Security issue in ERP 10


(Nikhil Patwa) #1

I would like to report a security issue and want to know whom to talk to in Epicor @Bart_Elia

This security issue has been noticed since the early ERP 10.0 release all the way to ERP 10.2.100

Regards,
Nikhil


(Mark Wonsil) #2

If it were me, I’d file a case in EpicCare and then post the case number here so several Epicor employees might see it.

Mark W.


(Bart Elia) #3

Agreed, but most security stuff ends up in my lap anyways. We treat that quite seriously - BEliaAtEpicor.com please


(Gil Violette) #4

As do we, Bart. I’d be interested in knowing the details of the security issue, as we are investigating upgrading to 10.


(Nathan your friendly neighborhood Support Engineer) #5

When in doubt, speak with Support–that is what we’re here for :slight_smile: We know all the right people to speak to about it.


(K White) #6

What is the security issue? We are getting ready to upgrade and would be interested in what you found.
thanks Kim


(Gil Violette) #7

If there is a known security issue, the right people to speak to about it are the customers looking to upgrade.


(Mark Wonsil) #8

Mmm, I’m not so sure Gil. I’m for responsible disclosure to the vendor FIRST or you’re actually increasing the risk to the customer base.

Also, customers should be focusing on internal security practices like changing default passwords to service accounts (sysprogress or manager), blank passwords, weak ODBC logins, never using “Access All” in menu programs, etc.

At least in my experience, 10.2 is the most secure version of Epicor I have used and .200 will add multifactor authentication with Azure AD.

Mark W.


(Gil Violette) #9

Hey, I’m not locked into anything, all I can bring is my perspective.

I will say this - if upgrading to 10 introduces a security issue (and we are heavily regulated), it’s not gonna be pretty.

From a customer perspective, I’d prefer the software manufacturer be honest about the features that might not work when upgrading. Much easier to mitigate an issue when you know about it.


(Jose C Gomez) #10

A couple of things to keep in mind while talking about this topic

This forum isn’t necessarily the appropriate avenue to report an issue with security. Reaching out to support would be the best bet. As @aidacra said when in doubt call support. An open forum is certainly not the right place for that type of disclaimer and discussion. I’m glad to see that @nikhil is trying to reach the right people.

Just because someone is claiming there is a potential security issue doesn’t mean it is actually there, nor do we know what the scope of it is. So we should let Epicor do what it does and they will determine if and when to inform the users after they’ve had a chance internally to vet the information and mitigation (if required). No need to go running around like a chicken with its head cut off. Epicor is a major software company and as such they know and understand how to handle these issues and disclosures if necessary.

So please don’t worry about it until you absolutely need to and let Epicor do their job :slight_smile:


(Mark Wonsil) #11

I agree with you Gil. Once the vendor knows about an issue, it’s their responsibility to let the customer base know about a fix or how to mitigate an issue as soon as one is possible. I just don’t want script-kiddies racing the vendor to get into my system before there’s a solution.

While we have seen new releases of software by Microsoft, Progress, Apple, Google, and, yes, Epicor introduce security problems, the general trend is that the most recent versions are the most secure. The whole Equifax debacle was caused by them not staying current with their software…

Mark W.


(Bart Elia) #12

We have had a major issue happen before - there was a SQL Injection vector that occurred a few years ago that we addressed against a gazillion versions, and we pushed out the notice to update immediately when we had the fix tested, immediate blocks if you can’t update, etc.
The process is well in place and understood. It’s been a while since anything real, although we have had false reports before due to incorrect configuration, etc. I never discount it though and want to help even if it’s an admin shooting themselves in the foot. That is still a learning moment on how we can improve UX, etc. to not have that happen.


(Bart Elia) #13

FYI - the customer is in Africa so probably in bed. We reached out to them and will start the due diligence


(Bart Elia) #14

FYI - lunch so taking off my Epicor hat a sec…

I love a ton of the discussions around security, data breach handling, the tech behind HaveIBeenPwned. Troy Hunt does a great service to the industry for his efforts in highlighting security and data breach issues. We’ve never had one, knock on wood, but I love how Disqus handled matters and his discussion on it. Definitely a standard to follow:


(MIGUEL S.) #15

I think this would have been a good use of PMs until the potential issue could have been verified.


(Joshua Giese) #16

The majority of the ones I’ve ever been aware of were due to issues with .NET or Microsoft libraries LOL


(Rob Bucek) #17

OH NO!!!



(Nikhil Patwa) #18

Thank you and I request the moderator to close the topic


(Rob Bucek) #19