Categories: Security

Researcher Warns Of ‘Major’ Backdoor In Oracle E-Business Suite

Versions of Oracle’s E-Business Suite contain a “major” backdoor that could be used to gain complete control of a database, according to Australian security researcher David Litchfield.

The vulnerability, which appears to be the result of a misconfiguration flaw, is one of the 167 bugs Oracle is patching across its product range on Tuesday, including 10 fixes for E-Business Suite. The suite includes enterprise resource planning (ERP), customer relationship management (CRM), and supply-chain management (SCM) applications.

Litchfield said he reported 11 of of the vulnerabilities to Oracle last year. “Some are critical and one of them I’m just gobsmacked by,” he said in a Twitter post.

The flaw allows any user to create a function that can execute with system administrator privileges, giving them complete control over the software, Litchfield said.

He discovered the error during a security review of a client’s systems, and at first thought it was a backdoor left by a hacker, since there appeared to be no good reason for it to exist.

Moreover, Oracle told Litchfield it was unable to explain why the privilege had been granted.

“There is no indication of when or why the grants were originally added,” Oracle said in its original response to Litchfield. “Development is going with the assumption that it was not necessary and removing the added grants.”

Critical rating

Oracle didn’t give technical details on these flaws, but in a pre-patch announcement it said six of the bugs could be exploited without authentication by remote attackers, and that the vulnerabilities have a maximum CVSS Base Score of 6.4 out of 10.

The patches affect Oracle E-Business Suite versions, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3 and 12.2.4, Oracle said.

As part of its security efforts, Oracle recently added Leon Panetta, former US secretary of defense and former director of the Central Intelligence Agency (CIA), to its board of directors.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Orders Staff Back To Office, Three Days A Week

Memo from Tim Cook tells Apple staff in the Bay area, that from next month,…

30 mins ago

Silicon UK In Focus Podcast: Configuring Security

Do businesses need a radical change in how they approach access security? Does a shift…

1 hour ago

New US Export Controls Target China Semiconductor Firms

US introduces export controls on design software and substrate materials to block Chinese companies from…

1 day ago

US Judge Approves Apple Settlement In Retail Class Action Lawsuit

US federal judge approves settlement offered by Apple in nearly decade-old case over compensation for…

1 day ago

Ola Plans Premium Electric Car For Indian Market

SoftBank-backed ride-hailing firm Ola Electric announces range of electric cars starting in 2024 following success…

1 day ago

Faraday Future Raises Fresh Backing For Electric SUV Debut

Electric car start-up Faraday Future looks to raise up to $600m in new funds as…

1 day ago