Oracle E-Business compromised by hole

Integrigy has detected multiple, highly critical vulnerabilities in Oracle E-Business Suite and Oracle Applications.

According to the company, immediate patching is the only answer, since any user with browser access and specialised knowledge can exploit these vulnerabilities.

The vulnerabilities affect E-Business Suite release 11i and all releases from 11.5.1 through 11.5.8, plus Oracle Applications 11.0, all releases.

They are caused by errors in input validation and allow an attacker to inject arbitrary SQL code through an input field. A successful injection gives access to, and the ability to compromise, the entire database and application.

In practice that means unauthorised manipulation of a company's data, exposure of system information, exposure of sensitive business information and general system access.

In announcing its discovery, Integrigy noted that "customers with internet-facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser".

"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single HTTP Get or Post, successful attacks can be easily designed that will evade most intrusion detection and prevention systems," it added.

Integrigy sells Oracle-specific security tools, and has included the ability to check for the vulnerabilities in question in its AppSentry package, as well as the ability to block intrusions in AppDefend, its application IPS offering.

Oracle has already made patches available and advises their immediate application.

Rik Turner writes for Techworld.com

