Oracle E-Business Suite servers vulnerable to full data leaks

Patch now or risk regulatory data breach wrath.

Critical flaws in Oracle's E-Business Suite can be exploited to easily access and capture any documents stored in the enterprise software platform.

Security vendor Onapsis discovered the issue, and said it is easy to exploit.

Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are exposed to an arbitrary document download vulnerability.

Anyone who can connect to an E-Business Suite web server can access any document stored there with a single HTTP request. No access credentials are required to make the server fulfil the request, Onapsis said.

"This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it," chief technology officer of Onapsis, Juan Perez-Etchegoyen, said.

Any number of critical documents could be stored in the system, including invoices, purchase orders, HR information, and design drafts.

Even systems in isolated demilitarised zone mode are vulnerable, Perez-Etchegoyen said.

Oracle addressed the vulnerability in its most recent critical patch update (CPU) set of security fixes. In total, the E-Business Suite had 22 vulnerabilities that have been patched.

Onapsis said it had identified over a thousand networked E-Business systems that could be affected by the flaw, and is advising Oracle customers to immediately apply the security patches.

It warned that a failure to secure vulnerable systems could violate data storage and privacy regulation compliance and lead to legal and financial liabilities for organisations.

Copyright © iTnews.com.au. All rights reserved.