-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
               AUSCERT Security Bulletin ASB-2021.0090
            Oracle E-Business Suite Critical Patch Update
                             21 April 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle E-Business Suite
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise          -- Remote/Unauthenticated
                   Modify Arbitrary Files   -- Remote/Unauthenticated
                   Delete Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-2316 CVE-2021-2314 CVE-2021-2295 CVE-2021-2292
                   CVE-2021-2290 CVE-2021-2289 CVE-2021-2288 CVE-2021-2276
                   CVE-2021-2275 CVE-2021-2274 CVE-2021-2273 CVE-2021-2272
                   CVE-2021-2271 CVE-2021-2270 CVE-2021-2269 CVE-2021-2268
                   CVE-2021-2267 CVE-2021-2263 CVE-2021-2262 CVE-2021-2261
                   CVE-2021-2260 CVE-2021-2259 CVE-2021-2258 CVE-2021-2255
                   CVE-2021-2254 CVE-2021-2252 CVE-2021-2251 CVE-2021-2249
                   CVE-2021-2247 CVE-2021-2246 CVE-2021-2241 CVE-2021-2239
                   CVE-2021-2238 CVE-2021-2237 CVE-2021-2236 CVE-2021-2235
                   CVE-2021-2233 CVE-2021-2231 CVE-2021-2229 CVE-2021-2228
                   CVE-2021-2227 CVE-2021-2225 CVE-2021-2224 CVE-2021-2223
                   CVE-2021-2222 CVE-2021-2210 CVE-2021-2209 CVE-2021-2206
                   CVE-2021-2205 CVE-2021-2200 CVE-2021-2199 CVE-2021-2198
                   CVE-2021-2197 CVE-2021-2195 CVE-2021-2190 CVE-2021-2189
                   CVE-2021-2188 CVE-2021-2187 CVE-2021-2186 CVE-2021-2185
                   CVE-2021-2184 CVE-2021-2183 CVE-2021-2182 CVE-2021-2181
                   CVE-2021-2156 CVE-2021-2155 CVE-2021-2153 CVE-2021-2150
                   CVE-2020-1967 CVE-2017-14735
Reference:         ASB-2021.0027
                   ASB-2019.0027
                   ESB-2021.1183
                   ESB-2021.1118
                   ESB-2021.0731
                   ESB-2020.2551
                   ESB-2020.1381

OVERVIEW

        Multiple vulnerabilities have been identified in:

         o Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 70 new security patches plus
        additional third party patches noted below for Oracle E-Business
        Suite. 22 of these vulnerabilities may be remotely exploitable
        without authentication, i.e., may be exploited over a network
        without requiring user credentials." [1]

        CVE-2021-2200   9.1   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications Framework accessible data.

        Affects:
         o Oracle Applications Framework 12.2.10

        CVE-2021-2205   9.1   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.2.7-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Marketing accessible data as well as unauthorized access to critical data or complete access to all Oracle Marketing accessible data.

        Affects:
         o Oracle Marketing 12.2.7-12.2.10

        CVE-2021-2209   8.5   AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Email Center. While the vulnerability is in Oracle Email Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Email Center accessible data.

        Affects:
         o Oracle Email Center 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2182   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2183   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2184   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2185   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2186   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2187   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2188   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2197   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2150   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2199   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2198   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Knowledge Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Knowledge Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Knowledge Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Knowledge Management accessible data.

        Affects:
         o Oracle Knowledge Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2195   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Partner Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Partner Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Partner Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Partner Management accessible data.

        Affects:
         o Oracle Partner Management 12.1.3, 12.2.3-12.2.10

        CVE-2021-2206   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data.

        Affects:
         o Oracle Trade Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2210   8.2   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Trade Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Trade Management accessible data.

        Affects:
         o Oracle Trade Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2247   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Collections. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Collections accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Collections accessible data.

        Affects:
         o Oracle Advanced Collections 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2269   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Pricing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Pricing accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Pricing accessible data.

        Affects:
         o Oracle Advanced Pricing 12.1.3

        CVE-2021-2314   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Application Object Library accessible data as well as unauthorized access to critical data or complete access to all Oracle Application Object Library accessible data.

        Affects:
         o Oracle Application Object Library 12.1.3, 12.2.3-12.2.10

        CVE-2021-2222   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Bill Presentment Architecture. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Bill Presentment Architecture accessible data as well as unauthorized access to critical data or complete access to all Oracle Bill Presentment Architecture accessible data.

        Affects:
         o Oracle Bill Presentment Architecture 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2288   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Bills of Material. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Bills of Material accessible data as well as unauthorized access to critical data or complete access to all Oracle Bills of Material accessible data.

        Affects:
         o Oracle Bills of Material 12.1.1-12.1.3

        CVE-2021-2227   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cash Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Cash Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Cash Management accessible data.

        Affects:
         o Oracle Cash Management 12.1.1-12.1.3

        CVE-2021-2224   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Compensation Workbench. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Compensation Workbench accessible data as well as unauthorized access to critical data or complete access to all Oracle Compensation Workbench accessible data.

        Affects:
         o Oracle Compensation Workbench 12.1.1-12.1.3

        CVE-2021-2295   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Concurrent Processing accessible data as well as unauthorized access to critical data or complete access to all Oracle Concurrent Processing accessible data.

