A third Oracle enterprise package has been patched against a crypto-mining exploit.
Security outfit Onapsis warns that Oracle E-Business Suite (EBS) is vulnerable to the cryptocurrency miner exploit that was recently used to hack Oracle's PeopleSoft and WebLogic servers. Campaigns based on these security shortcomings have netted crooks $250K in digital currency, according to some estimates.
Onapsis is warning of two highly critical vulnerabilities affecting Oracle EBS, released in Oracle's latest quarterly patch batch on Tuesday. Both were SQL injection vulnerabilities, one of the most common class of web application security flaws.
The January patch batch collectively tackles 237 security vulnerabilities.
"While PeopleSoft contains sensitive HR information, Oracle E-Business Suite can potentially host HR, Finance, Purchase and other types of critical information to the business making the risk to these systems even greater," Onapsis warns. "Enterprises that fail to install Oracle's critical WebLogic patch from last October could now find their EBS, PeopleSoft and cloud-based servers churning out cryptocurrency - and even worse allowing attackers to gain access into the Oracle ERP system."
A representative of Oracle responded promptly to El Reg's query to say the firm had no immediate comment on Onapsis's findings. We’ll update this story as and when any new information comes to hand.
An Oracle WebLogic vulnerability fixed last October abused an unpatched server to mine Monero and other lesser-known cryptocurrencies, the SANS Technology Institute warned earlier this month.
Poor input sanitisation in a WebLogic component created a means for an unauthenticated attacker to run arbitrary commands. The vulnerability also affects Oracle's PeopleSoft software, which can include WebLogic as a server, as previously reported by El Reg. ®