Vulnerabilities found in E-Business Suite 11i

Oracle this morning released a patch for multiple, critical SQL injection vulnerabilities in the Oracle E-Business Suite 11i.

Multiple SQL injection vulnerabilities have been discovered in the Oracle E-Business Suite 11i and Oracle Applications 11.0 that could allow an attacker to take control of the database and applications.

The vulnerabilities were discovered in Oracle E-Business Suite 11i versions 11.5.1 through 11.5.8 and all Oracle Applications 11.0.

If you do a SQL injection, it will let you run pretty much any query that you choose -- and it can be very damaging.
Aaron Newman
chief technology officer and founderApplication Security Inc.

The vulnerabilities can be remotely exploited by an unauthenticated user with a browser by sending a specially crafted URL to the Web server, according to a security bulletin issued by Chicago-based Integrigy Corp. A patch from Oracle is required to solve the security issues.

The vulnerability was discovered by Stephen Kost, who said the vulnerability can be exploited by conducting SQL injection attacks. The vulnerabilities are caused due to unspecified input validation errors.

For more information

Check out these tips for securing your Oracle database

 


Visit our Oracle security center

A SQL injection hole in software can be very serious, according to security experts. A security lapse in Oracle E-Business Suite could place financial data and other information in the hands of an attacker.

"There is generally some very sensitive data that is vulnerable here," said security expert Aaron Newman, chief technology officer and founder, New York-based Application Security Inc. "If you do a SQL injection, it will let you run pretty much any query that you choose and it can be very damaging."

Newman said that so far the specific location of the vulnerability remains unclear, making it somewhat more difficult for a hacker to discover the hole.

In an advisory issued by Oracle, the company said risk to exposure is high since anyone with a browser can exploit the vulnerability. There are no workarounds for the specific vulnerabilities, Oracle said.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchDataManagement

SearchBusinessAnalytics

SearchSAP

SearchSQLServer

TheServerSide

SearchDataCenter

SearchContentManagement

SearchFinancialApplications

Close