By now, most Oracle Agile PLM users are aware the software is rapidly approaching its end of life. Version 9.3.6 will be the last major release of Agile PLM—and that was originally released in early 2017.
While a number of companies using Agile PLM have moved or are moving to a modern cloud PLM, some have decided to wait for as long as possible. Those who’ve chosen this route should be concerned about putting their companies—and by extension their own careers—at risk given the security vulnerabilities present with Agile.
In the past 12 months alone, the National Institute of Standards and Technology (NIST) Vulnerability Database has reported three Oracle Agile vulnerabilities with a Common Vulnerability Scoring System (CVSS) severity of “High” and a fourth with a severity of “Medium.”
Although Oracle continues to issue patches for Agile (such as the three issued in April and the seven issued in July), IT leaders should be asking whether a code base approaching eight years of age can provide the security required to protect the crown jewel that is product data.
Code and User Capabilities Stuck in Time
Let’s pause for a moment to consider what has happened since the last major Agile PLM release.
Two presidents served almost their entire four years in office, with some major policy differences between them. We had a global pandemic that impacted supply chains across the world and spurred the work-from-home trend, which is now a return-to-office trend. Generative AI from providers like ChatGPT, Google, and Salesforce rose to prominence. And green tech has exploded, with EVs surpassing 10 million sales last year while the cost of lithium-ion batteries has dropped 80% since 2010.
Through all of this and many more challenges, Agile PLM users have remained on the same code, with the same capabilities: a once-great piece of software that has failed to keep up with changing user needs because Oracle has not invested in a new version since 2017.
This leads to many problems for IT leaders to solve. How does an eight-year-old code base maintain compatibility with browsers and operating systems that receive multiple version updates each year? How do remote workers access an on-premises Agile PLM solution that was developed before cloud solutions became the industry standard? How can data and workflows extend from Agile PLM to other cloud solutions to maximize productivity?
IT leaders are a resilient bunch, and they have found workarounds for these problems and more. But each represents another potential entry point for bad actors, on top of the vulnerabilities with Agile PLM itself.
The Impact of Agile PLM Vulnerabilities
Those wanting to learn more about these security issues can visit the NIST vulnerability database and search “Oracle Agile” or “Agile PLM”. The software contains multiple vulnerabilities that are easily exploitable, often with minimal technical skill.
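The NVD lookup the post describes can also be done against the NVD CVE API 2.0 so the result lands in a ticket rather than a browser tab. The script below is an added example, not code from the original post, from Propel, or from Oracle: it parses the API's response shape, tallies entries by CVSS base severity inside a publication window, and lists the HIGH/CRITICAL ids for patch tracking. The SAMPLE_RESPONSE is constructed and its CVE ids are placeholders; the window start (SINCE) and the `fetch` helper's request parameters are assumptions about the live API and are not exercised offline.

```python
"""Tally NVD entries for a product keyword by CVSS base severity.

Added example: not code from the original post, Propel, or Oracle. It parses
the NVD CVE API 2.0 response shape and counts entries per severity inside a
publication window. SAMPLE_RESPONSE is constructed; its ids are placeholders.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)  # window start (assumption)


def base_severity(cve: dict) -> str:
    """Primary CVSS severity of one NVD 'cve' object, preferring v3.1 > v3.0 > v2.

    In v3 metric records the severity lives inside cvssData; in v2 records it
    is a sibling of cvssData, so both shapes are handled.
    """
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for rec in metrics.get(key, []):
            sev = rec.get("cvssData", {}).get("baseSeverity")
            if sev:
                return sev.upper()
    for rec in metrics.get("cvssMetricV2", []):
        sev = rec.get("baseSeverity")
        if sev:
            return sev.upper()
    return "UNKNOWN"


def summarize(response: dict, since: datetime) -> dict:
    """Count CVEs published on or after `since`, keyed by severity.

    HIGH/CRITICAL ids are returned separately so they can go straight into a
    patch-tracking ticket.
    """
    counts, urgent = Counter(), []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        # NVD timestamps carry no zone designator; they are UTC.
        published = datetime.fromisoformat(cve["published"]).replace(tzinfo=timezone.utc)
        if published < since:
            continue
        sev = base_severity(cve)
        counts[sev] += 1
        if sev in ("HIGH", "CRITICAL"):
            urgent.append(cve["id"])
    return {"counts": dict(counts), "urgent": sorted(urgent)}


def fetch(keyword: str, start: datetime, end: datetime, api_key: str = "") -> dict:
    """Pull one page of live NVD results for `keyword` (needs network; not run here).

    NVD caps a pubStartDate..pubEndDate range at 120 days, so a 12-month review
    is fetched in slices; startIndex pagination is omitted for brevity.
    """
    if end - start > timedelta(days=120):
        raise ValueError("NVD limits a publication date range to 120 days per request")
    fmt = "%Y-%m-%dT%H:%M:%S.000"
    query = urllib.parse.urlencode({"keywordSearch": keyword,
                                    "pubStartDate": start.strftime(fmt),
                                    "pubEndDate": end.strftime(fmt)})
    req = urllib.request.Request(f"{NVD_API}?{query}")
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _entry(cve_id, published, version, severity):
    """Build one constructed NVD-style record (sample data only)."""
    if version == "2.0":
        metric = {"cvssMetricV2": [{"cvssData": {"version": "2.0"}, "baseSeverity": severity}]}
    else:
        metric = {f"cvssMetricV{version.replace('.', '')}": [
            {"cvssData": {"version": version, "baseSeverity": severity}}]}
    return {"cve": {"id": cve_id, "published": published, "metrics": metric}}


# Constructed sample in the NVD 2.0 response shape; the ids are placeholders.
SAMPLE_RESPONSE = {"vulnerabilities": [
    _entry("CVE-0000-0001", "2024-04-16T22:15:07.407", "3.1", "HIGH"),
    _entry("CVE-0000-0002", "2024-07-16T23:15:12.110", "3.1", "HIGH"),
    _entry("CVE-0000-0003", "2024-07-16T23:15:12.330", "3.1", "MEDIUM"),
    _entry("CVE-0000-0004", "2024-10-15T20:15:03.900", "3.0", "HIGH"),
    _entry("CVE-0000-0005", "2024-05-01T00:00:00.000", "2.0", "LOW"),
    _entry("CVE-0000-0006", "2023-01-17T00:00:00.000", "3.1", "CRITICAL"),  # outside window
]}


def demo() -> dict:
    """Run the tally over the constructed sample."""
    return summarize(SAMPLE_RESPONSE, SINCE)


if __name__ == "__main__":
    result = demo()
    print("by severity:", result["counts"])
    print("needs a patch ticket:", ", ".join(result["urgent"]))
```

Run it as-is to see the tally over the constructed sample; swap in `fetch("Oracle Agile PLM", start, end)` in 120-day slices to review a live 12-month window, and treat anything in `urgent` as the input to a patch or mitigation ticket rather than a number to report.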
Malicious actors can leverage these flaws using tactics like phishing, stolen VPN credentials, malware on remote devices, or third-party vendor access. While securing network boundaries, enforcing strong identity management, and monitoring external access are essential defenses, these measures fall short when a zero-day exploit is combined with known vulnerabilities in Oracle Agile PLM.
By chaining a zero-day exploit with these known vulnerabilities, attackers can bypass security layers, escalate privileges, and gain deep access. For instance, an attacker could use a zero-day to breach an initial entry point such as a router, then pivot to the Oracle Agile PLM system using existing vulnerabilities, allowing them to:
- Make unauthorized changes to product designs or lifecycle data, leading to flawed or counterfeit production.
- Steal proprietary data or blueprints, causing competitive losses.
- Disrupt or corrupt critical data, resulting in production delays, quality issues, and expensive recovery processes.
These risks are not theoretical—real-world incidents illustrate the consequences. For example, Boeing’s PLM system was compromised, exposing sensitive aircraft designs, including technical specifications for the C-17 military transport aircraft, which highlighted the importance of securing PLM systems against IP theft. Similarly, Hoya Corporation suffered a ransomware attack that disrupted its PLM systems, impacting production lines and its ability to manage critical lifecycle data.
Such breaches underscore the urgent need for a modern software platform with built-in, foundational security measures to protect critical product data and intellectual property.
Why You Should Be Concerned
Manufacturers know that product data is vital to their success, and their PLM provider should provide a level of security that is commensurate with the value of their intellectual property. Only IT and business leaders can decide if the level of security provided by Oracle Agile is up to the task of protecting their crown jewels of product data. This includes vulnerabilities from the many workarounds needed to support an aging code base, as well as vulnerabilities in the code base itself.
Those who plan to remain on Agile PLM as long as possible should develop a plan to address inevitable future vulnerabilities and have a team in place to address them as quickly as possible. Those who have moved off Agile to modern cloud providers can sleep easy knowing constant security updates are an integral part of their cloud solution.
Secure Your Future with Propel Software
Your product data is your competitive edge—and it deserves more than aging, vulnerable software. Propel’s modern cloud PLM is built with security at its core, ensuring your intellectual property stays protected from evolving threats. With automatic updates, advanced encryption, and robust compliance measures, you can leave legacy vulnerabilities behind and safeguard your most critical assets.
Don’t risk your innovation. Make the switch to Propel for unmatched security.
NOV. 19, 2024 UPDATE: Since the time of writing, Oracle has disclosed an unauthenticated file disclosure flaw in Agile PLM. See details.