Attackers could gain admin rights over EBS applications

Oct 28, 2015 11:12 GMT

Last week, Oracle released over 154 fixes across multiple products as part of its quarterly security patch cycle.

One of the main beneficiaries of those fixes was the Oracle E-Business Suite (Oracle EBS), which received multiple patches. Six of these addressed issues reported by ERPScan's staff: three XXE (XML External Entity) injection vulnerabilities, a user enumeration flaw, a cross-site scripting (XSS) problem, and an SQL injection bug.

The Oracle E-Business Suite is a collection of enterprise applications catering to companies that need enterprise resource planning (ERP), customer relationship management (CRM), and supply-chain management (SCM) solutions.

The Oracle EBS, a blessing and a curse at the same time

Because the product bundles such a large and varied collection of applications, its attack surface is broad: security vulnerabilities may be comparatively easy for researchers and attackers to find, and correspondingly dangerous for Oracle's customers.

According to ERPScan's security disclosure, the six bugs it discovered affect the Oracle Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management applications.

These applications store and work with valuable and sensitive company data, usually from the financial, human resources, supply chain, and customer support departments.

Attackers can gain admin rights over Oracle EBS applications

Because some of the disclosed bugs (the SQL injection and XXE injections) gave attackers administrative rights over Oracle EBS and its component applications, the impact on organizations that have not yet patched can be severe, with serious consequences for their business.

ERPScan says that attackers using these security loopholes can easily spy on or sabotage companies that deploy Oracle EBS.

Depending on which EBS applications a company has deployed, attackers could, among other things, steal credit card information, misappropriate company funds, alter financial reports, tamper with credit limits, change product prices in the database, and edit material and product stock levels.