Oracle E-Business Suite servers vulnerable to full data leaks

Patch now or risk regulatory data breach wrath.

Critical flaws in Oracle's E-Business Suite can be exploited to easily access and capture any documents stored in the enterprise software platform.

Security vendor Onapsis discovered the issue, and said it is easy to exploit.

Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are exposed to an arbitrary documents download vulnerability.

Anyone who can connect to an E-Business Suite web server can access any document stored there with a single HTTP request. No access credentials are required to make the server fulfil the request, Onapsis said.

"This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it," chief technology officer of Onapsis, Juan Perez-Etchegoyen, said.

Any number of critical documents could be stored in the system, including invoices, purchase orders, HR information, and design drafts.

Even systems in isolated demilitarised zone mode are vulnerable, Perez-Etchegoyen said.

Oracle addressed the vulnerability in its most recent critical patch update (CPU) set of security fixes. In total, 22 vulnerabilities in the E-Business Suite have been patched.

Onapsis said it had identified over a thousand networked E-Business systems that could be affected by the flaw, and is advising Oracle customers to immediately apply the security patches.

It warned that a failure to secure vulnerable systems could violate data storage and privacy regulation compliance and lead to legal and financial liabilities for organisations.

Copyright © iTnews.com.au . All rights reserved.