Oracle eBusiness Suite has 'huge, massive, ginormous' pwn surface
When all the features are bugs
Auscert Oracle has a 'huge, massive, ginormous' attack surface, according to one prolific and proven researcher who reckoned he gave up looking because there are too many vulns.
The security tester (who requested anonymity because his presentation wasn't approved by his employer) for one of the biggest tech firms found 50 vulnerabilities in eBusiness Suite versions 11.5 to the current 12.2 over a week's worth of probing, as part of internal threat assessment.
The flaws are easy to find but harder to exploit, and all were reported by the researcher to Oracle.
The company has fixed some, but will not repair those in 11.5 which was abandoned in January this year.
"It is installed by default with a lot of stuff and has a huge, massive, ginormous attack surface, and if it looks like I'm laboring the point, I don't think that's hyperbole -- it's actually bigger than that," the penetration tester told the AusCERT security conference last week.
"I started an in-depth security review of eBusiness Suite 11.5 in November, sat down and took some samples … after finding 50 flaws, I decided that was enough."
The researcher found and reported the same number of bugs in the latest version 12 of the platform, most of which he says have not been fixed.
He showed a slide in which Oracle reportedly states that 'of all the SQL injection flaws we have reported to us none were confirmed examples'.
"In the equivalent time it took me to type that I found a SQL injection flaw -- they are that easy to find in eBusiness Suite unfortunately."
He says there would be far too many bugs to fix with patches so the defensive focus should fall to attack surface reduction.
The horrid attack surface, well known among security types, is thanks to the 1500 odd JavaServer Pages .
These can and should be whittled down to as few as possible by finding those not in use. In the researcher's case he cut out some 1300 pages leaving a trim and harder-to-hack 200 behind.
The hacker also ripped out about 700 SQL packages and 80 servlets, further reducing the attack surface. ®