And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

By John Leyden

Posted in Security, 18th January 2018 13:26 GMT

A third Oracle enterprise package has been patched against a crypto-mining exploit.

Security outfit Onapsis warns that Oracle E-Business Suite (EBS) is vulnerable to the cryptocurrency miner exploit that was recently used to hack Oracle's PeopleSoft and WebLogic servers. Campaigns based on these security shortcomings have netted crooks $250K in digital currency, according to some estimates.

Onapsis is warning of two highly critical vulnerabilities affecting Oracle EBS, fixed in Oracle's latest quarterly patch batch on Tuesday. Both are SQL injection vulnerabilities, one of the most common classes of web application security flaw.
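To show what that class of flaw looks like, here is an added example (not code from the article, Onapsis or Oracle EBS): a lookup that concatenates user input into the query next to the same lookup written with a bind parameter. The table, rows and payloads are constructed for the demonstration and use SQLite so it runs offline; the same tautology and UNION tricks apply to any SQL dialect.

```python
import sqlite3

# Constructed sample data; this is not the Oracle EBS schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER, name TEXT, salary INTEGER, dept TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [
            (1, "alice", 120000, "finance"),
            (2, "bob", 95000, "hr"),
            (3, "carol", 70000, "purchasing"),
        ],
    )
    return conn


def lookup_vulnerable(conn, dept):
    # Vulnerable: attacker-controlled text becomes part of the SQL statement,
    # so quotes and keywords in `dept` change what the query does.
    sql = "SELECT name FROM employees WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, dept):
    # Hardened: a bind variable. The driver passes `dept` as data only;
    # it is never parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM employees WHERE dept = ?", (dept,))
    return [row[0] for row in rows]


# Constructed payloads. The first turns the WHERE clause into a tautology;
# the second appends a UNION that pulls salary data out of the same table.
TAUTOLOGY_PAYLOAD = "hr' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name || ':' || salary FROM employees WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterised", lookup_parameterised)):
        print(label, "normal:", fn(db, "hr"))
        print(label, "tautology:", fn(db, TAUTOLOGY_PAYLOAD))
        print(label, "union:", fn(db, UNION_PAYLOAD))
```

The vulnerable version returns every employee for the tautology payload and every name with its salary for the UNION payload; the parameterised version returns nothing for either, because there is no department literally named after the payload string. The fix is not to filter quotes or keywords but to keep data out of the statement text entirely.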

The January patch batch collectively tackles 237 security vulnerabilities.

"While PeopleSoft contains sensitive HR information, Oracle E-Business Suite can potentially host HR, Finance, Purchase and other types of critical information to the business making the risk to these systems even greater," Onapsis warns. "Enterprises that fail to install Oracle's critical WebLogic patch from last October could now find their EBS, PeopleSoft and cloud-based servers churning out cryptocurrency - and even worse allowing attackers to gain access into the Oracle ERP system."

A representative of Oracle responded promptly to El Reg's query to say the firm had no immediate comment on Onapsis's findings. We’ll update this story as and when any new information comes to hand.

Attackers have been exploiting an Oracle WebLogic vulnerability, fixed last October, on unpatched servers to mine Monero and other lesser-known cryptocurrencies, the SANS Technology Institute warned earlier this month.

Poor input sanitisation in a WebLogic component gives an unauthenticated remote attacker a means to run arbitrary commands on the server. The vulnerability also affects Oracle's PeopleSoft software, which can run on top of WebLogic as its application server, as previously reported by El Reg. ®
