
So long and thanks for all the fixes: ERPScan left out of credits on Oracle bug-bash list

App security firm sanctioned in US over ties with Russia

Oracle fixed 17 flaws in its products found by ERPScan researchers without acknowledging the application security firm, which was recently and controversially sanctioned in the US.

ERPScan said vulnerabilities it uncovered affect six different business applications. Left unpatched, they potentially allow attackers access to sensitive business data. The bugs range from remote code execution and cross-site scripting to authentication bypass and memory corruption.

The flaws spotted by ERPScan are among a record 334 addressed by Big Red's latest quarterly patch batch. Some of these updates are cumulative but there's still a hell of a lot to chew through, as explained in an analysis by the security outfit.

Oracle's patch batch contained 61 vulnerabilities assessed as critical (CVSS base score 9.0-10.0). The most serious were in multiple Oracle products including Financial Services, Fusion Middleware, PeopleSoft, EBS, Retail Applications and more.

Among the bugs addressed was an authentication bypass vulnerability (CVE-2018-2894) that creates a remote code execution risk in WebLogic. The flaw, which scores 9.8/10, was discovered by noted bug hunter David Litchfield. "Oracle customers should test and roll out these patches as soon as possible," Litchfield advised.

Two of the most severe vulnerabilities were identified by ERPScan researchers in Oracle Fusion Middleware (CVE-2018-2894 and CVE-2018-2943).

Litchfield – unlike ERPScan – is one of 40 or so researchers credited for their work in uncovering weaknesses addressed by the patch batch.

ERPScan's Elena Shapovalova was not best pleased that her firm had been left off the credit roll.

"Unfortunately, Oracle decided to dismiss ERPScan's contribution and did not give credit since ERPScan was put on a Treasury sanctions list," she told El Reg.

"As we see it, Treasury sanctions only prevent financial transactions and do not prohibit non-financial relationships. It means that if research teams only send information on vulnerabilities to the vendor, nothing prevents this company from giving them credit."

An expansion of sanctions on companies connected with Russia last month pulled in Embedi and ERPScan, as previously reported. Even though both firms are substantially US-based, they are both owned by Russian company Digital Security, which allegedly supplies tech help to Russian intelligence services.

"Sanctions always raise concerns, and the situation is not very promising for everybody," Shapovalova said.

El Reg invited Oracle to comment on its policy for dealing with ERPScan. The imposition of sanctions might be interpreted to preclude normal business relationships, even those where no money changes hands. Oracle declined to comment.

ERPScan is one of the few enterprise application security specialists in the industry. Finding flaws in enterprise resource planning packages and the like is a thinly covered area, particularly in comparison to the number of researchers looking for flaws in mobile apps, operating systems, browsers and elements of the Internet of Things.

ERPScan has been reporting security flaws in Oracle's enterprise software since 2008. "This year has marked 10 years. And it seems we aren't able to work this way any longer," Shapovalova said.

She warned: "If we cannot officially help vendors keep their systems safe, enterprises can have insecure business applications, and their customers' data (yours, your friend's data, and mine) can be exposed to cybercriminals. It is debilitating for the whole industry." ®
