And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

By John Leyden


A third Oracle enterprise package has been patched against a crypto-mining exploit.

Security outfit Onapsis warns that Oracle E-Business Suite (EBS) is vulnerable to the cryptocurrency miner exploit that was recently used to hack Oracle's PeopleSoft and WebLogic servers. Campaigns based on these security shortcomings have netted crooks $250K in digital currency, according to some estimates.

Onapsis is warning of two highly critical vulnerabilities affecting Oracle EBS, both fixed in Oracle's latest quarterly patch batch on Tuesday. Both were SQL injection vulnerabilities, one of the most common classes of web application security flaw.

The January patch batch collectively tackles 237 security vulnerabilities.

"While PeopleSoft contains sensitive HR information, Oracle E-Business Suite can potentially host HR, Finance, Purchase and other types of critical information to the business making the risk to these systems even greater," Onapsis warns. "Enterprises that fail to install Oracle's critical WebLogic patch from last October could now find their EBS, PeopleSoft and cloud-based servers churning out cryptocurrency - and even worse allowing attackers to gain access into the Oracle ERP system."

A representative of Oracle responded promptly to El Reg's query to say the firm had no immediate comment on Onapsis's findings. We’ll update this story as and when any new information comes to hand.

Attackers have been exploiting an Oracle WebLogic vulnerability, fixed last October, on unpatched servers to mine Monero and other lesser-known cryptocurrencies, the SANS Technology Institute warned earlier this month.

Poor input sanitisation in a WebLogic component gave an unauthenticated attacker a means to run arbitrary commands. The vulnerability also affects Oracle's PeopleSoft software, which can use WebLogic as its application server, as previously reported by El Reg. ®
