Oracle EBS Vulnerabilities Allow Hackers to Tamper With Financial Records
2020-06-16 12:36

Two vulnerabilities recently patched by Oracle in its E-Business Suite (EBS) solution can be exploited by hackers for various purposes, including tampering with an organization's financial records.

Researchers at Onapsis, a company that specializes in protecting business-critical applications, last year discovered several vulnerabilities in Oracle EBS. Some of the flaws were patched by the vendor in April 2019, but two of them, which Onapsis has dubbed "BigDebIT," were only fixed with the critical patch update released by Oracle in January 2020.

An attacker who has successfully exploited these security holes, tracked as CVE-2020-2586 and CVE-2020-2587, can take control of the EBS environment. Both flaws sit in the Hierarchy Diagrammers component of the Oracle Human Resources product, are exploitable over the network with low attack complexity, and carry a critical CVSS score of 9.9 (see the vulnerability table below). Onapsis, however, has highlighted an exploitation scenario that targets a different module: the General Ledger application in EBS. General Ledger is a popular financial management tool designed to help organizations keep track of transactions and ensure compliance. Organizations running EBS should confirm that the January 2020 critical patch update is applied, since that is the release that fixes both issues.

"Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process," Onapsis explained in a report.

"The level of effort required by internal and external resources, in terms of labor hours and fees, will be significant. Despite an organization's best efforts, this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction," the company added.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/XpB4cAQKatM/oracle-ebs-vulnerabilities-allow-hackers-tamper-financial-records

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                  VECTOR   COMPLEXITY  VENDOR  RISK      CVSS SCORE
2020-01-15  CVE-2020-2586  Unspecified vulnerability in Oracle Human Resources  network  low         oracle  critical  9.9
            Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers).
2020-01-15  CVE-2020-2587  Unspecified vulnerability in Oracle Human Resources  network  low         oracle  critical  9.9
            Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers).

Related vendor

VENDOR  #/PRODUCTS  VULNERABILITIES IN LAST 12 MONTHS (LOW / MEDIUM / HIGH / CRITICAL / TOTAL)
Oracle  698         249 / 2225 / 1709 / 366 / 4549