Today Oracle released the first Critical Patch Update of the year that contains 334 new security patches and a total of 23 patches for Oracle E-Business Suite (EBS), one of the most used ERP software in the World. Among these fixes, the two most critical ones were reported by Onapsis Research Labs and are related to the already known PAYDAY vulnerabilities that we explained a few months ago in a public report. With these new patches, every EBS customer that does not apply January’s CPU will be vulnerable to this sensitive attack that can compromise the system, leading to financial fraud or direct disruption of the business operations. Last time Oracle patched bugs related to this attack was in April 2019 (and the first time one year earlier), so let’s make a summary of why PAYDAY vulnerabilities are relevant and need to be addressed as soon as possible, and then we will review some other details and statistics about this month CPU.
PAYDAY Threat Report was published by Onapsis in November 2019, describing a set of vulnerabilities Onapsis Research Labs originally reported to Oracle in 2017, all of them related to TCF component. Oracle started to patch these vulnerabilities in April 2018, and subsequent CPUs have had fixes for the other reported bugs, completing all of the original reports by April 2019. As has been said, in November Onapsis published the Threat Report explaining the impact of these bugs and how it can be abused by an attacker for financial fraud.
Nevertheless, Onapsis Researchers also found that there were other attack vectors that allowed the same vulnerability to be exploited even if the customers deployed April 2019 CPU, and reported it to Oracle, that is patching today this two new vulnerabilities (CVSS-2020-2586 and CVSS-2020-2587), both tagged with CVSS Score 9.9 (as the previous ones also described in the Threat Report). The difference is that with these patches, it is confirmed that even with the systems up to date are vulnerable to these attacks, and therefore need to prioritize the installation of January’s CPU. Oracle also explains in its release that even though the vulnerabilities where found in Oracle Human Resources modules (component Hierarchy Diagrammers), “attacks may significantly impact additional products”, as it is in the financial fraud examples we detailed in the report, such as the ability for the attacker to create malicious wire transfers or directly print malicious checks, as can be seen in the following video:
ORACLE EBS PAYDAY: MANIPULATING WIRE TRANSFERS
ORACLE EBS PAYDAY: PRINTING APPROVED CHECKS
Nevertheless, these are only examples of critical attacks. If an attacker successfully exploits these vulnerabilities, exploitation scenarios may vary, including high compromise of all availability, integrity or confidentiality of the information. All supported versions are affected by these patches: 12.1.1-12.1.3 and 12.2.3-12.2.9. For customers with all the patches up to date (including October 2019 CPU) this attack can be executed with low privileged accounts. But if you didn’t apply patches lately (before October 2018) or have reverted some changes so to avoid disruption of some TCF protocol functionalities, in some cases this attack can be executed by unauthenticated attackers.
If you want to read the full PAYDAY report, please visit the following webpage for more details:
More data about the CPU
In this CPU Oracle recommends the customer to apply the security patches for technology stack components in Oracle E-Business Suite, including database and Oracle Fusion Middleware. There are 85 vulnerabilities in total affecting this platform:
12 for Database (3 of these vulnerabilities may be remotely exploitable without authentication)
38 for Oracle Fusion Middleware (30 of these vulnerabilities may be remotely exploitable without authentication)
12 for Java (All of these vulnerabilities may be remotely exploitable without authentication)
23 for Oracle E-Business Suite technology stack components (21 of these vulnerabilities may be remotely exploitable without authentication)
Consider that all the 85 vulnerabilities in this CPU affects Oracle E-Business Suite directly, in all versions from EBS 12.1 to 12.2.9. This means that it is not enough to have the latest version available, you always need to install the CPU in your stack too. Don’t forget the Weblogic CPU, it’s as important as the Database and EBS CPU, a successful attack of some of the vulnerabilities in Weblogic can give access to the WebLogic server and this server is the same as EBS.
It is worth mentioning that the two critical vulnerabilities reported by Onapsis Research Labs are the only ones with CVSS Score 9.9, the highest of this CPU. Our team is continuously looking for vulnerabilities and we try to put the focus on critical vulnerabilities, as it is in this case.
Finally, a reminder that the next CPU will be released on April 14 2020, so you have time to implement and test this CPU before that date, despite our recommendation to prioritize it due to its critical patches. To implement this CPU for Oracle EBS, you can use this step-by-step guide to implementing Oracle Critical Patch Updates.
Additionally, also remember that we offer a complimentary assessment called a Business Risk Illustration (BRI), where we will assess your Oracle EBS systems to show you where you are vulnerable and at risk with more than 200 checks. It demonstrates the value Onapsis brings by automating continuous monitoring of Oracle EBS to deliver actionable intelligence, enabling you to prioritize vulnerability remediation. Talk to us today to schedule your BRI.
Stay tuned to our blog, as we continue to provide you with more information and best practices for Oracle EBS security.