ERPScan continues helping protect business-critical systems

ERPScan, a leading ERP security company, has again helped Oracle protect its most critical enterprise business applications, including PeopleSoft and JD Edwards, by providing information on 17 vulnerabilities affecting the vendor’s products.

Patches for these vulnerabilities were released today as part of Oracle’s quarterly Critical Patch Update (CPU). Some of the issues carry a CVSS score of 9.8 (out of 10), close to the maximum, and allow remote command execution along with access to all business-critical resources.

The affected systems store almost all of an organization’s sensitive information: financial data (e.g. bank account numbers), HR data (e.g. salaries), campus data (e.g. student grades and loans), customer data (e.g. credit card data), healthcare data (e.g. PHI), operational data (e.g. data related to business processes, strategic plans, and intellectual property), and more.

The 17 vulnerabilities affect six business applications that store the data listed above:

  • Oracle PeopleSoft (including FI, HCM, Campus Solutions, CRM, etc.)
  • Oracle JD Edwards EnterpriseOne (including all products on top of the platform)
  • Oracle WebLogic
  • Oracle Business Process Management
  • Oracle MapViewer
  • Oracle SOA for Healthcare

A wide range of vulnerability types was identified in these products, from common classes to more specialized ones: Remote Command Execution, SQL Injection, Directory Traversal, XSS, XXE, Template Injection, Memory Reading, Unauthorized File Upload, and Missing Authorization.

We promised that we would continue helping enterprises secure software and educate them on vulnerabilities lurking in Oracle and SAP business applications. And we do it without any credit or recognition for our work.

Alexander Polyakov, CTO of ERPScan

Oracle closed a record number of vulnerabilities this quarter. Oracle customers are advised to update their business applications and take additional countermeasures.