
Oracle business software features major security flaws


Oracle’s business software features major security flaws which could leave tens of thousands of businesses at risk of both financial theft and fraud. The vulnerable suite, called E-Business Suite (EBS), is a set of products which integrates customer relationship management (CRM) tools with enterprise resource planning (ERP) tools and with supply chain management processes.

Security researchers from Onapsis have given these vulnerabilities a CVSS score of 9.9, signalling their severity. They say that the flaws could be exploited in two ways. One – the wire transfer payment system could be manipulated, and the hacker could reroute invoice payments to a different bank account without leaving a trace behind.

The second way revolves around hackers using the Oracle EBS to create and print authentic bank checks. They can also disable and erase audit logs to make sure their nefarious deeds remain hidden.

Even though Oracle patched these vulnerabilities in April 2018 and April 2019, Onapsis believes that 21,000 Oracle customers are still vulnerable to these threats.

"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis, to IT Pro.

"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."

Sead Fadilpašić
