[July 28, 2016]
Onapsis Issues 12 Advisories Affecting Oracle E-Business Suite and Oracle JD Edwards
Onapsis, the global experts in business-critical application security, today released new security advisories detailing vulnerabilities in Oracle E-Business Suite and Oracle JD Edwards. Included in the advisories are three "critical risk" vulnerabilities for Oracle JD Edwards that could be used to achieve administrative rights and potentially compromise the entire JDE landscape. These vulnerabilities pose a potential risk to Oracle JD Edwards customers who use JD Edwards 9.1 EnterpriseOne Server software to run their business.
"In addition to the urgent 'critical risk' vulnerabilities, these advisories are the first of dozens to be released for Cross Site Scripting vulnerabilities that we've reported to Oracle. When an attacker exploits this type of vulnerability, code is executed on the end user's machine. If an organization uses more of the suite's applications and has larger deployments, there are a greater number of users who have access to the system - therefore creating greater risk for the organization. Remediation for this type of attack is extremely critical to prioritize as it poses a higher risk to the organization compared to other types of vulnerabilities," said Matias Mevied, Senior Oracle Security Researcher, Onapsis.
As a core business application, Oracle E-Business Suite manages critical
information such as Financial, Human Resources and Customer data,
Project Portfolio Management, Procurement, and Supply Chain Management.
Oracle's JD Edwards EnterpriseOne is an integrated applications suite of
comprehensive enterprise resource planning software that combines
business value, standards-based technology, and deep industry experience
into a business solution with a low total cost of ownership.
Vulnerabilities affecting Oracle E-Business Suite include:

- High Risk - Oracle E-Business Suite Cross Site Scripting (XSS): By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Vulnerabilities affecting Oracle JD Edwards include:

- Critical Risk - JD Edwards JDENet Password Disclosure: By exploiting this vulnerability, an unauthenticated attacker could achieve administrative rights and would potentially be able to compromise all information stored and processed on the JDE system.
- Critical Risk - JD Edwards Server Manager Password Disclosure: By exploiting this vulnerability, an unauthenticated attacker could retrieve the administration user and passwords from the Server Manager. This could lead to a potential compromise of the entire JDE landscape, and hence all of its information and processes.
- Critical Risk - JD Edwards Server Manager Create Users: By exploiting this vulnerability, an unauthenticated attacker could create users in the Server Manager, ultimately compromising the entire JDE landscape and all of its information and processes.
The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security guidance to the market. The team has reported more than 300 SAP and Oracle vulnerabilities, has released over 150 advisories to date and has worked with DHS on the release of the first ever US-CERT Alert for SAP Business Applications. In Oracle's July Critical Patch Update, 15 of the vulnerabilities patched were disclosed by the Onapsis Research Labs.
Each advisory details the business-context relevance of an identified
vulnerability, including impact on a business, a description of the
affected components, and steps to resolution such as patch download
links and recommended security fixes.
The advisories are publicly available at: http://www.onapsis.com/research/advisories.
About Onapsis Research Labs™
SAP and Oracle Security Threat Intelligence is produced by Onapsis
Research Labs, a team of leading security experts who combine in-depth
knowledge and experience to deliver technical analysis with business
context, and provide sound security judgment to the market. The team
works closely with SAP and Oracle product security teams to responsibly
deliver the information to customers and has released over 150
advisories to date, with over 35 affecting SAP HANA; has consulted on
impact with over 180 Onapsis enterprise customers; and regularly
presents at leading security and SAP conferences around the world.
Onapsis was the first to deliver "SAP Security In Depth" publications
that provide detailed analysis on security risks impacting SAP and SAP
HANA. The latest SAP Security In-Depth, Volume XII: SAP HANA
System Security Review Part 1, is now available for download: https://www.onapsis.com/research/publications/volume-xii-sap-hana-system-security-review-part-1.
About Onapsis
Onapsis provides the most comprehensive solutions for securing SAP and
Oracle enterprise applications. As the leading experts in SAP and Oracle
cyber-security, Onapsis' patented solutions enable security and audit
teams to have visibility, confidence and control of advanced threats,
cyber-risks and compliance gaps affecting their enterprise applications.
Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis' solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.
Onapsis' solutions include the Onapsis Security Platform, which is the
most widely-used SAP-certified cyber-security solution in the market.
Unlike generic security products, Onapsis' context-aware solutions
deliver both preventative vulnerability and compliance controls, as well
as real-time detection and incident response capabilities to reduce
risks affecting critical business processes and data. Through open
interfaces, the platform can be integrated with leading SIEM, GRC and
network security products, seamlessly incorporating enterprise
applications into existing vulnerability, risk and incident response
management programs.
These solutions are powered by the Onapsis Research Labs, which
continuously provide leading intelligence on security threats affecting
SAP and Oracle enterprise applications. Experts of the Onapsis Research
Labs were the first to lecture on SAP cyber-attacks and have uncovered
and helped fix hundreds of security vulnerabilities to-date affecting
SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as
well as Oracle JD Edwards and Oracle E-Business Suite platforms.
Onapsis has been issued U.S. Patent No. 9,009,837 entitled "Automated
Security Assessment of Business-Critical Systems and Applications,"
which describes certain algorithms and capabilities behind the
technology powering the Onapsis Security Platform™ and Onapsis X1™
software platforms. This patented technology is recognized industry-wide and has earned Onapsis recognition as a 2015 SINET 16 Innovator.
For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis,
Inc. All other company or product names may be the registered trademarks
of their respective owners.
View source version on businesswire.com: http://www.businesswire.com/news/home/20160728005602/en/