Reference: Advisory #2019-024
Version: 1.0
Affected software: Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8.
Type: Remote access to data and remote data manipulation
CVE/CVSS:
CVE-2019-2638 - https://nvd.nist.gov/vuln/detail/CVE-2019-2638
CVE-2019-2633 - https://nvd.nist.gov/vuln/detail/CVE-2019-2633
https://www.oracle.com/security-alerts/cpuapr2019.html#AppendixEM
Successful attacks using these vulnerabilities can result in unauthorized creation, deletion or modification access to critical data, or complete access to all Oracle General Ledger and Oracle Work in Process accessible data. The vulnerable components are the "Consolidation Hierarchy Viewer" of the Oracle General Ledger module and the "message" component of the Oracle Work in Process module of the Oracle E-Business Suite.
Two critical security vulnerabilities discovered in Oracle's E-Business Suite (EBS) could allow potential attackers to take full control over a company's entire enterprise resource planning (ERP) solution.
The Oracle EBS improper access control flaws come with CVSS scores of 9.9 out of 10 and are tracked as CVE-2019-2638 (in the Consolidation Hierarchy Viewer component of the Oracle General Ledger) and CVE-2019-2633 (in the Messages component of the Oracle Work in Process product).
If successfully exploited in an attack, the two security flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers.
CERT.be recommends that system administrators patch their systems immediately to at least the April 2019 Oracle Critical Patch.