Infosys’ blog on industry solutions, trends, business process transformation and global implementation in Oracle.


Security vulnerability in Hyperion EPM

This blog post lists security vulnerabilities and threats present in the EPM system that can lead to misuse of highly sensitive financial data and information.

Data and information security is an important concern for every organization, and when a system stores, processes and manages highly sensitive financial data, it becomes even more critical for the organization to apply the strongest controls to ensure system and data security.

The EPM suite delivers a comprehensive, integrated set of applications with a common web interface and reporting tools. It stores and processes financial information for organizations in many sectors (banking, manufacturing, healthcare and the public sector, for example). Vulnerabilities and threats present in such a system can have a huge negative impact on those organizations.

I am listing a few critical security vulnerabilities that are present in the EPM system:

  • Reflected Cross-Site Scripting: Hyperion EPM processes user input on the server without validating it. This makes the application vulnerable to reflected cross-site scripting: the malicious input is reflected back in the subsequent HTTP response. With a compromised user session, an attacker can perform unauthorized actions in the system, such as tracking the user's operations, redirecting the user to a fake site, modifying the web page, and exploiting the browser.

  • Unrestricted File Upload to the Hyperion system: The Hyperion web application does not validate the type or content of files before they are stored on the server. Executable files can be uploaded to and downloaded from the server. This allows an attacker to upload malicious files (viruses, malware, trojans or other executables) with the intention of their being downloaded by other users.

  • Clear Text Traffic: The Hyperion application servers and infrastructure are not configured to enforce encryption when communicating with other hosts. A highly sensitive system whose communication is not encrypted is exposed to a number of passive and active network attacks that may result in the interception and/or modification of the transmitted data.

  • Web Server Version Disclosure: The Hyperion web servers expose sensitive information in their response headers.

    As part of the HTTP/1.1 standard, web application servers append information about the software used to handle the request (the Server header) to the response headers. These headers unintentionally reveal sensitive information such as the server type and version. Knowing the server type and version allows an attacker to look up published vulnerabilities for that specific server, and the information gained can be used to launch more targeted, sophisticated attacks against the system.

  • Client Side Control Bypass: The Hyperion web application relies on client-side controls to prevent users from accessing certain functionality.

    By modifying HTML elements and JavaScript responses, users without authorization can access the Configuration Settings and Credentials Used For Pass-Through functionality.

    A malicious user can modify the configuration settings and pass-through credentials without the required permissions, which may cause integrity and non-repudiation issues.

  • Improper SSO Token Expiration: When a user issues a disconnect command (clicks the disconnect button), the Hyperion SmartView/Disclosure Management plugin does not invalidate the user's SSO token. An attacker can use this opportunity to hijack the session in the application, then view sensitive information and perform actions on behalf of the victim user.
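As an added illustration (example code written for this post, not code from the Hyperion product), the reflected cross-site scripting item above comes down to output encoding: the same reflected value rendered raw, rendered with HTML-entity encoding for the body, and URL-encoded for a link, together with the check a reviewer runs over captured responses to see whether the value that was sent came back verbatim. The query value is a constructed test string and the render_* and tags_in names are hypothetical.

```python
import html
import re
from urllib.parse import quote

# Constructed test value (not a payload taken from any real system): a query
# parameter containing markup and quotes, the kind of input a reflected-XSS
# review sends to see whether it comes back unchanged.
UNTRUSTED_QUERY = '<script>alert(1)</script> "quoted"'


def render_vulnerable(query: str) -> str:
    """The pattern the post describes: the raw value is reflected into the
    HTML body without validation or encoding."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """Same page, with the value entity-encoded for the HTML body context
    (&, <, >, " and ' are replaced), so the browser renders it as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_repeat_link(query: str) -> str:
    """A value placed into a URL inside an attribute needs URL encoding, not
    HTML encoding; each output context has its own encoder."""
    return f'<a href="/search?q={quote(query, safe="")}">repeat search</a>'


def reflected_verbatim(response_body: str, sent_value: str) -> bool:
    """Detection check run over captured responses: True when the exact value
    that was sent appears unencoded in the body, i.e. the input was reflected
    without output encoding."""
    return sent_value in response_body


TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def tags_in(response_body: str) -> list:
    """Lists the HTML tags present in a body; useful to confirm that only the
    page's own skeleton (here a single <p>) survives after encoding."""
    return TAG_RE.findall(response_body)
```

The point of the third renderer is that encoding is context-specific: entity encoding protects the HTML body, URL encoding protects a query string, and a value that crosses both contexts needs both.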
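An added example (not Oracle's code) of the server-side checks the unrestricted file upload item calls for: the client-supplied name is reduced to a basename, the extension is matched against an allowlist, the leading bytes are compared with the signature expected for that type and with known executable signatures, and the name under which the file is stored is chosen by the server. The allowlist, the size limit and the function names are assumptions made for the example.

```python
import os
import secrets
from typing import Dict, List, Tuple

# Allowlist of accepted extensions and the leading bytes ("magic") a genuine
# file of that type starts with. Constructed for this example; a deployment
# lists exactly the formats its upload feature needs.
ALLOWED_TYPES: Dict[str, List[bytes]] = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".xlsx": [b"PK\x03\x04"],  # OOXML documents are zip containers
    ".csv": [],                # plain text has no magic; checked as UTF-8 below
}

# Leading bytes of common executable and script formats. Rejected regardless
# of what the client-supplied filename claims.
EXECUTABLE_MAGIC: List[bytes] = [
    b"MZ",                  # Windows PE
    b"\x7fELF",             # ELF
    b"#!",                  # shebang scripts
    b"\xca\xfe\xba\xbe",    # Java class / Mach-O fat binary
    b"\xcf\xfa\xed\xfe",    # Mach-O 64-bit
]

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for the example


def validate_upload(client_filename: str, content: bytes) -> Tuple[bool, str]:
    """Returns (accepted, reason). Every decision is made on the server from
    the bytes actually received; the client-supplied name is used only to pick
    the expected type and is never trusted on its own."""
    # Strip any directory the client sent ("../../x.pdf" becomes "x.pdf").
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "invalid filename"
    _, ext = os.path.splitext(name.lower())  # last extension only: a.pdf.exe -> .exe
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not allowed"
    if not content:
        return False, "empty file"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    for magic in EXECUTABLE_MAGIC:
        if content.startswith(magic):
            return False, "executable content rejected"
    expected = ALLOWED_TYPES[ext]
    if expected and not any(content.startswith(m) for m in expected):
        return False, f"content does not match {ext}"
    if ext == ".csv":
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return False, "csv must be UTF-8 text"
    return True, "ok"


def storage_name(client_filename: str) -> str:
    """Server-chosen name for the stored object: a random token plus the
    validated extension, so the client controls neither path nor name."""
    _, ext = os.path.splitext(os.path.basename(client_filename).lower())
    return secrets.token_hex(16) + ext
```

Serving uploaded files from a location the web server does not execute, and with a Content-Disposition of attachment, is the companion control: even a file that passes these checks is then delivered as data rather than run.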
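The clear text traffic and web server version disclosure items are both things you can check from a captured response. The following added example (not from the post or from the product) parses two constructed HTTP responses, with placeholder server names and versions rather than anything observed on a real Hyperion host, and reports a version-bearing Server or X-Powered-By header, a cleartext scheme, a missing Strict-Transport-Security header, and session cookies without the Secure or HttpOnly flags. The header list and the audit_response name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample responses. The server names and versions are placeholders
# for the example, not values captured from any real Hyperion host.
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD/2.4.1 (Unix)\r\n"
    "X-Powered-By: Servlet/3.0 JSP/2.2\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly carry software name and version details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Splits a raw HTTP response into a lower-cased header map; repeated
    headers such as Set-Cookie keep every value."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw_response: str, scheme: str) -> List[str]:
    """Returns a list of findings; an empty list means the response passed."""
    findings: List[str] = []
    h = parse_headers(raw_response)
    for name in DISCLOSING_HEADERS:
        for value in h.get(name, []):
            # A bare product name in Server is tolerated; a version number, or
            # any X-Powered-By style header at all, is a disclosure.
            if name != "server" or VERSION_RE.search(value):
                findings.append(f"{name} discloses software details: {value}")
    if scheme.lower() != "https":
        findings.append("response was served over cleartext HTTP")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security header missing")
    for cookie in h.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {cookie_name} lacks Secure flag")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name} lacks HttpOnly flag")
    return findings
```

Run against your own deployment's responses, the same function doubles as a regression check after the web tier is reconfigured to strip version tokens, redirect to HTTPS and set HSTS.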
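The last two items, client side control bypass and improper SSO token expiration, share one remedy: the server keeps its own session record, decides authorization from that record rather than from anything the client sent, and destroys it on disconnect. The example below is added here and is not Hyperion's implementation; SessionStore, update_pass_through_credentials, the role names and the 900-second idle timeout are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Session:
    user: str
    roles: Set[str]
    last_seen: float


class SessionStore:
    """Server-side session table: the token is only a lookup key, and the
    record it points to is what a disconnect must destroy."""

    def __init__(self, idle_timeout: float = 900.0,
                 now: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._now = now  # injectable clock so the timeout can be exercised

    def login(self, user: str, roles: Set[str]) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._sessions[token] = Session(user, set(roles), self._now())
        return token

    def disconnect(self, token: str) -> None:
        """What the disconnect button must do: remove the server-side record,
        so the token cannot be replayed even if a copy was captured."""
        self._sessions.pop(token, None)

    def resolve(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._now()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[token]  # idle too long: treated like a disconnect
            return None
        session.last_seen = now
        return session


def update_pass_through_credentials(store: SessionStore, token: str,
                                    params: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for the sensitive action the post names.
    Authorization is decided from the server-side session; anything the
    client put in the request (for example a hidden isAdmin field, or a
    button that was merely hidden by JavaScript) plays no part."""
    session = store.resolve(token)
    if session is None:
        return 401, "no valid session"
    if "admin" not in session.roles:
        return 403, "forbidden"
    return 200, f"settings updated by {session.user}"


def walkthrough() -> Tuple[Tuple[int, str], ...]:
    """Runs the scenario with an injected clock and returns each outcome:
    admin succeeds, viewer with a forged isAdmin parameter is refused,
    the disconnected admin token is dead, and the idle viewer session expires."""
    clock = [1000.0]
    store = SessionStore(idle_timeout=900.0, now=lambda: clock[0])
    admin = store.login("alice", {"admin"})
    viewer = store.login("bob", {"viewer"})
    r1 = update_pass_through_credentials(store, admin, {})
    r2 = update_pass_through_credentials(store, viewer, {"isAdmin": "true"})
    store.disconnect(admin)
    r3 = update_pass_through_credentials(store, admin, {})
    clock[0] += 901.0
    r4 = update_pass_through_credentials(store, viewer, {})
    return r1, r2, r3, r4
```

The walkthrough covers both failure modes from the list: the forged client-side flag changes nothing because the handler never reads it, and the disconnected token fails to resolve because the record behind it is gone, not because the client forgot it.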

Some of these vulnerabilities can be remediated by applying the fix provided by the vendor, so it is highly recommended to raise them with the vendor to seek remediation.

