Oracle fixed 250 security vulnerabilities in the Oracle E-Business Suite between January 2016 and January 2017. Each of the past five Oracle Critical Patch Updates (CPUs) has included a double- or triple-digit number of fixes for Oracle E-Business Suite. Almost all of these vulnerabilities are exploitable in every supported version of Oracle E-Business Suite, including 11i, 12.0, 12.1, and 12.2. Many of the 250 fixes address high-risk vulnerability classes such as SQL injection, cross-site scripting (XSS), XML external entity (XXE) injection, and privilege escalation.
Unless your organization applies each CPU immediately after release and has hardened the application, Oracle E-Business Suite is highly exposed and easily exploitable. Significant defensive measures are required to protect Oracle E-Business Suite, especially installations with Internet-facing modules such as iSupplier, iStore, iRecruitment, and iSupport, since those modules are reachable by unauthenticated attackers without any internal network access. A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs (blocking known exploit requests at the web tier while the CPU is tested and deployed), as well as additional protection against generic web application attacks such as SQL injection and cross-site scripting (XSS) and against common Oracle E-Business Suite security misconfigurations. Virtual patching reduces the window of exposure but is not a substitute for applying the CPU itself.