, the flaws can be fixed by applying the January 2020 Critical Patch Update (CPU), according to Juan Perez-Etchegoyen, chief technology officer at Onapsis. However, only about half of businesses have likely applied the critical update, as an average business typically takes one to two quarters to update its systems, he says.

“It is essential that companies check that they are up to date with the latest fixes,” says Perez-Etchegoyen. “It’s even more important if they have systems connected to the Internet to allow access to their remote workforce. These applications and patches are very complex in their deployment, so it is important to verify that the patch is applied correctly.”
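One way to verify the point made above, that a patch is actually recorded as applied on an EBS instance, is to query the AD_BUGS table, which EBS patching tools populate with the bug numbers of every patch applied. The query below is an added example, not code from Onapsis or Oracle; the bug numbers in it are placeholders, because the article does not list the patch numbers that make up the January 2020 CPU for EBS, and they would be replaced with the numbers from Oracle's CPU advisory for the installed release.

```sql
-- Added example: report which required patch bug numbers are recorded as applied.
-- Run as the APPS user. The bug numbers below are placeholders; substitute the
-- patch numbers from Oracle's January 2020 CPU advisory for your EBS release.
WITH required (bug_number) AS (
  SELECT '<CPU_JAN2020_PATCH_1>' FROM dual UNION ALL
  SELECT '<CPU_JAN2020_PATCH_2>' FROM dual
)
SELECT r.bug_number,
       CASE WHEN b.bug_number IS NULL THEN 'MISSING' ELSE 'APPLIED' END AS status,
       b.creation_date AS applied_on
FROM   required r
       LEFT JOIN ad_bugs b ON b.bug_number = r.bug_number
ORDER  BY r.bug_number;
-- Any row reporting MISSING has not been recorded as applied on this instance.
-- On Release 12.2, a patch applied in an online patching (adop) cycle only takes
-- effect once that cycle has completed cutover, so confirm the cycle finished too.
```

Because the article reports that the flaws cannot be mitigated by disabling the component, the presence of the CPU patches in AD_BUGS is the check that matters; a MISSING row on an Internet-facing instance should be treated as a finding to remediate, not merely a backlog item.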

The vulnerability notice emphasizes that software flaws in critical business applications, such as enterprise resource planning (ERP) software, should be prioritized during update cycles. Organizations often delay patching critical systems because any downtime can have a significant impact. Typically, about half of businesses take two or more quarters to apply a critical patch update, says Perez-Etchegoyen.

“Typically, it depends on the maturity of the security of the company,” he says.

Oracle E-Business Suite is a popular ERP solution, allowing businesses to track their organization and infrastructure usage to improve decision making and reduce costs. The application typically handles the entire business process, from supply chain management to financial management, explains Perez-Etchegoyen.

The software has become even more important with the shift to remote working, as businesses rely on such systems to manage their now distributed operations. However, the trend towards working from home has resulted in many more instances of Oracle E-Business Suite being reachable from the Internet, apparently so that remote workers in human resources, engineering, and management can access the server. In the past six months, Onapsis has found that 30% more EBS instances are accessible from the Internet, explains Perez-Etchegoyen.

“When a business exposes a system to the Internet, it usually doesn’t take all the necessary precautions to keep it secure, because it has to make sure its teams have access to the services. But it also means that these systems are vulnerable from anywhere on the planet,” he says. “It is therefore important that IT security is involved in these decisions.”

In November, Onapsis initially disclosed a pair of flaws that could allow a similar attack. Dubbed the Payday vulnerabilities, the two issues could have allowed an attacker to execute code on the server and commit financial fraud against the company’s accounting.

Likewise, with the latest vulnerabilities, which Onapsis calls “BigDebIT”, an attacker could access any functionality of the application, including the financial side of the ERP system, enabling financial attacks.

“An attacker can execute and conceal transactions, then intercept information from the bank,” Onapsis says in the report. “There would be no reconciliation of the transaction and the audit would likely miss it as well.”

The company also raises the specter that organizations that fail to apply the fixes could expose themselves to financial regulatory failures.

“Any Oracle EBS customer who has not applied the January 2020 Critical Patch Update (CPU) and is regulated by Sarbanes-Oxley (SOX) may find deficiencies in Internal Control over Financial Reporting (ICFR),” says the report.

In a statement sent to Dark Reading, Oracle pointed out that the vulnerabilities were patched in January.

“Oracle encourages customers to follow the secure configuration recommendations in its deployment guides, stay on actively supported versions, and apply critical patch updates without delay,” the company said. “At the time of this report’s publication, the most recent Critical Patch Update was the April 2020 Critical Patch Update.”

Perez-Etchegoyen of Onapsis says there is no indication that a public exploit for the flaws has been released to date.

Mary H. Martino