And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

By John Leyden


A third Oracle enterprise package has been patched against a crypto-mining exploit.

Security outfit Onapsis warns that Oracle E-Business Suite (EBS) is vulnerable to the cryptocurrency miner exploit that was recently used to hack Oracle's PeopleSoft and WebLogic servers. Campaigns based on these security shortcomings have netted crooks $250K in digital currency, according to some estimates.

Onapsis is warning of two highly critical vulnerabilities affecting Oracle EBS, fixed in Oracle's latest quarterly patch batch on Tuesday. Both were SQL injection vulnerabilities, one of the most common classes of web application security flaw.
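The article names SQL injection as the flaw class but does not show what it looks like. The following is an added illustration, not code from the article, Onapsis or Oracle, using a constructed in-memory SQLite table rather than anything from EBS. It places the vulnerable string-splicing pattern beside the parameterised form that mitigates it, and adds a small log-side check for inputs carrying SQL metacharacters.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny "employee" table
# standing in for the kind of HR/finance records an ERP system holds.
SAMPLE_ROWS = [
    ("alice", "Finance", 95000),
    ("bob", "HR", 72000),
    ("carol", "Purchasing", 68000),
]


def setup_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (username TEXT, department TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: caller input is spliced into the SQL text.

    A quote character in `username` terminates the string literal and the
    remainder of the input is parsed as SQL, so the WHERE clause no longer
    means what the developer intended.
    """
    query = (
        "SELECT username, department, salary FROM employee "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the SQL text is fixed and the input is bound as a
    parameter, so the database engine never parses it as code."""
    query = "SELECT username, department, salary FROM employee WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_suspicious(username):
    """Cheap detection aid for request logs or WAF rules: flag inputs that
    carry SQL metacharacters. A complement to parameterisation, not a
    substitute for it."""
    return any(tok in username for tok in ("'", "--", ";", "/*"))


if __name__ == "__main__":
    conn = setup_db()
    benign = "bob"
    tainted = "x' OR '1'='1"  # constructed test input
    print("unsafe, benign :", lookup_unsafe(conn, benign))
    print("unsafe, tainted:", lookup_unsafe(conn, tainted))  # whole table returned
    print("safe,   tainted:", lookup_safe(conn, tainted))    # no rows
    print("flagged        :", is_suspicious(tainted))
```

With the tainted input the spliced query returns every row of the table, while the parameterised query returns nothing because the literal string `x' OR '1'='1` matches no username; that difference is the entire mitigation.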

The January patch batch collectively tackles 237 security vulnerabilities.

"While PeopleSoft contains sensitive HR information, Oracle E-Business Suite can potentially host HR, Finance, Purchase and other types of critical information to the business making the risk to these systems even greater," Onapsis warns. "Enterprises that fail to install Oracle's critical WebLogic patch from last October could now find their EBS, PeopleSoft and cloud-based servers churning out cryptocurrency - and even worse allowing attackers to gain access into the Oracle ERP system."

A representative of Oracle responded promptly to El Reg's query to say the firm had no immediate comment on Onapsis's findings. We’ll update this story as and when any new information comes to hand.

An Oracle WebLogic vulnerability fixed last October was exploited on unpatched servers to mine Monero and other lesser-known cryptocurrencies, the SANS Technology Institute warned earlier this month.

Poor input sanitisation in a WebLogic component created a means for an unauthenticated attacker to run arbitrary commands. The vulnerability also affects Oracle's PeopleSoft software, which can include WebLogic as a server, as previously reported by El Reg. ®
