It has been reported that two critical security vulnerabilities in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution. The Oracle EBS improper access control flaws come with CVSS scores of 9.9 out of 10. If successfully exploited in an attack, the two security flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers. At the moment, Onapsis’ research team estimates that approximately 50% of all Oracle EBS customers have not yet deployed the patches.
Two highly critical vulnerabilities in Oracle's E-Business Suite could put firms who haven't patched the flaws at risk of their systems getting hacked for illicit payments and other financial fraud. https://t.co/4YhwdMBSAj
— Taslet Security (@TasletCom) November 21, 2019
The Oracle EBS improper access control flaw should act as a stark reminder for enterprises of the importance of patching and updating software, particularly for high severity vulnerabilities and those that impact critical systems, like payments. According to the research, an estimated 50% of all Oracle EBS customers have not deployed a patch despite one being available in April 2019. This points to organisations lacking proper cyber hygiene practices or the inability to detect and prioritise patches. Because of the financial risk involved, it is recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities, and in the longer term make investments into next generation SIEM technology that can make this process easier.
Unfortunately, hackers are aware that traditional ERP systems lack the granular logging and analytics features required to detect unauthorized activity. A vulnerability that can be exploited against a customer who may not be current on their security updates raises the risk of a data breach exponentially. Organizations must take additional steps to enhance their levels of visibility and control over their ERP data – and all of the user activity taking place around it.