BigDebIT is the name that Onapsis uses to refer to two highly-critical Oracle EBS vulnerabilities. The name was chosen given the high risk that these vulnerabilities carry to potentially affect critical business information and processes, including Oracle General Ledger. The Onapsis Research Labs believes that more than 21,000 global organizations who use Oracle EBS for financial management, customer relationship management (CRM), supply chain management (SCM), human capital management (HCM), logistics and procurement may be at risk since the vulnerabilities exist in all application modules of Oracle EBS.

As the vulnerabilities have a CVSS score of 9.9, this defines the vulnerabilities as a high risk and the Onapsis Research Labs furthermore believes there are no viable workarounds. These vulnerabilities can only be mitigated by applying the security patches.

Successfully exploiting the BigDebIT vulnerabilities could allow an attacker to take full control over the entire Oracle EBS system, including other potential exploitation scenarios such as modifying or deleting system data. Onapsis is highlighting a potential exploit on Oracle General Ledger because of the serious impact an attack can have on an organization’s finances and financial reporting. Because of this, these vulnerabilities may represent a material compliance risk. For companies subject to Sarbanes-Oxley (SOX) in the United States and/or organizations subject to the European Union’s GDPR, these vulnerabilities must be promptly addressed

The attack scenarios on the BigDebIT vulnerabilities are especially important for Oracle EBS customers to understand how critical Oracle EBS security updates could be to their overall security posture if not properly implemented. Because these vulnerabilities can be exploited with unauthenticated access to Oracle EBS, organizations must be aware that existing Segregation of Duties (SoD), access controls and other security controls such as web application firewalls (WAFs) will not keep you protected. It is important to understand what the status quo is around Oracle EBS cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing Oracle EBS applications. It is also recommended that you run a full Oracle EBS security assessment to learn where you may be vulnerable and at risk.

The Onapsis Research Labs has worked closely with Oracle Corporation's Security Response Team to fix several critical vulnerabilities in Oracle EBS. The BigDebIT vulnerabilities were patched in Oracle’s January 2020 Critical Patch Update (CPU).

CVE-2020-2586 (fixed in January 2020), CVSS v3 9.9

CVE-2020-2587 (fixed in January 2020), CVSS v3 9.9

The Onapsis Research Labs estimates that as many as half of the 21,000 organizations using Oracle EBS have still not applied the January 2020 Critical Patch Update (CPU) that addresses the BigDebIT vulnerabilities.

With the release of today’s threat report, Onapsis is highlighting how these two vulnerabilities were uncovered and reported by the Onapsis Research Labs and could be used to gain unauthenticated access (no username or password needed) to Oracle General Ledger to manipulate an organization’s financial statements—impacting security and financial compliance.

This is just one potential attack scenario as all Oracle EBS applications, including ERP, CRM, SCM, HCM, and others are at risk. Potential exploits on these applications could also violate privacy regulations, such as GDPR, CCPA and others.

Unfortunately, auditors are not typically looking for these types of risks, even though timely application of security patches should be mandatory for every organization relying on Oracle EBS to support their business. To provide a proof of how critical these issues are, the Onapsis Research Labs has created a proof of concept attack scenario against Oracle General Ledger. In spite of comprehensive auditing deployed both within the application and the database, due to the nature of the BigDebIT vulnerabilities all audit trails of the exploits were able to be successfully erased.

We anticipate external audit firms will extend their current controls (which are mostly related to SoD) to address Oracle EBS cybersecurity risks in the near future. The status quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit process to ensure they are incorporating these additional types of controls and manage business risk appropriately in advance of this happening.

Any Oracle EBS system without the proper patches installed (January 2020 CPU) is vulnerable to these attacks.

Successfully exploiting any of these vulnerabilities allows for the manipulation of financial reports, financial theft and fraud and could lead to full control over the entire Oracle EBS system. Beyond the impact of financial fraud, these vulnerabilities represent a material compliance risk. For companies subject to Sarbanes-Oxley (SOX) in the United States and/or organizations subject to the European Union’s GDPR, these vulnerabilities must be promptly addressed.

The Onapsis Research Labs has prepared an example scenario of an attacker leveraging these vulnerabilities to attack Oracle General Ledger. By using the BigDebIT vulnerabilities to gain unauthenticated access and bypassing access and security controls to Oracle General Ledger, an attacker can manipulate financial data and falsify financial reports that publicly-traded companies use for SOX compliance.

This is a question executive management has to discuss with the Board of Directors and the independent auditor. If the risk is present in your organization, you should assess its materiality, likelihood of occurrence and ability of detection with them.

For example, attackers with full access to the basic infrastructure of Oracle EBS could directly or indirectly tamper with financial results. This could be done by altering records in the General Ledger or altering the reports and/or reporting mechanisms used to prepare financial statements. Financial Statement Generator (FSG) reports are primary means of producing both financial statements and ad-hoc inquiries in Oracle EBS. FSG report definitions, while stored in the database, are usually accessed by accounting departments from workstations and laptops using a Microsoft Excel add-on. Tampering with often used FSG reports to produce errant results would materially sabotage financial operations in ways not easily detected.

Being able to attest to the reliability of financial results is the core requirement of SOX. For companies subject to SOX compliance, the BigDebIT vulnerabilities, if left unmitigated, could represent a material finding. Ultimately, it will be up to the independent auditor to include BigDebIT vulnerabilities as a risk to the integrity of the financial statements. Onapsis can only provide expert advice and support to management and auditors.

Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, as a source of independent assurance, your internal audit team and the head of Compliance and Audit should assess this risk from a business perspective to become advocates and present it to the Audit Committee as well.

Unfortunately, these vulnerabilities are not detected by any solution performing GRC (SoD) controls for Oracle EBS. Because these attacks would be unauthenticated requiring no user credentials or passwords, attackers can easily bypass any SoD controls. Organizations will need to manually check for the BigDebIT vulnerabilities or use an automated cybersecurity solution.

Unfortunately, the BigDebIT vulnerabilities are not under the general scope of IT General Controls. Even in a scenario where IT General Controls have a satisfactory state in your Oracle EBS application, the presence of this risk would equal the combination of several ITGC (IT General Controls) deficiencies. Based on our experience, the BigDebIT associated risks are usually not included in traditional audits. We encourage internal and external auditors to include the risk assessment of BigDebIT vulnerabilities as part of your IT General Control audits for SAP systems.

To be effective, web-application firewalls (WAFs) need to be properly implemented and constantly maintained with the latest ruleset of attack signatures. Likewise, WAFs especially need to be carefully monitored. The best guidance from the Onapsis Research Labs for whether or not a WAF will detect and alert and/or mitigate the TCF attack scenarios documented is to assume that the WAF will fail to detect or stop the attacks. The security patches released by Oracle should be applied at the first opportunity.

Onapsis has no evidence of the BigDebIT vulnerabilities being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that any Oracle EBS implementation that has not applied the January 2019 Oracle Critical Patch are vulnerable to attacks on vulnerable systems. In fact, as most organizations are not able to detect the exploitation of these vulnerabilities, a system compromise may go undetected.

As the leading ERP cybersecurity expert, Onapsis has reported and helped secure over 800 security vulnerabilities in both Oracle and SAP applications.

When the Onapsis Research Labs identifies a potential weakness, they immediately notify Oracle so they can begin evaluating and preparing a patch for the reported misconfiguration and vulnerability. The Onapsis Research Labs provides all necessary information to the vendor in order to confirm they have what they need to produce the patch. Onapsis never releases public information about a misconfiguration or vulnerability before it is patched by the vendor.

Yes, The Onapsis Platform offers organizations the opportunity to eliminate risks related to these vulnerabilities and misconfigurations in three ways:

• by determining their level of exposure and potential business impact
• by continually assessing Oracle EBS to identify vulnerabilities and misconfigurations that put the organization at risk
• by prioritizing what vulnerabilities need to be addressed immediately to streamline risk mitigation