Thousands Of Enterprises At Risk Due To Oracle EBS Critical Flaws – Experts Comments

It has been reported that two critical security vulnerabilities in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution. The Oracle EBS improper access control flaws come with CVSS scores of 9.9 out of 10. If successfully exploited in an attack, the two security flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers. At the moment, Onapsis’ research team estimates that approximately 50% of all Oracle EBS customers have not yet deployed the patches.

Notify of

2 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Robert Ramsden Board
InfoSec Expert
November 22, 2019 4:02 am

The Oracle EBS improper access control flaw should act as a stark remind for enterprises of the importance of patching and updating software, particularly for high severity vulnerabilities and those that impact critical systems, like payments. According to the research, an estimated 50% of all Oracle EBS customers have not deployed a patch despite one being available in April 2019. This points to organisations lacking proper cyber hygiene practices or the inability to detect and prioritise patches. Because of the financial risk involved, it is recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities; and in the longer term, make investments into next generation SIEM technology that can make this process easier.

Last edited 2 years ago by Robert Ramsden Board
Piyush Pandey
InfoSec Expert
November 22, 2019 3:59 am

Unfortunately, hackers are aware that traditional ERP systems lack the granular logging and analytics features required to detect unauthorized activity. Having a vulnerability that exploits a customer who may not be current on their security updates, raises the risk of a data breach exponentially. Organizations must take additional steps to enhance their levels of visibility and control over their ERP data – and all of the user activity taking place around it.

Last edited 2 years ago by Piyush Pandey
Information Security Buzz
Would love your thoughts, please comment.x