Understanding the Oracle E-Business Suite Unauthorized Business Data Exfiltration Vulnerability
As part of our commitment to protect business critical applications and key business data, the Onapsis Research Labs continuously analyze threats and attack vectors affecting these critical applications.
In April 2017, the Onapsis Research Labs discovered and reported to Oracle numerous vulnerabilities, some of them critical, affecting Oracle E-Business Suite applications. One of these vulnerabilities enables attackers to exfiltrate sensitive business data without requiring a valid user account in the victim application, and it can be exploited over the Internet. This vulnerability has been fixed in the Oracle Critical Patch Update (CPU) of July 2017, released on Tuesday, July 18, 2017. This threat report aims to help Oracle EBS customers secure their systems against this critical vulnerability.
Frequently Asked Questions about the Oracle E-Business Suite Unauthorized Business Data Exfiltration Vulnerability
Q1: How critical is this vulnerability?
A1: Oracle E-Business Suite is exposed to an arbitrary document download vulnerability: anyone who can connect to the EBS web server, with no credentials required, can send a single, specific HTTP request and retrieve any document stored in the database. Depending on what information is stored in those tables, the impact can be highly critical to an organization.
Q2: How do I know if I am exposed?
A2: Any Oracle EBS system that has not applied the July 2017 CPU patch is exposed to this vulnerability, whether or not it is connected to the Internet. Internet-facing systems can be attacked by anyone on the Internet; internal systems can be attacked by anyone able to reach the EBS web server on the internal network.
Q3: Where can I find this critical Patch?
A3: Organizations can protect themselves by applying the security patch below, released in the July 2017 Oracle CPU:
- Oracle Patch ID 2270270.1
Q4: What data and processes can be compromised if this vulnerability is exploited?
A4: By exploiting this vulnerability, attackers can exfiltrate sensitive business data stored in the EBS database, which may include invoices, purchase orders, HR information and design documents.
Q5: How did the Onapsis Research Labs discover this vulnerability?
A5: As part of our commitment to protect business critical applications and key business data, the Onapsis Research Labs continuously analyze threats and attack vectors affecting these critical applications. Because of the critical nature of Oracle EBS, our team has been researching it and helping Oracle fix security vulnerabilities in it for the past two years.
Q6: What is Oracle E-Business Suite?
A6: Oracle E-Business Suite is a collection of enterprise resource planning (ERP), customer relationship management (CRM) and supply chain management (SCM) applications, either developed or acquired by Oracle. The software runs on Oracle's core relational database management system, Oracle Database.
Most Oracle EBS functionality is exposed through a web server: EBS users connect with a browser to access business data and execute business processes. These processes handle the critical information an organization needs to operate day to day. Some key business processes housed in Oracle E-Business Suite include:
- Customer Relationship Management
- Service Management
- Financial Management
- Human Capital Management
- Project Portfolio Management
- Advanced Procurement
- Supply Chain Management
- Value Chain Planning and Execution
Q7: Has this vulnerability been exploited against any Oracle customers?
A7: We have no evidence of this vulnerability being exploited in the wild to date.
Q8: How is this vulnerability more critical than others released for Oracle E-Business Suite (EBS)?
A8: This vulnerability is more critical because of the level of access an attacker can achieve with it: without any credentials, an attacker can exfiltrate sensitive business data, which could include invoices, purchase orders, HR information and design documents, among others.
Q9: How do I mitigate this vulnerability in Oracle EBS systems?
A9: Organizations should immediately apply Oracle Patch ID 2270270.1, released by Oracle in the July 2017 CPU. Until the patch is applied, restrict network access to the EBS web server to the users and networks that need it, since the attack requires nothing more than the ability to reach the web server.
Oracle’s Response to the Vulnerability Submission
Q11: When did you notify Oracle about these vulnerabilities and how quickly did they patch?
A11: The Onapsis Research Labs reported this vulnerability in April 2017. Oracle's security response team worked diligently to patch the vulnerability and remained in constant communication with Onapsis to confirm they fully understood the technical details, so that the correct patch could be included in the July CPU. Below is a short timeline of the correspondence between Onapsis and Oracle.
- April 2017: Onapsis Submits Vulnerabilities to Oracle
- July 2017: Oracle Confirms Vulnerabilities to be Patched in next CPU
- July 18, 2017: Oracle Releases CPU containing Patches
About Onapsis’ Oracle E-Business Suite Expertise
Q12: How many vulnerabilities in Oracle EBS has the Onapsis Research Labs helped Oracle fix to date?
A12: The Onapsis Research Labs has discovered more than 240 vulnerabilities in Oracle business applications, has helped Oracle fix over 57% of all reported EBS vulnerabilities, and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including its impact on the business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
Q13: How does the Onapsis Research Labs work with Oracle?
A13: When the Onapsis Research Labs identifies a potential weakness, we immediately notify Oracle so they can begin fixing it. The Onapsis Research Labs provides the vendor with all the information needed to produce the patch as quickly as possible.