Critical Flaws in Oracle E-Business Suite
CVE-2019-2638 - https://nvd.nist.gov/vuln/detail/CVE-2019-2638
CVE-2019-2633 - https://nvd.nist.gov/vuln/detail/CVE-2019-2633
Sources
https://www.oracle.com/security-alerts/cpuapr2019.html#AppendixEM
Risks
Successful attacks using these vulnerabilities can result in unauthorized creation, deletion or modification access to critical data, or complete access to all data accessible to Oracle General Ledger and Oracle Work in Process. The vulnerable components are the "Consolidation Hierarchy Viewer" of the Oracle General Ledger module and the "Messages" component of the Oracle Work in Process module of the Oracle E-Business Suite.
Description
Two critical security vulnerabilities discovered in Oracle's E-Business Suite (EBS) could allow potential attackers to take full control over a company's entire enterprise resource planning (ERP) solution.
Both are improper access control flaws in Oracle EBS with a CVSS score of 9.9 out of 10. They are tracked as CVE-2019-2638 (in the Consolidation Hierarchy Viewer component of Oracle General Ledger) and CVE-2019-2633 (in the Messages component of Oracle Work in Process).
If successfully exploited, the two flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers.
Recommended Actions
CERT.be recommends that system administrators patch their systems immediately to at least the April 2019 Oracle Critical Patch Update.