So long and thanks for all the fixes: ERPScan left out of credits on Oracle bug-bash list
App security firm sanctioned in US over ties with Russia
Oracle fixed 17 flaws in its products found by ERPScan researchers without acknowledging the application security firm, which was recently and controversially sanctioned in the US.
US tech companies sucked into Russian sanctions rowREAD MORE
ERPScan said vulnerabilities it uncovered affect six different business applications. Left unpatched, they potentially allow attackers access to sensitive business data. The bugs range from remote code execution and cross-site scripting to authentication bypass and memory corruption.
The flaws spotted by ERPScan are among a record 334 addressed by Big Red's latest quarterly patch batch. Some of these updates are cumulative but there's still a hell of a lot to chew through, as explained in an analysis by the security outfit.
Oracle's patch batch contained 61 vulnerabilities assessed as critical (CVSS base score 9.0-10.0). The most serious were in multiple Oracle products including Financial Services, Fusion Middleware, PeopleSoft, EBS, Retail Applications and more.
Among the bugs addressed was an authentication bypass vulnerability (CVE-2018-2894) that creates a remote code execution risk in WebLogic. The flaw, which scores 9.8/10, was discovered by noted bug hunter David Litchfield. "Oracle customers should test and roll out these patches as soon as possible," Litchfield advised.
Two of the most severe vulnerabilities were identified by ERPScan researchers in the Oracle Fusion Middleware (CVE-2018-2894 and CVE-2018-2943).
Litchfield – unlike ERPScan – is one of 40 or so researchers credited for their work in uncovering weaknesses addressed by the patch batch.
ERPScan's Elena Shapovalova was not best pleased that her firm had been left off the credit roll.
"Unfortunately, Oracle decided to dismiss ERPScan's contribution and did not give a credit since ERPScan were put on a Treasury sanctions list," she told El Reg.
"As we see it, Treasury sanctions only prevent financial transactions and do not prohibit non-financial relationships. It means that if research teams only send information on vulnerabilities to the vendor, nothing prevents this company to give them a credit."
An expansion of sanctions on companies connected with Russia last month pulled in Embedi and ERPScan, as previously reported. Even though both firms are substantially US-based, they are both owned by Russian company Digital Security, which allegedly supplies tech help to Russian intelligence services.
Sir, you've been using Kaspersky Lab antivirus. Please come with us, sirREAD MORE
Shapovalova said: "Sanctions always raise concerns, and the situation is not very promising for everybody," she said.
El Reg invited Oracle to comment on its policy for dealing with ERPScan. The imposition of sanctions might be interpreted to preclude normal business relationships even outside of those where money doesn't change hands. Oracle declined to comment.
ERPScan is one of few enterprise application security specialists in the industry. Finding flaws in enterprise resource planning packages and the like is a thinly covered area, particularly in comparison to the number of researchers looking for flaws in mobile apps, operating systems, browsers and elements of the Internet of Things.
ERPScan has been reporting security flaws in Oracle's enterprise software since 2008. "This year has marked 10 years. And it seems we aren't able to work this way any longer," Shapovalova said.
She warned: "If we cannot officially help vendors keep their systems safe, enterprises can have insecure business applications, and their customers data (yours, your friend's data, and mine) can be exposed to cybercriminals. It is debilitating for the whole industry." ®