Integrigy has detected multiple, highly critical vulnerabilities in Oracle E-Business Suite and Oracle Applications. Immediate patching is the only answer since, as Oracle itself puts it, any user with browser access and specialised knowledge can exploit these vulnerabilities.
The vulnerabilities, discovered by the security company's Stephen Kost, affect Oracle E-Business Suite 11i, releases 11.5.1 through 11.5.8, and all releases of Oracle Applications 11.0. They stem from errors in input validation that allow an attacker to inject arbitrary SQL through an input field, giving access to, and the ability to compromise, the entire database and application.
And that means unauthorised manipulation of a company's data, exposure of system information and sensitive business information, and general system access.
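The coding pattern behind this class of bug, shown here as an added illustration in PL/SQL rather than as code from Integrigy's advisory or from Oracle's products: a lookup that splices a web-supplied value into its SQL text, beside the same lookup wired with a bind variable. The table `app_vendors`, the column `vendor_name`, the parameter `p_vendor_name` and the length limit are all hypothetical.

```sql
-- Vulnerable form (hypothetical names): the request parameter becomes part
-- of the SQL text itself. A value containing a single quote closes the
-- string literal and everything after it is parsed as SQL by the database.
CREATE OR REPLACE PROCEDURE lookup_vendor_unsafe (p_vendor_name IN  VARCHAR2,
                                                 p_count       OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_vendors WHERE vendor_name = '''
           || p_vendor_name || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END lookup_vendor_unsafe;
/

-- Hardened form: the statement text is fixed and the value travels as a
-- bind variable (:name), so it is only ever compared as data. A length
-- check on the way in is the input validation the advisory says was missing.
CREATE OR REPLACE PROCEDURE lookup_vendor_safe (p_vendor_name IN  VARCHAR2,
                                               p_count       OUT NUMBER) AS
BEGIN
  -- Assumed application limit for a vendor name; reject anything outside it.
  IF p_vendor_name IS NULL OR LENGTH(p_vendor_name) > 240 THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid vendor name');
  END IF;
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_vendors WHERE vendor_name = :name'
    INTO p_count USING p_vendor_name;
END lookup_vendor_safe;
/
```

Reviewing an application for the first pattern (dynamic SQL built with `||` from any externally supplied value) is the practical way to find this class of defect before a patch is available.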
In announcing its discovery, Integrigy noted that "customers with Internet facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser." Furthermore, "since attacks can be specially crafted for Oracle Applications and an attack may only be a single HTTP Get or Post, successful attacks can be easily designed that will evade most intrusion detection and prevention systems."
Integrigy sells Oracle-specific security tools, and has included the ability to check for the vulnerabilities in question in its AppSentry package, as well as the ability to block intrusions in AppDefend, its application IPS offering.
Oracle has otherwise said nothing about the extremely embarrassing incident, save a short statement which reads: "Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems. To that end, Oracle is informing customers about vulnerabilities in some versions of the Oracle E-Business Suite. Oracle recommends that customers apply the patches for these vulnerabilities."