Oracle addressed two security flaws in its E-Business Suite (EBS) business management solution that could allow attackers to carry out a broad range of malicious activities, including to tamper with an organization’s financial records.
Oracle EBS is currently used by tens of thousands of organizations worldwide, it is an all in one business management solution that includes applications for customer relationship management, finances, human resources, supply chain management, contracts, procurement, and planning.
The flaws were discovered last year by experts at Onapsis along with other security issues. Oracle addressed some of the flaws in April 2019, except two issues tracked as CVE-2020-2586 and CVE-2020-2587and dubbed “BigDebIT” that were fixed in January 2020.
Unfortunately, a large number of vulnerable Oracle systems are still exposed online.
Onapsis researchers reported that attackers could exploit the flaws to target the General Ledger application in EBS.
General Ledger is a financial management tool used to track financial transactions that take place during the life of an operating company.
Onapsis demonstrated that a remote and unauthenticated attacker could exploit the BigDebIT flaws to alter financial reports, even after the closure of a financial reporting period, bypassing security solutions in place and hiding its activity.
“Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process,” Onapsis explained in a report.
“Altered balances, depending on size and significance, may cause an alert during the audit period through common controls such as account reconciliations or variance reviews, and depending on the complexity of the changes, it could be really difficult (or even impossible) to identify and explain why financial balances do not match system data given that there is no record of the change that was made.”
“The level of effort required by internal resources, external resources (specialists and/or external auditors, etc.) in terms of labor hours and fees will be significant. Despite an organization’s best efforts this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction,” the company added.
(SecurityAffairs – hacking, Oracle EBS)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.