If your business is based on Oracle's E-Business Suite (EBS), make sure you have recently updated and are running the latest version of the software.
Cybersecurity company Onapsis today released a report disclosing technical details of vulnerabilities in Oracle's E-Business Suite (EBS), a comprehensive group of applications designed to automate the CRM, ERP and SCM operations of organizations.
The two vulnerabilities, described as "BigDebIT" and rated 9.9, were fixed by Oracle in a Critical Patch Update (CPU) released earlier this January. However, the company said about 50 percent of Oracle EBS customers have not yet applied the patches.
The security vulnerabilities could be exploited by attackers to target accounting tools such as General Ledger in an attempt to steal sensitive information and commit financial fraud.
According to the researchers, "an unauthorized hacker could carry out an automated operation in the General Ledger section to extract data from a company (such as cash) and modify the spreadsheets without leaving any traces."
"Successful exploitation of this vulnerability would allow an intruder to steal financial data and cause delays in any financial report related to a company's compliance procedures," the researchers added.
It is worth noting that the BigDebIT attack vectors "add" to the previously disclosed PAYDAY vulnerabilities in EBS, which Onapsis discovered three years ago and which Oracle addressed in a series of updates through April 2019.
Identified as CVE-2020-2586 and CVE-2020-2587, the new flaws are found in the Oracle Human Resources Management System (HRMS), in a component called Hierarchy Diagrammer that lets users create organization charts for a business. When chained together, they can be exploited even if EBS customers have updated their systems with the patches released in April 2019.
"The difference is that with these code updates, it is confirmed that even systems that are up to date are vulnerable to these attacks, and therefore priority should be given to installing the January CPU," the company said in a statement in January.
One consequence of these flaws, if left unpatched, is the possibility of financial fraud and theft of a company's confidential information.
Oracle General Ledger is automated financial processing software that acts as a repository of accounting information and is offered as part of the E-Business Suite, the company's comprehensive line of applications covering enterprise resource planning (ERP), supply chain management (SCM) and customer relationship management (CRM), which organizations can apply to their own operations.
General Ledger is also used to create corporate financial reports.
An intruder could exploit either of the flaws to modify critical elements in a company's balance sheet.
The news has not yet been officially confirmed by Oracle.