Onapsis Identifies and Helps Oracle Secure Critical Vulnerability in E-Business Suite (EBS)
In advance of the annual Black Hat conference, Onapsis Research Labs’ threat intelligence protects Oracle customers from severe risks affecting EBS-based platforms
Boston, MA – July 18, 2017 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced the discovery of several vulnerabilities, including one rated as high-risk, affecting Oracle E-Business Suite (EBS) platforms. If exploited, this vulnerability would allow an attacker to retrieve all business documents stored in the EBS system, resulting in potentially severe information and data loss, exposure of personally identifiable information (PII), and costly compliance violations under regimes such as PCI DSS, NIST and SOX. Oracle EBS is one of the most critical applications to the operations of large organizations; its cross-industry capabilities span Customer Relationship Management (CRM), Financial Management, Human Capital Management, Supply Chain Management, Procurement and many others.
Onapsis is warning users of Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 that they are exposed to an arbitrary document download vulnerability: anyone who can connect to the EBS web server, without any credentials and using a single HTTP request, can retrieve any document stored in the database, which acts as the organization’s repository for critical business documents and processes.
This news is another example that business-critical applications such as Oracle EBS are an emerging attack surface: they are the perfect economic target for cybercrime organizations and nation-state actors, as well as for internal fraud. Vulnerabilities in Oracle EBS are on the rise, with a 46% increase in 2017 year-to-date over the same period last year. By nature, these applications are not built with security in mind and are not protected by today’s traditional security tools. Further, responsibility for securing them often falls through the cracks between IT, application and security teams. This situation is creating urgency among CISOs and boards of directors about what has been a major blind spot in their security programs.
“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Juan Perez-Etchegoyen, CTO, Onapsis.
“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization,” continued Perez-Etchegoyen.
As the leading Oracle partner for cybersecurity, Onapsis worked closely with Oracle’s Product Security & Engineering teams to help them develop the security patches. “As always, Onapsis immediately discloses the vulnerability information to the vendor so that a patch can be developed and released to Oracle customers, which they did very quickly and had in their next CPU. Our number one priority is securing Business-Critical Applications, and we are proud that we were directly responsible for securing 11 of the 22 vulnerabilities affecting EBS in this month’s CPU,” explained Mariano Nunez, CEO and Co-Founder, Onapsis.
As part of its responsible disclosure policy, Onapsis Research Labs will only release technical details of these vulnerabilities after they have been patched, in order to confirm Oracle customers have what they need to secure their EBS systems. Additional mitigation steps can be found in the Onapsis Advanced Threat Protection Report.
The Onapsis Research Labs has discovered more than 240 vulnerabilities in Oracle business applications, has helped Oracle secure over 57% of all EBS vulnerabilities reported, and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.
Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.
Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.
These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry-wide and has gained Onapsis recognition as a 2015 SINET 16 Innovator.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.
Media Contact: Leslie Kesselring, Kesselring Communications