Oracle E-Business Suite servers vulnerable to full data leaks


Patch now or risk regulatory data breach wrath.

Critical flaws in Oracle's E-Business Suite can be exploited to easily access and capture any documents stored in the enterprise software platform.

Security vendor Onapsis discovered the issue, and said it is easy to exploit.

Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are exposed to an arbitrary documents download vulnerability.

Anyone who can connect to an E-Business Suite web server can access any document stored there with a single HTTP request. No access credentials are required to make the server fulfil the request, Onapsis said.

"This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it," chief technology officer of Onapsis, Juan Perez-Etchegoyen, said.

Any number of critical documents could be stored in the system, including invoices, purchase orders, HR information, and design drafts.

Even systems in isolated demilitarised zone mode are vulnerable, Perez-Etchegoyen said.

Oracle addressed the vulnerability in its most recent critical patch update (CPU) set of security fixes. In total, the E-Business Suite had 22 vulnerabilities that have been patched.

Onapsis said it had identified over a thousand networked E-Business systems that could be affected by the flaw, and is advising Oracle customers to immediately apply the security patches.

It warned that a failure to secure vulnerable systems could violate data storage and privacy regulation compliance and lead to legal and financial liabilities for organisations.

Copyright © iTnews.com.au . All rights reserved.