Patch 'Easily Exploitable' Oracle EBS Flaws ASAP: Onapsis

Organizations that have not yet applied a pair of months-old critical patches from Oracle for E-Business Suite are at risk of attacks on their financial systems, the application security firm says.

Two highly critical vulnerabilities in Oracle's E-Business Suite could put firms who haven't patched the flaws at risk of their systems getting hacked for illicit payments and other financial fraud.


Exploitation of the vulnerabilities could allow, for example, an attacker to create a supplier in the system, add a bank account, and then issue payments to that supplier — all without approvals, according to cybersecurity firm Onapsis, which issued an advisory today that details the possible exploitation techniques attackers could employ against the EBS vulnerabilities.


Oracle fixed the EBS issues in its April 2019 critical patch update, but companies are often slow to apply such fixes, because they cannot risk disruption to their enterprise resource planning (ERP) software, a critical component of operations, says Juan-Perez Etchegoyen, chief technology officer for Onapsis.


The vulns, which affect two components of Oracle's EBS, are "easily exploitable," according to the official description in the National Vulnerability Database.


"We don't have any numbers, but we know that customers tend to take months to years to apply (ERP software) patches — that is a reality for ERP customers," he says. "They need to get into a more frequent cadence, because otherwise it is just too slow."


The issues are the latest to plague enterprise resource planning (ERP) software, highly complex platforms that are often critical to business operations. The platforms have often been only used on-premise, with Internet capabilities added afterwards, exposing them to t ..
