With massive macroeconomic changes, organizations have had to rapidly adapt over the last few months. While operating with limited resources, time constraints and remote teams, many organizations are now scrambling to patch security holes in their mission-critical applications as cyberattacks rise. This is important as no organization today can afford the financial impact and reputational damage of a significant security breach or compliance violation.
Today, Onapsis is releasing a Threat Research Report about critical vulnerabilities that the Onapsis Research Labs found in the Oracle E-Business Suite (EBS) and worked with the Oracle Security Response Team to fix in Oracle’s January 2020 Critical Patch Update. The problem is that all of these rapid changes have challenged IT and InfoSec teams, and thousands of organizations are still at risk today. Dubbed BigDebIT, these two highly critical vulnerabilities place every unprotected Oracle EBS customer at risk of cyberattacks and compliance violations.
The Onapsis Threat Research Report highlights a potential exploit scenario on Oracle General Ledger, one of the financial application modules of Oracle EBS, leveraging the BigDebIT vulnerabilities. A successful attacker could gain unauthenticated access (no username or password needed) to Oracle General Ledger to manipulate an organization’s financial statements, impacting the financial integrity and reputation of the organization. For publicly traded companies, having the BigDebIT vulnerabilities on your Oracle EBS systems may present a deficiency in IT General Controls for Sarbanes-Oxley (SOX) compliance. This could result in a SOX compliance violation that could negatively impact the company’s financials, resulting in penalties and fines against the company and its executive leaders. Learn more in the video below about how BigDebIT can impact your Oracle EBS system and leave your organization at risk.
The Oracle General Ledger example is just one potential attack scenario, as all Oracle EBS applications, including ERP, CRM, SCM, HCM and others, are at risk. Potential exploits on these applications could lead to significant cybersecurity breaches and also violate privacy regulations, such as GDPR, CCPA and others.
Although these vulnerabilities were addressed in Oracle’s January 2020 Critical Patch Update (CPU), many organizations have been so financially and resource-constrained that they have struggled to remediate them. Onapsis wants to ensure all Oracle EBS customers are aware of the critical nature of these vulnerabilities and are taking the necessary steps to protect their organizations.