Vulnerabilities in Oracle E-Business Suite allow hackers to exploit or deface Financial records
Oracle’s E-Business Suite consists of a collection of enterprise resource planning (ERP), customer relationship management (CRM), and supply-chain management (SCM) computer applications either developed or acquired by Oracle. The software utilizes Oracle’s core Oracle relational database management system technology. The E-Business Suite contains several product lines often known by short acronyms.
Oracle E-Business Suite (EBS) a business management solution is used by more than 21,000 organizations around the world. Researchers at Onapsis, a company that specializes in protecting business-critical applications, last year discovered several vulnerabilities in Oracle EBS. Well, as soon as the discovery was spotted the company fixed some flaws but two of them were labeled “BigDebIT”.
According to Onapsis, the two flaws, CVE-2020-2586 and CVE-2020-2587, could allow an attacker to make changes to the general ledger application included in Oracle’s EBS, steal or modify sensitive business information, or delete the information as part of a ransom campaign. The vulnerabilities open up the EBS applications and its various modules to an unauthenticated remote exploit, bypassing controls to allow the modification of financial data.
The cybersecurity company estimates that there are at least 1,500 Oracle EBS deployments that are exposed to the internet, making them more susceptible to attacks exploiting the BigDebIT flaws if the patches released by the vendor are not installed.
Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process
Onapsis explained in a report.
In a statement sent to Dark Reading, Oracle pointed out the vulnerabilities were patched in January.
“Oracle encourages customers to follow the secure configuration recommendations in its deployment guides, remain on actively-supported versions, and apply Critical Patch Updates without delay,” the company said. “At the time of the publication of this report, the most recent Critical Patch Update was the April 2020 Critical Patch Update”
However, the company has patched the flaws in the April 2020 update and also recommends you to update the latest patch to avoid any exploitation. For more news on tech and cybersecurity stay tuned at Android Rookies by subscribing to our newsletter from here