And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

By John Leyden


A third Oracle enterprise package has been patched against a crypto-mining exploit.

Security outfit Onapsis warns that Oracle E-Business Suite (EBS) is vulnerable to the cryptocurrency miner exploit that was recently used to hack Oracle's PeopleSoft and WebLogic servers. Campaigns based on these security shortcomings have netted crooks $250K in digital currency, according to some estimates.

Onapsis is warning of two highly critical vulnerabilities affecting Oracle EBS, patched in Oracle's latest quarterly patch batch on Tuesday. Both are SQL injection vulnerabilities, one of the most common classes of web application security flaw.
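For readers unfamiliar with the flaw class, here is an added illustration of what a SQL injection bug looks like next to its fix. It is not code from Oracle EBS or from Onapsis, and says nothing about the actual EBS bugs: the `employees` table, the `lookup_*` functions and the sample rows are all constructed for the example, using Python's built-in `sqlite3` module so it runs offline.

```python
import sqlite3


def build_db():
    """Constructed in-memory database with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 120)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation, so user input becomes SQL.

    A value such as  x' OR '1'='1  changes the WHERE clause and returns every
    row instead of the one the caller intended.
    """
    sql = "SELECT name, salary FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened form: the driver binds the value separately from the SQL text,
    so the same payload is compared as a literal string and matches nothing."""
    sql = "SELECT name, salary FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, payload))
    print("parameterised, payload:  ", lookup_parameterised(db, payload))
```

The mitigation is the same in every language and database: never splice untrusted input into the SQL text, use bound parameters (or an ORM that does so), and restrict the database account the application runs as so that a remaining injection cannot reach beyond the tables it needs.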

The January patch batch collectively tackles 237 security vulnerabilities.

"While PeopleSoft contains sensitive HR information, Oracle E-Business Suite can potentially host HR, Finance, Purchase and other types of critical information to the business making the risk to these systems even greater," Onapsis warns. "Enterprises that fail to install Oracle's critical WebLogic patch from last October could now find their EBS, PeopleSoft and cloud-based servers churning out cryptocurrency - and even worse allowing attackers to gain access into the Oracle ERP system."

A representative of Oracle responded promptly to El Reg's query to say the firm had no immediate comment on Onapsis's findings. We’ll update this story as and when any new information comes to hand.

Attackers have been abusing an Oracle WebLogic vulnerability, fixed last October, on unpatched servers to mine Monero and other lesser-known cryptocurrencies, the SANS Technology Institute warned earlier this month.

Poor input sanitisation in a WebLogic component created a means for an unauthenticated attacker to run arbitrary commands. The vulnerability also affects Oracle's PeopleSoft software, which can include WebLogic as a server, as previously reported by El Reg. ®
