Security researcher has last laugh over Oracle

'The best way to make researchers mad is to tell them you don't need them', says ERPScan as Oracle plugs six vulnerabilities the research firm discovered in its code

Two months after effectively being told to mind its own business by Oracle, a security research firm says six vulnerabilities it discovered in Oracle's software were patched by the vendor this month.

In a blog post that Oracle swiftly removed, Oracle CSO Mary Ann Davidson revealed in August that the vendor was clamping down on customers and consultants who "reverse engineer" its code in an effort to find vulnerabilities in it.

Of the 12 vulnerabilities Oracle closed in its flagship E-Business Suite in its recent Critical Patch Update for October 2015, six were exposed by ERPScan, the security research firm has claimed.

Alexander Polyakov, chief technology officer at ERPScan, who was among those who criticised Davidson's blog post at the time, claimed Oracle needs all the help it can get finding flaws in its code.

"The best way to make researchers mad is to tell them you don't need them," Polyakov told CRN.

"It took us less than a day to find a dozen issues in Oracle's most critical business application - Oracle E-Business Suite - and I can't say that it was really hard. XSS, SQL injection, XXE and user enumeration vulnerabilities - the basics of application security are here. All of them were identified by interns from our research team easily. What else can I add?"

According to ERPScan, the six vulnerabilities it discovered and Oracle plugged were a cross-site scripting (XSS) vulnerability, a SQL injection vulnerability, XML external entity (XXE) injection vulnerabilities and a user enumeration vulnerability. Some of those issues (the SQL injection and XXE injections) allow an attacker to gain unauthorised access to the business application with administrator rights, ERPScan claimed.

Back in August, Davidson argued that the practice of reverse-engineering breaches Oracle's Ts and Cs, adding that Oracle is "pretty good" at analysing its own code and finds 87 per cent of security vulnerabilities itself.

But some argued at the time that Oracle should be encouraging - rather than condemning - researchers for finding chinks in its code at a time when ERP software is coming under increasingly widespread attack from cybercriminals.

Oracle declined to comment but made it clear at the time that it pulled Davidson's post because it did not "reflect its beliefs".