Q&A: BigDebIT Vulnerabilities Put Thousands of Oracle E-Business Suite Customers’ Financials at Risk
We sat down with Sebastian Bortnik, Director of Research at Onapsis, to discuss the company's Threat Research Report about critical vulnerabilities that the Onapsis Research Labs found in the Oracle E-Business Suite. The company recently worked with the Oracle Security Response Team to fix these vulnerabilities in Oracle’s January 2020 Critical Patch Update.
How did you come across the vulnerability?
As the director of research for the Onapsis Research Labs, I lead a team of dedicated security experts focused on finding, sharing, and analyzing threats to mission-critical applications with a business context.
The team found two critical vulnerabilities with CVSS scores of 9.9 out of 10 in the Oracle E-Business Suite (EBS) application. We worked with the Oracle Security Response team to identify these vulnerabilities and they issued patches earlier in the year.
However, due to the shift to remote work, there has been a delay in security response, including patch management, and an increased level of unsafe remote access to Oracle EBS applications. These rapid changes have challenged IT and security teams so much that Onapsis estimates that 50% of Oracle’s 21,000 EBS customers are still at risk today.
What does this vulnerability mean for users?
The BigDebIT vulnerabilities can be exploited against any Oracle EBS application. The threat report we shared on June 16 shows a potential exploit against Oracle’s General Ledger - one of the financial application modules in Oracle EBS. A successful attacker could gain unauthenticated access (no username or password needed) to Oracle General Ledger to manipulate an organization’s financial statements, impacting its financial integrity and reputation.
For publicly traded companies, having the BigDebIT vulnerabilities on your Oracle EBS systems may present a deficiency in IT General Controls for Sarbanes-Oxley (SOX) compliance. This could result in a SOX compliance violation that could negatively impact the company’s financials, resulting in penalties and fines against the company and its executive leaders.
Beyond compliance, BigDebIT vulnerabilities can be exploited to perform many types of critical attack scenarios on all Oracle EBS applications, such as stealing sensitive information, modifying business data, and deleting information, which can cause severe business disruption. Potential exploits on these applications could lead to significant breaches and violate privacy regulations, such as GDPR, CCPA, and others.
What should users do to mitigate risk? Is there a patch available?
Segregation of duties, access controls, web application firewalls, and other traditional security products cannot prevent or detect unauthenticated exploits on the BigDebIT vulnerabilities because they do not require a username or password.
Onapsis recommends customers remain on actively supported versions of Oracle EBS, apply security updates promptly, and follow security best practices. Onapsis also recommends diligent vulnerability management and continuous assessment of mission-critical applications with a solution such as the Onapsis Platform. To ensure protection against the BigDebIT vulnerabilities, Onapsis encourages all Oracle EBS users to implement the following patches as soon as possible: CVE-2020-2586 and CVE-2020-2587.