
Oracle patches Hyperion security hole putting financial data at risk


Oracle has issued a patch to fix several bugs in its Hyperion Product Management financial consolidation and reporting application that could be remotely exploited by hackers.

Oracle's Proactive Support team announced the fixes, confirming that they address a number of flaws in the Hyperion Planning part of the application.

The company does not offer firm details about the patch to non-registered customers, and had not responded to V3's request for further details at the time of publishing.

However, TK Keanini, chief technology officer at Lancope, told V3 that the user base and nature of data handled within Hyperion means customers should be concerned by the flaw.

"If you are running this software, it contains up-to-date business intelligence that you must keep secure. So if you are running this software it is incredibly important to keep it up to date and patched," he said.

"Ask yourself this: if the information in your Hyperion system was compromised and posted to the internet for all to see, would you be OK with that?

"The problem most companies face is that they sometimes don't know what is running on their network and this is problem number one that must be solved."

Keanini explained that companies should patch the remote access vulnerabilities as soon as possible, but added that he has yet to see any evidence of the flaws being actively exploited by hackers.

"This is not just one vulnerability but several. The CVEs that have remote access are the most important to fix first," he said.

"I have not [seen the flaws being exploited] but when data is published to the internet, it is not like attackers take the time to show their timeline and the provenance of the data.

"This is always interesting data but also a dangerous indicator because it is a lagging indicator at best."

The Hyperion patch is one of many critical fixes issued by Oracle this year. The firm released a critical update in January addressing 167 vulnerabilities across hundreds of its products, including Java.

