Security holes found in Oracle's ERP applications

Flaws could provide an easy route into corporate databases for hackers

Security researchers have discovered eight flaws in Oracle's JD Edwards enterprise resource planning (ERP) applications.

Enterprise software security specialist Onapsis discovered the security holes and published details of them on the security advisories page of its web site last week.

The flaws could allow attackers to view and modify private corporate data, and even deny access to legitimate users.

Describing one of the flaws, Onapsis said: "By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure."

Mariano Nunez di Croce, director of research and development at Onapsis, believes that ERP systems are increasingly becoming a target for cyber criminals.

"Attackers have begun to realise that [ERP systems] are no longer a black box, and that they contain sensitive business information. So if you are a cyber criminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" said di Croce, according to security news web site Dark Reading.

Oracle patched these vulnerabilities after being alerted to them by Onapsis.