If your business operations and security of sensitive data rely on Oracle’s E-Business Suite (EBS), make sure you recently updated and are running the latest available version of the software.
In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in Oracle’s E-Business Suite (EBS), an integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations.
The two vulnerabilities, dubbed “BigDebIT” and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date.
The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud.
According to the researchers, “an unauthenticated hacker could perform an automated exploit on the General Ledger module to extract assets from a company (such as cash) and modify accounting tables, without leaving a trace.”
“Successful exploitation of this vulnerability would allow an attacker to steal financial data and cause delays in any financial reporting related to the company’s compliance processes,” it added.
It’s worth noting that the BigDebIT attack vectors add to the already reported PAYDAY vulnerabilities in EBS discovered by Onapsis three years ago, following which Oracle released a series of patches as late as April 2019.
Targeting General Ledger for Financial Fraud
Tracked as CVE-2020-2586 and CVE-2020-2587, the new flaws reside in Oracle EBS's Human Resources Management System (HRMS), in a component called Hierarchy Diagrammer that lets users create the organization and position hierarchies associated with an enterprise. Together, they can be exploited even on EBS deployments that have applied the patches released in April 2019.
“The difference is that with these patches, it is confirmed that even systems that are up to date are vulnerable to these attacks, and therefore need to prioritize the installation of January’s CPU,” the company had stated in a note posted back in January.
One consequence of these bugs, if left unpatched, is the possibility of financial fraud and confidential information theft by attacking a firm’s accounting systems.
Oracle General Ledger is automated financial processing software that acts as the repository of an organization’s accounting information. It is offered as part of E-Business Suite, the company’s integrated suite of applications — spanning enterprise resource planning (ERP), supply chain management (SCM), and customer relationship management (CRM) — that organizations deploy to run their own businesses.
General Ledger is also used to generate corporate financial reports and to carry out audits that demonstrate compliance with the Sarbanes-Oxley (SOX) Act of 2002.
An attacker could undermine the trust placed in those reports by exploiting the flaws to modify critical records in the ledger, including fraudulently manipulating transactions that feed a firm’s balance sheet.
“For example, an attacker could modify the Trial Balance Report, which summarizes accounting balances in a given period, virtually unnoticed, resulting in inaccurately reported results flowing undetected into the financial statements. This could result in inaccurately filed or reported financial results,” Onapsis said.
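The Trial Balance scenario above is a detection problem as much as a patching one: a tampered report can still sum to zero, so checking that debits equal credits proves nothing. One defensive control is to reconcile the reported balances against the posted journal lines they are supposed to summarize. The following is an added, self-contained illustration of that reconciliation, not code from Onapsis, Oracle, or the article; the journal lines and trial-balance figures are constructed sample data, and the account names and period label are assumptions chosen for the example.

```python
"""Reconcile a reported trial balance against posted journal lines.

Added example: constructed data, not Oracle EBS output. The point it
demonstrates is that a manipulated trial balance can remain "balanced"
(debits == credits) while disagreeing with the journals behind it, so
only a reconciliation against the posted entries reveals the change.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class JournalLine:
    account: str      # hypothetical account name
    period: str       # accounting period label, e.g. "2020-01"
    debit: Decimal
    credit: Decimal


# Constructed journal for one period: a 1000 sale received in cash and
# a 200 expense paid from cash. Every entry is double-sided.
SAMPLE_JOURNAL = [
    JournalLine("Cash", "2020-01", Decimal("1000"), Decimal("0")),
    JournalLine("Revenue", "2020-01", Decimal("0"), Decimal("1000")),
    JournalLine("Expense", "2020-01", Decimal("200"), Decimal("0")),
    JournalLine("Cash", "2020-01", Decimal("0"), Decimal("200")),
]

# What the Trial Balance Report should show for that period
# (net balance per account, debits positive, credits negative).
CLEAN_TB = {
    "Cash": Decimal("800"),
    "Revenue": Decimal("-1000"),
    "Expense": Decimal("200"),
}

# Constructed tampered report: 300 of cash and revenue "removed".
# Note that it still sums to zero, so it looks balanced.
TAMPERED_TB = {
    "Cash": Decimal("500"),
    "Revenue": Decimal("-700"),
    "Expense": Decimal("200"),
}


def expected_balances(lines, period):
    """Net balance per account computed from posted journal lines."""
    balances = defaultdict(Decimal)
    for line in lines:
        if line.period == period:
            balances[line.account] += line.debit - line.credit
    return dict(balances)


def trial_balance_is_balanced(reported):
    """The naive check: do the reported balances net to zero?"""
    return sum(reported.values(), Decimal("0")) == 0


def reconcile_trial_balance(reported, lines, period):
    """Return (account, reported, expected) for every account whose
    reported balance differs from the journal-derived balance.
    An empty list means the report agrees with the posted entries."""
    expected = expected_balances(lines, period)
    discrepancies = []
    for account in sorted(set(reported) | set(expected)):
        rep = reported.get(account, Decimal("0"))
        exp = expected.get(account, Decimal("0"))
        if rep != exp:
            discrepancies.append((account, rep, exp))
    return discrepancies


if __name__ == "__main__":
    for name, tb in (("clean", CLEAN_TB), ("tampered", TAMPERED_TB)):
        balanced = trial_balance_is_balanced(tb)
        diffs = reconcile_trial_balance(tb, SAMPLE_JOURNAL, "2020-01")
        print(f"{name}: balanced={balanced}, discrepancies={diffs}")
```

Run against the constructed data, the tampered report passes the debits-equal-credits check but the reconciliation flags Cash (500 reported vs 800 expected) and Revenue (-700 vs -1000). In practice the journal side of the comparison should come from a source the EBS application tier cannot rewrite, such as an independently retained export or database-level audit trail; otherwise an attacker who can alter accounting tables can alter both sides.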
The Importance of Patching Critical Software
Given the financial risk involved, it is highly recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities, and apply the patches to fix them.
“Organizations need to be aware that current GRC tools and other traditional security methods (firewalls, access controls, SoD and others) would be ineffective against preventing this type of attack on vulnerable Oracle EBS systems,” the researchers cautioned.
“If organizations have internet-facing Oracle EBS systems, the potential threat likelihood would be significantly magnified. Organizations under attack will be unaware of the attack and not know the extent of the damage until evidence is found by a very extensive internal or external audit.”