Positive Technologies — Information Security, Compliance Management, Consulting. MaxPatrol Compliance and Vulnerability Management System.

Positive Technologies Uncovers Security Vulnerabilities in Oracle Siebel CRM

24 February 2014

Oracle Siebel leads the CRM market by number of deployments, and has more than 5 million users at more than 4,500 of the biggest energy, telecom, industrial and other companies all over the world.

During a study of Oracle Siebel CRM security, Positive Technologies’ experts detected multiple security flaws that could trigger remote command execution, internal network resources and file system availability, denial of service and sensitive data disclosure. Such vulnerabilities as CVE-2013-3841, CVE-2013-5761, CVE-2013-3840, CVE-2013-1510 and CVE-2013-5867 were detected in Oracle Siebel CRM versions 8.1.1 and 8.2.2.

In addition, the oldest and most well-known DBMS Oracle Database was found to contain CVE-2013-5771, a vulnerability which allows a malware user to access remote resource contents and conduct DoS attacks. This issue is common for Oracle Database 11.1.0.7, 11.2.0.2, 11.2.0.3 and 12.1.0.1.

A Critical Patch Update (CPU), a cumulative security patch fixing the above mentioned flaws, was released by Oracle in mid-October. It is worth noting that checks for the vulnerabilities detected were added to the knowledge base of Positive Technologies Compliance and Vulnerability Management System; MaxPatrol. Also, some of these security flaws were discovered by MaxPatrol heuristic mechanisms before the knowledge base update.

"Positive Technologies is actively integrating business applications and ERP systems support into its products," commented Alexey Yudin, the Head of Database and Business Application Security at Positive Technologies. “Oracle Siebel CRM is maintained by Oracle EBS and SAP systems now. The system's key feature is its significant integration with business processes and multiple connections with other enterprise applications. Unfortunately, the system security issues are usually ignored due to system complexity. The goal we set is to help companies assess and improve their critical systems' security level.”

Back to the list