Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication.
The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be updated and the risk mitigated completely.
Researchers at Onapsis privately disclosed the flaw to Oracle in April, and published some details today. Chief technology officer Juan Perez-Etchegoyen told Threatpost that attackers looking to exploit the vulnerability are able to find exposed Oracle EBS instances through Google or Shodan searches.
He said an attacker would need to know the structure and EBS parameters to exploit the vulnerability.
“They would need to send a request with specific parameters, and those parameters skip the authentication process,” Perez-Etchegoyen said, adding that the vulnerable functionality in EBS could be exposed to the internet. “Many companies expose different modules to the internet if they need their vendors or customers to access different business processes. In that case, they would expose an application server, and when they do, multiple [Java] servlets and JSPs [Java Server Pages] are internet facing.”
Perez-Etchegoyen said that initial searches conducted by Onapsis found more than 1,000 EBS systems connected to the internet, but he estimates that number could be much higher.
Oracle EBS can be accessed through the browser and users can reach business data and also execute processes to handle critical business information. The suite includes applications that handle CRM, financials, service and supply chain management, procurement apps and much more, making it a juicy target for criminals looking to monetize stolen business data.
By successfully exploiting the vulnerability, an attacker could download all business documents stored in EBS using a single HTTP request. Onapsis said Oracle EBS versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are affected; this was patched along with 21 other EBS vulnerabilities, 10 of which were privately reported by Onapsis.
“This vulnerability allows anyone to capture documents that have been digitalized into the platform,” Perez-Etchegoyen said. “In real implementations, we’ve seen all sorts of different documents that are stored in EBS. We’ve even seen configuration files that could possibly be downloaded, along with resumes, PII, you name it, to anyone without credentials.”
Patching EBS, and other similar suites, is a challenge given the customizations and integrations involved.
“In terms of patching, the real challenge is understanding if the patch is breaking some real functionality or business process,” Perez-Etchegoyen said. “It requires a lot of testing and approvals. It’s not easier or harder; it will face the same challenges other types of patches face: finding the right change management window and the right resources to analyze potential impact and do the testing to make sure there is no business disruption.”
Researchers have increased their attention on ferreting out vulnerabilities in these critical business app suites from Oracle, SAP and others; renowned Oracle bug-hunter David Litchfield talked about the EBS attack surface last year during a Black Hat talk. These software bundles are critical to any business running them, and there is relatively little knowledge available on how to secure them, Onapsis said.
“We believe there will be more relevance to these attacks over time,” Perez-Etchegoyen said. “It may take more time to start seeing compromises and companies exposing information about breaches, but you can see that there are more patches and vulnerabilities identified by researchers and it’s getting more attention.”