January 20, 2015 (updated 19 Aug 2016 12:21pm)

Pseudo-backdoor found on Oracle E-Business suite

Security researcher "flabbergasted" at flaw granting admin rights to all.

By Jimmy Nicholls

Oracle’s E-Business suite has come under scrutiny after a researcher discovered what appeared to be a backdoor in certain versions of the software that could lead to a fully compromised database server.

While conducting a security assessment for a client, David Litchfield found that every user had mistakenly been granted the ability to create an index in the DUAL table, a "dummy" table on which administrative functions can be executed.

"There is no legitimate reason to create an index on DUAL. None whatsoever," he said. "If you wanted to leave a very subtle backdoor it does make perfect sense, however."
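An added check, not from the article or from Oracle, that a DBA can run to find the grant Litchfield describes and any index already created on DUAL; it assumes the standard Oracle data-dictionary views DBA_TAB_PRIVS and DBA_INDEXES, and the grantee name in the revoke is a placeholder:

```sql
-- Added example (not from the article or from Oracle): run as a DBA.
-- 1. Who holds the INDEX privilege on SYS.DUAL? A row for PUBLIC means
--    "every user", which is what Litchfield found. Expected: no rows.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DUAL'
   AND privilege  = 'INDEX';

-- 2. Has anyone already used it? DUAL should carry no user-created
--    index at all, so any row here deserves investigation.
SELECT owner, index_name, index_type
  FROM dba_indexes
 WHERE table_owner = 'SYS'
   AND table_name  = 'DUAL';

-- 3. Remove the grant for each grantee returned by query 1
--    (<GRANTEE> is a placeholder, e.g. PUBLIC). Oracle noted that the
--    fix needed regression testing, so stage this change first.
-- REVOKE INDEX ON sys.dual FROM <GRANTEE>;
```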

Litchfield and his company thought a hacker might have inserted the apparent backdoor into their systems, but on investigation discovered that Oracle was responsible for the security hole.

Stranger still, the software vendor found no record of why the flaw existed or what purpose it served.

"I looked through the bug and there is no indication of when or why the grants were originally added," a spokesman from Oracle told Litchfield in an email.

"Development is going with the assumption that it was not necessary and removing the added grants. However, it is hard to tell for certain. As you can imagine, this requires a lot of additional testing to ensure it does not break existing functionality," the Oracle spokesperson concluded.


Litchfield said that he was "flabbergasted" at the story, and hoped it was merely an error.

"I’ll leave the conspiracy theories for others," he added.
