Oracle 'took two years' to fix PeopleSoft errors - but just weeks when told flaws would be revealed at Black Hat conference

Web-facing applications and ageing ERP systems all 'wide open' to security breaches, warns ERPScan CTO Alexander Polyakov

Software giant Oracle ignored reports of a major security flaw in its PeopleSoft enterprise resource planning (ERP) software for two years - but fixed another batch of flaws within weeks when it was informed that a company would be revealing them at the Black Hat security conference last week.

Alexander Polyakov, chief technology officer at security services company ERPScan, which specialises in examining the security of organisations' ERP systems, claimed that it took Oracle two years to respond to reports of a "password overflow bug" affecting modules across the PeopleSoft portfolio, along with a number of other flaws.

While the bug did not enable an attacker to take control of a system, it could have been used in a denial of service attack to bring down critical systems, said Polyakov.

"They were slow... but if you say that you are going to publish it [a reported security flaw] it seems they can patch it more quickly," he said.

Polyakov was referring to flaws reported to Oracle four years ago, which it only patched two years later. But for this year's Black Hat security conference, ERPScan informed Oracle that it would be presenting wide-ranging details about a number of new security flaws in the PeopleSoft suite. In response, Oracle patched most of the flaws within three weeks of being informed, he told Computing.

"Most PeopleSoft applications are connected to the internet for providing access to suppliers. Simple Google search strings can find about 500 internet-enabled PeopleSoft applications. Shodan requests will show much more," according to ERPScan.

Shodan is a specialist search engine that enables people to find particular systems or internet infrastructure.

Many users of PeopleSoft's ERP suite have held off from upgrading to Oracle Fusion, the unified ERP suite intended to bring legacy JD Edwards, PeopleSoft and Oracle ERP software users together on one platform.

Part of the reason for the resistance is the upheaval and cost required to implement such a shift, while some object to the "forced march" from one system, with which they are satisfied, to another.

The attitude of Oracle, says Polyakov, contrasts with that at rival SAP, which has recently given security a much higher priority and embraced third party reports, and the work of security companies such as ERPScan.

"Three years ago, SAP was no different from Oracle. Recently, though, there have been some changes, making security one of the top priorities at the company," said Polyakov. As a result, SAP has become more open to security reports from third parties, and more responsive in dealing with them, since a spike in reports in 2010. The problem, he says, is the number of web-facing applications installed when SAP - or other software - is implemented or upgraded.

"For example, SAP installs the latest version of the SAP portal, which includes about 1,000 small web applications and most of them have vulnerabilities," said Polyakov.

Organisations ought to disable many of these applications manually if they are not being used. "It [SAP] is becoming more secure by default, but administrators and the people who implement it must care about security - but they don't," he added.

Polyakov also claimed that current versions of Microsoft's ERP software, called Dynamics, which is based on its Great Plains platform, are architecturally flawed from a security perspective. "We have information about Microsoft Dynamics, a critical architectural issue that cannot be patched," said Polyakov.

Legacy risks

Polyakov warned that companies still running legacy ERP software - especially 1990s client/server systems - should also be wary of attack.

Many organisations continue to use ageing platforms - such as PeopleSoft, Marcam, JBA System21, Baan and others - because they fulfil a role. But they are unaware of the inherent security flaws, especially if those systems are exposed in any way to the internet.

"People use old versions, which are sometimes not supported and also old versions that have some critical architectural issues," claims Polyakov.

For example, old-style two-tier client/server ERP applications typically enforce security on the client side, where it can be modified to, for instance, escalate privileges; that also makes them vulnerable to phishing and email-borne malware attacks.
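The client-side enforcement problem described above, as an added illustration that is not code from the article or from ERPScan: a toy two-tier ledger in which the only authorisation check lives in the client, beside a server-side design that decides privilege from its own role table and ignores whatever the client claims about itself. All class names, roles, accounts and balances are constructed for the example.

```python
"""
Added example (not from the article or ERPScan): client-side versus
server-side authorisation in a toy ERP ledger. Everything here is constructed.
"""
from dataclasses import dataclass, field


# --- Constructed data store standing in for the ERP database ----------------
@dataclass
class Ledger:
    balances: dict = field(default_factory=lambda: {"acct-100": 1000})
    audit: list = field(default_factory=list)


# --- Pattern 1: two-tier design, the trust decision is made in the client ---
class ThickClient:
    """The client decides whether the user may post a journal entry.
    The database-tier function below accepts whatever it is sent, so any
    code running in the user's session (e.g. malware delivered by a phishing
    mail) can change the flag or call post_entry_unchecked() directly."""

    def __init__(self, user: str, is_approver: bool):
        self.user = user
        self.is_approver = is_approver  # privilege flag held by the client

    def post_entry(self, ledger: Ledger, acct: str, amount: int) -> bool:
        if not self.is_approver:  # the only check, and it lives client-side
            return False
        post_entry_unchecked(ledger, self.user, acct, amount)
        return True


def post_entry_unchecked(ledger: Ledger, user: str, acct: str, amount: int) -> None:
    """Database tier: has no notion of who is allowed to do this."""
    ledger.balances[acct] = ledger.balances.get(acct, 0) + amount
    ledger.audit.append((user, acct, amount))


# --- Pattern 2: three-tier design, the trust decision is made on the server -
class AppServer:
    """Application tier owns the role table; clients only send requests.
    Privilege is looked up by authenticated identity, never taken from the
    request payload."""

    def __init__(self, ledger: Ledger, approvers: set):
        self.ledger = ledger
        self.approvers = approvers  # authoritative, server-side

    def post_entry(self, user: str, acct: str, amount: int,
                   claimed_approver: bool = False) -> bool:
        # `claimed_approver` is deliberately ignored: client assertions carry no weight
        if user not in self.approvers:
            self.ledger.audit.append(("DENIED", user, acct, amount))
            return False
        self.ledger.balances[acct] = self.ledger.balances.get(acct, 0) + amount
        self.ledger.audit.append((user, acct, amount))
        return True


def demo() -> dict:
    """Run both patterns with the same unprivileged user and return the outcomes."""
    results = {}

    # Two-tier: the honest client path refuses...
    l1 = Ledger()
    client = ThickClient("clerk", is_approver=False)
    results["two_tier_honest"] = client.post_entry(l1, "acct-100", 500)
    # ...but the flag is just client state, so altering it is enough
    client.is_approver = True
    results["two_tier_tampered"] = client.post_entry(l1, "acct-100", 500)
    results["two_tier_balance"] = l1.balances["acct-100"]

    # Three-tier: the same claim from the client has no effect
    l2 = Ledger()
    server = AppServer(l2, approvers={"controller"})
    results["three_tier_claimed"] = server.post_entry("clerk", "acct-100", 500,
                                                      claimed_approver=True)
    results["three_tier_balance"] = l2.balances["acct-100"]
    results["three_tier_legit"] = server.post_entry("controller", "acct-100", 500)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is in `AppServer.post_entry`: the role lookup keys on the authenticated identity, and the denied attempt still lands in the audit trail, which is what gives a security team something to detect. Moving a legacy two-tier system behind an application tier that does this is the mitigation the architecture otherwise lacks.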

Polyakov recommended that the first thing that all organisations ought to do to improve security is to close ports and web applications not in use, to implement automated scanning tools to ensure that basic security is maintained, and to conduct regular penetration testing.
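Two of the recommendations on this page, disabling portal web applications that nobody uses and closing ports that are not needed while keeping basic checks automated, can be scripted as a periodic exposure review. The following is an added example, not code from the article, ERPScan, SAP or Oracle: it takes a constructed `ss -ltn`-style listener snapshot, a constructed inventory of deployed web applications and a few constructed access-log lines, and reports externally bound listeners missing from an approved baseline together with deployed applications that saw no traffic in the review window. All hostnames, paths, ports and dates are made up; the baseline dictionary and the 90-day window are assumptions for the example.

```python
"""
Added example (not from the article or any vendor): a small exposure-review
script that flags unexpected listeners and idle web applications.
All inputs below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed `ss -ltn`-style snapshot, header line included as the tool prints it
LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*
LISTEN 0      128    0.0.0.0:1521        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
"""

# Assumed approved baseline: port -> reason. Any other externally bound port is flagged.
BASELINE = {443: "portal HTTPS", 8000: "app server (reverse-proxied)"}

# Constructed inventory of web applications deployed under the portal
DEPLOYED_APPS = ["/portal/hr", "/portal/suppliers", "/portal/demo_lab", "/portal/old_reports"]

# Constructed access log (common log format); review window ends 2015-08-15
ACCESS_LOG = """\
10.0.0.5 - - [14/Aug/2015:09:12:01 +0000] "GET /portal/hr/ HTTP/1.1" 200 5120
10.0.0.9 - - [14/Aug/2015:10:40:13 +0000] "POST /portal/suppliers/invoice HTTP/1.1" 302 0
10.0.0.5 - - [02/Mar/2015:11:00:00 +0000] "GET /portal/old_reports/ HTTP/1.1" 200 900
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")
LOG_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}):[^\]]+\]\s+"\w+\s+(\S+)\s')


def unexpected_listeners(snapshot: str, baseline: dict) -> list:
    """Return (address, port) pairs for externally bound listeners not in the baseline."""
    found = []
    for line in snapshot.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header or unparseable row
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only services are not reachable from outside
        if port not in baseline:
            found.append((addr, port))
    return found


def idle_apps(deployed: list, log: str, window_end: datetime, days: int) -> list:
    """Return deployed application prefixes with zero requests inside the window."""
    window_start = window_end - timedelta(days=days)
    hits = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y")
        if not (window_start <= when <= window_end):
            continue  # traffic outside the review window does not count
        path = m.group(2)
        for app in deployed:
            if path == app or path.startswith(app + "/"):
                hits[app] += 1
    return [app for app in deployed if hits[app] == 0]


def review() -> dict:
    """Run both checks over the constructed inputs."""
    end = datetime(2015, 8, 15)
    return {
        "unexpected_listeners": unexpected_listeners(LISTENERS, BASELINE),
        "idle_apps": idle_apps(DEPLOYED_APPS, ACCESS_LOG, end, days=90),
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(name, value)
```

Run from a scheduled job, the two lists are the work queue Polyakov describes: each unexpected listener is either added to the baseline with a reason or closed, and each idle application is a candidate to disable rather than leave reachable by default.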