-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0161
                Security Advisory: Oracle E-Business Suite
                               18 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle E-Business Suite
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account      
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-3018 CVE-2018-3017 CVE-2018-3012
                      CVE-2018-3008 CVE-2018-2997 CVE-2018-2996
                      CVE-2018-2995 CVE-2018-2994 CVE-2018-2993
                      CVE-2018-2991 CVE-2018-2988 CVE-2018-2954
                      CVE-2018-2953 CVE-2018-2934 
Member content until: Friday, August 17 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Oracle
        E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3,
        12.2.4, 12.2.5, 12.2.6 and 12.2.7. [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerabilities:
        
        "This Critical Patch Update contains 14 new security fixes
        for the Oracle E-Business Suite. 13 of these
        vulnerabilities may be remotely exploitable without
        authentication, i.e., may be exploited over a network
        without requiring user credentials." [1]
        
        
        
        "CVE-2018-2993
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle CRM
        Technical Foundation.  Successful attacks require human
        interaction from a person other than the attacker and while
        the vulnerability is in Oracle CRM Technical Foundation,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well
        as  unauthorized update, insert or delete access to some of
        Oracle CRM Technical Foundation accessible data.
        
        CVE-2018-3017
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle CRM
        Technical Foundation.  Successful attacks require human
        interaction from a person other than the attacker and while
        the vulnerability is in Oracle CRM Technical Foundation,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well
        as  unauthorized update, insert or delete access to some of
        Oracle CRM Technical Foundation accessible data.
        
        CVE-2018-2995
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle iStore.
        Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in  unauthorized access to critical data or complete
        access to all Oracle iStore accessible data as well as
        unauthorized update, insert or delete access to some of
        Oracle iStore accessible data.
        
        CVE-2018-3018
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle iStore.
        Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in  unauthorized access to critical data or complete
        access to all Oracle iStore accessible data as well as
        unauthorized update, insert or delete access to some of
        Oracle iStore accessible data.
        
        CVE-2018-3008
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2 and
        12.1.3. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle Marketing.  Successful attacks require
        human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Marketing, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized access to
        critical data or complete access to all Oracle Marketing
        accessible data as well as  unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
        
        CVE-2018-2953
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle One-to-One
        Fulfillment.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle One-to-One Fulfillment, attacks
        may significantly impact additional products. Successful
        attacks of this vulnerability can result in  unauthorized
        access to critical data or complete access to all Oracle
        One-to-One Fulfillment accessible data as well as
        unauthorized update, insert or delete access to some of
        Oracle One-to-One Fulfillment accessible data.
        
        CVE-2018-2997
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2 and
        12.1.3. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle Scripting.  Successful attacks require
        human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Scripting, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized access to
        critical data or complete access to all Oracle Scripting
        accessible data as well as  unauthorized update, insert or
        delete access to some of Oracle Scripting accessible data.
        
        CVE-2018-2991
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Trade
        Management.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle Trade Management, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized access to
        critical data or complete access to all Oracle Trade
        Management accessible data as well as  unauthorized update,
        insert or delete access to some of Oracle Trade Management
        accessible data.
        
        CVE-2018-3012
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Trade
        Management.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle Trade Management, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized access to
        critical data or complete access to all Oracle Trade
        Management accessible data as well as  unauthorized update,
        insert or delete access to some of Oracle Trade Management
        accessible data.
        
        CVE-2018-2996
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.1.3, 12.2.3,
        12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily exploitable
        vulnerability allows unauthenticated attacker with network
        access via HTTP to compromise Oracle Applications Manager.
        Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to
        all Oracle Applications Manager accessible data.
        
        CVE-2018-2954
        
        7.0
        
        AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7.
        Difficult to exploit vulnerability allows low privileged
        attacker with logon to the infrastructure where Oracle Order
        Management executes to compromise Oracle Order Management.
        Successful attacks of this vulnerability can result in
        takeover of Oracle Order Management.
        
        CVE-2018-2988
        
        6.9
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7.
        Difficult to exploit vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Marketing.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle Marketing, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized access to
        critical data or complete access to all Oracle Marketing
        accessible data as well as  unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
        
        CVE-2018-2934
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
        
        The supported version that is affected is 12.1.3. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle
        Application Object Library.  Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle Application Object Library
        accessible data.
        
        CVE-2018-2994
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 12.1.1, 12.1.2,
        12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and  12.2.7. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle iStore.
        Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of Oracle iStore
        accessible data." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2018
            http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

        [2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----