Oracle ERP Vulnerabilities

Monday, February 27, 2012 @ 12:02 PM gHale

There are eight vulnerabilities, some of them critical, in a popular Oracle enterprise resource planning (ERP) application.

The flaws range from holes that could allow an attacker to access all business information and files, query for passwords, and alter business information processed by the ERP, basically taking complete control of the system, said researchers at firm Onapsis, which found the holes. Patches for the vulnerabilities were in Oracle’s latest Critical Patch Update release, and these are the first public details of the flaws.

Patched Flaw; Unpatched System Brings Attacks
Survey: Enterprise Unprepared for Security
IT Vendors Slower to Patch
Google Looks at HTTPS Security
Patched Adobe Still has Victims

“We strongly suggest that all users apply the patches as soon as possible. Honestly, I don’t think they will do so,” said Mariano Nunez, chief executive of Onapsis.

“Many customers in our experience do not even apply security patches at all. Some only do when they upgrade, some once or twice a year, and some every quarter,” Nunez said. “We have still not seen any customers fully updated to the latest patches” in their ERP systems, he said.

That’s because ERP applications, like their closely coupled database applications, pose a patching conundrum for users. Applying patches to systems that run business-critical functions such as finances, sales, customer relationship management, and manufacturing, can be disruptive, time-consuming, and complicated. An ERP also undergoes a level of customization, so there’s always the danger of breaking some piece of the business process when installing a patch.

“The issue with ERP is complexity — [a] vastly complex core application, a very complicated database structure to support it, and you’ve got most companies using a huge number of customizations sitting on top of the application,” said Adrian Lane, CTO for Securosis.

Lane says the dependencies between the application and the database also present challenges when it comes to patching. He recommends patching the ERP application and its database at the same time so everything syncs up properly and users do not end up with downtime disruptions.

Onapsis first reported the flaws to Oracle in the fall of 2010. The bugs are technically design flaws versus pure security vulnerabilities, according to Juan Pablo Perez-Etchegoyen, CTO at Onapsis. “That is why they are hard to fix,” he said.

The critical or high-risk flaws include an arbitrary file-write flaw in JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 and older versions, which if exploited, would let an unauthenticated attacker remotely access or alter any business information in the ERP system. Onapsis said this in effect would mean a total compromise of the ERP infrastructure.

Another flaw found in the same products is an information disclosure flaw, which could allow an unauthenticated attacker to steal passwords of authorized users of the system. And a kernel flaw found by the researchers would allow an attacker to change configuration files and take over the ERP system.

Leave a Reply

You must be logged in to post a comment.