IT Security Guru
Onapsis Reveals Oracle E-Business Suite Vulnerability

Attackers can exploit the vulnerabilities to commit wire fraud or to print pre-approved cheques

by Colin Harper
November 20, 2019
in Featured, Hacking News, News
Onapsis Threat Report Oracle Payday

Onapsis, the leading provider of business application protection, has revealed new threat research into recently discovered vulnerabilities in Oracle E-Business Suite, an attack chain it calls Oracle PAYDAY.

The attack scenarios exploit two vulnerabilities in Oracle EBS, each rated 9.9 out of 10 on the CVSS scale. Oracle EBS is Oracle's ERP software, installed at up to 21,000 companies. Onapsis discovered and reported the vulnerabilities to Oracle, which issued patches earlier this year, yet Onapsis estimates that 50% of Oracle EBS customers have not deployed them. Because Oracle EBS is built largely on Java, the attack would be relatively simple to carry out for anyone with knowledge of Java and Oracle EBS.

The Onapsis threat research details two attack scenarios:

  • Malicious manipulation of the wire transfer payment process through unauthenticated access (bypassing segregation of duties and access controls), through which an attacker can alter approved EFTs in the EBS system to reroute invoice payments to an attacker-controlled bank account, leaving no trace.
  • Creating and printing approved bank cheques through the Oracle EBS cheque printing process, then disabling and erasing audit logs to cover up the activity.
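As an added example (not code from Onapsis, Oracle, or this article), the following Python models a compensating control against both scenarios above: the fields an approver signed off on are sealed with an HMAC at approval time, so any later edit to the destination account or amount fails verification before the EFT file is sent, and the audit trail's sequence numbers are checked for gaps that would betray deleted or suspended logging. The record layout, field names, the SEAL_KEY and the sample batch are constructed for illustration and are not Oracle EBS's schema or API.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical key held by the approval workflow, separate from the
# application account an unauthenticated attacker would be abusing.
SEAL_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Payment:
    payment_id: str
    supplier: str
    amount_cents: int
    bank_account: str   # destination account the EFT pays into


def approval_seal(p: Payment, key: bytes = SEAL_KEY) -> str:
    """HMAC-SHA256 over the fields an approver signed off on. Computed once at
    approval; any later edit to these fields no longer matches it."""
    canon = json.dumps(
        {"id": p.payment_id, "supplier": p.supplier,
         "amount": p.amount_cents, "account": p.bank_account},
        sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def find_tampered(approved_seals: dict, batch: list, key: bytes = SEAL_KEY) -> list:
    """Ids of payments in the outgoing batch whose seal no longer verifies
    (fields edited after approval) or that were never approved at all."""
    flagged = []
    for p in batch:
        seal = approved_seals.get(p.payment_id)
        if seal is None or not hmac.compare_digest(seal, approval_seal(p, key)):
            flagged.append(p.payment_id)
    return flagged


def audit_gaps(seen_seq: list) -> list:
    """Missing (start, end) ranges in a monotonically numbered audit trail.
    A non-empty result means rows were deleted or logging was switched off."""
    gaps = []
    prev = None
    for s in sorted(set(seen_seq)):
        if prev is not None and s > prev + 1:
            gaps.append((prev + 1, s - 1))
        prev = s
    return gaps


# Constructed sample data: the batch as it was approved.
approved = [
    Payment("P-1001", "Acme Supplies Ltd", 1250000, "GB29NWBK60161331926819"),
    Payment("P-1002", "Globex Corp",        899900, "GB82WEST12345698765432"),
]
approved_seals = {p.payment_id: approval_seal(p) for p in approved}

# The batch as read back just before transmission: P-1002's account has been
# redirected and P-1003 was injected without ever passing through approval.
outgoing = [
    Payment("P-1001", "Acme Supplies Ltd", 1250000, "GB29NWBK60161331926819"),
    Payment("P-1002", "Globex Corp",        899900, "GB94BARC10201530093459"),
    Payment("P-1003", "Globex Corp",        450000, "GB94BARC10201530093459"),
]

if __name__ == "__main__":
    print("tampered or unapproved:", find_tampered(approved_seals, outgoing))
    # Audit rows 1..12 were expected; 6-8 and 11 are absent.
    print("audit gaps:", audit_gaps([1, 2, 3, 4, 5, 9, 10, 12]))
```

The seal only helps if the key is not reachable from the compromised application tier; in practice it would live with the bank-file transmission step or a separate signing service, and the gap check should run against an audit store the EBS application account cannot purge.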

The severity of these vulnerabilities follows from how central ERP systems such as Oracle EBS are to global business: 77% of global revenue passes through an ERP system at some point, and Oracle's several thousand EBS customers are only a proportion of that. In 2017, Oracle itself ran a simulation using a realistic financial structure derived from a typical large enterprise, based on more than 25 years' experience with ERP deployments. The simulation showed that it was possible to create 1,000,000 payments per hour through 7,000,000 imported invoice lines. Successful PAYDAY exploits could therefore go unnoticed among so many transactions.

Commenting on the threat report, Mariano Nunez, CEO and co-founder of Onapsis, said:

“This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world’s largest and most relied upon organisations are vulnerable to attackers stealing potentially billions. The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls.”

The threat report is available here, and the demo video demonstrating how users can manipulate the process can be found here.

All organisations running Oracle EBS should confirm that the patches Oracle issued for these vulnerabilities have actually been applied. A patch closes the reported vulnerabilities but does not protect against every future one, so the compensating controls Onapsis recommends around the payment and cheque-printing processes are still worth having.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic