Oracle E-Business Suite Multiple Vulnerabilities

by Carol~ Moderator - 1/16/13 12:39 PM

In Reply to: VULNERABILITIES / FIXES - January 16, 2013 by Carol~ Moderator

Release Date: 2013-01-16

Criticality level: Moderately critical
Impact: Manipulation of data
        Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: Oracle E-Business Suite 11i
          Oracle E-Business Suite 12.x

Description:
Multiple vulnerabilities have been reported in Oracle E-Business Suite, which can be exploited by malicious users and malicious people to disclose potentially sensitive information and manipulate certain data.

1) An error within the Diagnostics subcomponent of Oracle Applications Framework can be exploited to read, update, insert, or delete certain Oracle Applications Framework accessible data.

2) An error within the Application Framework subcomponent of Oracle CRM Technical Foundation can be exploited to read, update, insert, or delete Oracle CRM Technical Foundation accessible data.

3) An error within the Campaign Management subcomponent of Oracle Marketing can be exploited to read, update, insert, or delete Oracle Marketing accessible data.

4) An error within the UWQ Server Issues subcomponent of Oracle Universal Work Queue can be exploited to read, update, insert, or delete Oracle Universal Work Queue accessible data.

5) An error within the Security Groups subcomponent of Human Resources can be exploited to read, update, insert, or delete certain Human Resources accessible data.

6) An error within the Diagnostics subcomponent of Oracle Applications Framework can be exploited to update, insert, or delete certain Oracle Applications Framework accessible data.

7) An error within the Client System Analyzer subcomponent of Oracle Applications Technology Stack can be exploited to update, insert, or delete certain Oracle Applications Technology Stack accessible data.

8) An error within the View Payslip subcomponent of Oracle Payroll can be exploited to update, insert, or delete certain Oracle Payroll accessible data.

9) An error within the Bookmarkable Pages subcomponent of Oracle Applications Framework can be exploited to update, insert, or delete certain Oracle Applications Framework accessible data.

The vulnerabilities are reported in versions 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixEBS

http://secunia.com/advisories/51886/