High-profile cyber-risks reveal unauthorized users could perform Cross Site Scripting, Denial of Service, Password Disclosure and User Creation attacks
Boston, MA – July 28, 2016 – Onapsis, the global experts in business-critical application security, today released new security advisories detailing vulnerabilities in Oracle E-Business Suite and Oracle JD Edwards. Included in the advisories are three “critical risk” vulnerabilities for Oracle JD Edwards that could be used to achieve administrative rights and potentially compromise the entire JDE landscape. These vulnerabilities pose a potential risk to Oracle JD Edwards customers who use JD Edwards 9.1 EnterpriseOne Server software to run their business.
“In addition to the urgent ‘critical risk’ vulnerabilities, these advisories are the first of dozens to be released for Cross Site Scripting vulnerabilities that we’ve reported to Oracle. When an attacker exploits this type of vulnerability, code is executed on the end users machine. If an organization uses more of the suite’s applications and has larger deployments, there are a greater number of users who have access to the system – therefore creating greater risk for the organization. Remediation for this type of attack is extremely critical to prioritize as it poses a higher risk to the organization compared to other types of vulnerabilities,” said Matias Mevied, Senior Oracle Security Researcher, Onapsis.
As a core business application, Oracle E-Business Suite manages critical information such as Financial, Human Resources and Customer data, Project Portfolio Management, Procurement, and Supply Chain Management. Oracle's JD Edwards EnterpriseOne is an integrated applications suite of comprehensive enterprise resource planning software that combines business value, standards-based technology, and deep industry experience into a business solution with a low total cost of ownership.
Vulnerabilities affecting Oracle E-Business Suite include:
- Oracle E-Business Suite Cross Site Scripting (XSS)
· By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.
Vulnerabilities affecting Oracle JD Edwards include:
- JD Edwards JDENet Password Disclosure
· By exploiting this vulnerability, an unauthenticated attacker could achieve administrative rights and would be able to potentially compromise all information stored and processed on the JDE System.
- JD Edwards Server Manager Password Disclosure
· By exploiting this vulnerability, an unauthenticated attacker could retrieve the administration user and passwords from the Server Manager. This could lead to a potential compromise of the entire JDE landscape hence all of its information and processes.
- JD Edwards Server Manager Create users
· By exploiting this vulnerability, an unauthenticated attacker could create users in the Server Manager, ultimately compromising the entire JDE landscape and all of its information and processes.
The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business-context, and provide sound security guidance to the market. The team has reported more than 300 SAP and Oracle vulnerabilities, has released over 150 advisories to date and has worked with DHS on the release of the first ever US-CERT Alert for SAP Business Applications. In Oracle’s July Critical Patch Update, 15 of the vulnerabilities patched were disclosed by the Onapsis Research Labs.
Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
The advisories are publicly available at: http://www.onapsis.com/research/advisories.
About Onapsis Research Labs™
SAP and Oracle Security Threat Intelligence is produced by Onapsis Research Labs, a team of leading security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security judgment to the market. The team works closely with SAP and Oracle product security teams to responsibly deliver the information to customers and has released over 150 advisories to date, with over 35 affecting SAP HANA; has consulted on impact with over 180 Onapsis enterprise customers; and regularly presents at leading security and SAP conferences around the world. Onapsis was the first to deliver “SAP Security In Depth” publications that provide detailed analysis on security risks impacting SAP and SAP HANA. The latest SAP Security In-Depth, Volume XII: SAP HANA System Security Review Part 1, is now available for download: https://www.onapsis.com/research/publications/volume-xii-sap-hana-system-security-review-part-1.
Onapsis provides the most comprehensive solutions for securing SAP and Oracle enterprise applications. As the leading experts in SAP and Oracle cyber-security, Onapsis’ patented solutions enable security and audit teams to have visibility, confidence and control of advanced threats, cyber-risks and compliance gaps affecting their enterprise applications.
Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.
Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.
These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.
Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.
For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.