Security News > 2020 > June > Oracle EBS Vulnerabilities Allow Hackers to Tamper With Financial Records
Two vulnerabilities patched recently by Oracle in its E-Business Suite solution can be exploited by hackers for various purposes, including to tamper with an organization's financial records.
Researchers at Onapsis, a company that specializes in protecting business-critical applications, last year discovered several vulnerabilities in Oracle EBS. Some of the flaws were patched by the vendor in April 2019, but two of them, which Onapsis has dubbed "BigDebIT," were only fixed with the critical patch update released by Oracle in January 2020.
An attacker who has successfully exploited these security holes, tracked as CVE-2020-2586 and CVE-2020-2587, can take control of the EBS environment, but Onapsis has highlighted an exploitation scenario targeting the General Ledger application in EBS. General Ledger is a popular financial management tool designed to help organizations keep track of transactions and ensure compliance.
"Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process," Onapsis explained in a report.
"The level of effort required by internal resources, external resources in terms of labor hours and fees will be significant. Despite an organization's best efforts this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction," the company added.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-15 | CVE-2020-2586 | Unspecified vulnerability in Oracle Human Resources Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). | 9.9 |
2020-01-15 | CVE-2020-2587 | Unspecified vulnerability in Oracle Human Resources Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). | 9.9 |