Oracle_E-Business_Suite

Oracle has released approximately 300 patches yesterday in its ‘Critical Patch Update Advisory’. The vast amount of patches released will ensure that Oracle admin’s across the world would be busy patching up vulnerabilities.

After digging deep and understanding the criticality of various vulnerabilities and its patches, we identified a critical vulnerability in the Oracle E-Business Suite (EBS). EBS is apparently prone to remote security vulnerability in Oracle Application Object Library and as per reports released the vulnerability CVE-2017-10244 affects the following supported versions of Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

The bug has been tamed critical as it allows attackers to gain access and download data stored in applications configured within the EBS without credentials.

The applications of EBS have its components vulnerable to attacks, further making its data insecure. These apps are related to Customer Relationship Management, Service Management, Financial Management, and Human Capital Management which includes vital information regarding talent management, HR analytics and workforce management. Apart from these there are many other areas of the EBS that are vulnerable to attacks making sensitive business information insecure.

As per the findings, some Oracle EBS modules are exposed to the internet in order to provide access to vendors and customers. Henceforth, the attackers are able to track the exposed modules by searching on the internet with the help of Google and Shodan. However, it has also been established that in order to exploit the  CVE-2017-10244 vulnerability the attackers would have to a detailed knowledge of EBS structure and parameters.

As far as patching Oracle EBS is concerned, it could be a challenging and a time consuming task given the fact that there are nearly 300 patches to be deployed. In relation to this Juan Perez-Etchegoyen, CTO of Onapsis said, “In terms of patching, the real challenge is understanding if the patch is breaking some real functionality or business process”. Taking all these aspects into consideration, the vast amount of patches released will ensure that Oracle admin across the world are busy patching up vulnerabilities.

Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.

Details
Date Published
July 19, 2017