Oracle E-Business compromised by hole



Integrigy has detected multiple, highly critical vulnerabilities in Oracle E-Business Suite and Oracle Applications.

According to the company, immediate patching is the only answer, since any user with browser access and specialised knowledge can exploit these vulnerabilities.

The vulnerabilities affect E-Business Suite release 11i and all releases from 11.5.1 through 11.5.8, plus Oracle Applications 11.0, all releases.

They are caused by errors in the input validation process and allow a malicious code writer to inject arbitrary SQL code into an input box. This will provide access to, and the ability to compromise, the entire database and application.

And that means unauthorised manipulation of a company’s data, exposure of system information, exposure of sensitive business information and general system access.

In announcing its discovery, Integrigy noted that "customers with internet-facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser".

"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single HTTP Get or Post, successful attacks can be easily designed that will evade most intrusion detection and prevention systems," it added.

Integrigy sells Oracle-specific security tools, and has included the ability to check for the vulnerabilities in question in its AppSentry package, as well as the ability to block intrusions in AppDefend, its application IPS offering.

Oracle has already made patches available and advises their immediate application.

Rik Turner writes for
