Researchers at security firm Onapsis have disclosed two vulnerabilities in Oracle E-Business Suite (EBS), Oracle's suite of enterprise applications for finance, human resources and other business operations that process sensitive business data. Onapsis reported the flaws to Oracle through a responsible disclosure process.
The two vulnerabilities, dubbed "BigDebIT", received a score of 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS) scale and were fixed in early 2020 through Oracle's January 2020 Critical Patch Update. It should be noted that Onapsis estimates that more than 50% of customers running the affected software have not yet installed the update.
According to the researchers, threat actors could exploit these flaws to compromise Oracle's accounting tools, extract sensitive information and commit financial fraud: "An unauthenticated hacker could exploit these vulnerabilities to steal sensitive information in the General Ledger module, which would put the assets of the affected companies at risk," the experts noted.
The flaws, tracked as CVE-2020-2586 and CVE-2020-2587, reside in Oracle's Human Resources Management System (HRMS), specifically in a component called Hierarchy Diagrammer, which lets users define organizations and reporting hierarchies that reflect the company's structure. The two flaws can be chained, and they affect Oracle systems that received last year's updates: "Systems upgraded in April 2019 could also be exploited, so it is vital that users install the emergency patches, released in January 2020," the Onapsis report says.
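Since the article stresses that many EBS customers have not applied the January 2020 fixes, the first thing an administrator wants is a way to confirm whether their own instance has them. The following SQL is an added example, not code from the article, from Onapsis or from Oracle; it queries the standard EBS patch-tracking tables (APPS.FND_PRODUCT_GROUPS, APPS.AD_BUGS, APPS.AD_APPLIED_PATCHES) as the APPS user. The specific patch numbers for CVE-2020-2586 and CVE-2020-2587 are not given on this page, so the bug number '99999999' below is a hypothetical placeholder to be replaced with the numbers listed in Oracle's January 2020 Critical Patch Update advisory for the matching EBS release.

```sql
-- Added example (not from the original article, Onapsis or Oracle).
-- Run as APPS against the EBS database to check whether the January 2020
-- CPU fixes are recorded. '99999999' is a hypothetical placeholder; take the
-- real bug numbers from Oracle's January 2020 CPU advisory for EBS.

-- 1. Which EBS release is this? R12.1 and R12.2 use different patch numbers,
--    so the release decides which advisory line applies.
SELECT release_name
  FROM apps.fnd_product_groups;

-- 2. Has the fix (by bug number) been recorded by adpatch/adop?
--    Zero rows returned means the patch is NOT applied on this instance.
SELECT bug_number, creation_date
  FROM apps.ad_bugs
 WHERE bug_number = '99999999';   -- hypothetical placeholder

-- 3. List patches applied since the start of 2020 so the CPU can be
--    located by date even if the bug number is not known offhand.
SELECT patch_name, applied_patch_id, creation_date
  FROM apps.ad_applied_patches
 WHERE creation_date >= DATE '2020-01-01'
 ORDER BY creation_date DESC;
```

Query 2 is the authoritative check: AD_BUGS records every bug fix that a successfully applied patch delivered, so a missing row for the CPU bug number means the Hierarchy Diagrammer fix is absent regardless of what the change log says. On R12.2 the query should be run against the run file system edition after the patching cycle has been completed and cut over, otherwise a patch that is applied but not yet activated will show up while the running code is still vulnerable.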
The consequences of exploitation could be severe, the experts note, because Oracle General Ledger is the automated financial processing module that acts as the repository of a company's accounting information. It is part of E-Business Suite, Oracle's suite of applications for enterprise resource planning, supply chain management and customer relationship management.
General Ledger is also used to generate corporate financial reports and to support audits for compliance with the Sarbanes-Oxley (SOX) Act. Threat actors who exploit the flaws could undermine this chain of trust by modifying critical reports, including fraudulent manipulation of the transactions reflected in financial balance sheets.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and began working as a cybersecurity analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cybersecurity incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.