        Affects:
         o Oracle Concurrent Processing 12.1.3, 12.2.3-12.2.10

        CVE-2021-2251   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle CRM Technical Foundation accessible data as well as unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data.

        Affects:
         o Oracle CRM Technical Foundation 12.1.3, 12.2.3-12.2.10

        CVE-2021-2156   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Customers Online. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customers Online accessible data as well as unauthorized access to critical data or complete access to all Oracle Customers Online accessible data.

        Affects:
         o Oracle Customers Online 12.1.3, 12.2.3-12.2.10

        CVE-2021-2229   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Depot Repair. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Depot Repair accessible data as well as unauthorized access to critical data or complete access to all Oracle Depot Repair accessible data.

        Affects:
         o Oracle Depot Repair 12.1.1-12.1.3

        CVE-2021-2292   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Document Management and Collaboration. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Document Management and Collaboration accessible data as well as unauthorized access to critical data or complete access to all Oracle Document Management and Collaboration accessible data.

        Affects:
         o Oracle Document Management and Collaboration 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2225   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle E-Business Intelligence. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle E-Business Intelligence accessible data as well as unauthorized access to critical data or complete access to all Oracle E-Business Intelligence accessible data.

        Affects:
         o Oracle E-Business Intelligence 12.1.1-12.1.3

        CVE-2021-2274   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle E-Business Tax. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle E-Business Tax accessible data as well as unauthorized access to critical data or complete access to all Oracle E-Business Tax accessible data.

        Affects:
         o Oracle E-Business Tax 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2290   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Engineering. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Engineering accessible data as well as unauthorized access to critical data or complete access to all Oracle Engineering accessible data.

        Affects:
         o Oracle Engineering 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2233   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data.

        Affects:
         o Oracle Enterprise Asset Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2236   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financials Common Modules accessible data as well as unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data.

        Affects:
         o Oracle Financials Common Modules 12.1.1-12.1.3

        CVE-2021-2237   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle General Ledger. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle General Ledger accessible data as well as unauthorized access to critical data or complete access to all Oracle General Ledger accessible data.

        Affects:
         o Oracle General Ledger 12.1.1-12.1.3

        CVE-2021-2316   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HRMS (France). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HRMS (France) accessible data as well as unauthorized access to critical data or complete access to all Oracle HRMS (France) accessible data.

        Affects:
         o Oracle HRMS (France) 12.1.1-12.1.3

        CVE-2021-2260   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data.

        Affects:
         o Oracle Human Resources 12.1.3

        CVE-2021-2228   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Incentive Compensation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Incentive Compensation accessible data as well as unauthorized access to critical data or complete access to all Oracle Incentive Compensation accessible data.

        Affects:
         o Oracle Incentive Compensation 12.1.3, 12.2.3-12.2.10

        CVE-2021-2231   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Installed Base accessible data as well as unauthorized access to critical data or complete access to all Oracle Installed Base accessible data.

        Affects:
         o Oracle Installed Base 12.1.3

        CVE-2021-2276   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle iSetup accessible data as well as unauthorized access to critical data or complete access to all Oracle iSetup accessible data.

        Affects:
         o Oracle iSetup 12.1.3, 12.2.3-12.2.10

        CVE-2021-2241   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iStore. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle iStore accessible data as well as unauthorized access to critical data or complete access to all Oracle iStore accessible data.

        Affects:
         o Oracle iStore 12.1.1-12.1.3

        CVE-2021-2267   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Labor Distribution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Labor Distribution accessible data as well as unauthorized access to critical data or complete access to all Oracle Labor Distribution accessible data.

        Affects:
         o Oracle Labor Distribution 12.1.1-12.1.3

        CVE-2021-2249   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Landed Cost Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Landed Cost Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Landed Cost Management accessible data.

        Affects:
         o Oracle Landed Cost Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2261   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lease and Finance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Lease and Finance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data.

        Affects:
         o Oracle Lease and Finance Management 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2273   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Legal Entity Configurator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Legal Entity Configurator accessible data as well as unauthorized access to critical data or complete access to all Oracle Legal Entity Configurator accessible data.

        Affects:
         o Oracle Legal Entity Configurator 12.1.1-12.1.3

        CVE-2021-2252   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Loans. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Loans accessible data as well as unauthorized access to critical data or complete access to all Oracle Loans accessible data.

        Affects:
         o Oracle Loans 12.1.1-12.1.3

        CVE-2021-2238   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data.

        Affects:
         o Oracle MES for Process Manufacturing 12.1.3

        CVE-2021-2259   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payables. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payables accessible data as well as unauthorized access to critical data or complete access to all Oracle Payables accessible data.

        Affects:
         o Oracle Payables 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2289   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Product Hub. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Product Hub accessible data as well as unauthorized access to critical data or complete access to all Oracle Product Hub accessible data.

        Affects:
         o Oracle Product Hub 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2254   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Contracts. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Project Contracts accessible data as well as unauthorized access to critical data or complete access to all Oracle Project Contracts accessible data.

        Affects:
         o Oracle Project Contracts 12.1.1-12.1.3

        CVE-2021-2258   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Projects. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Projects accessible data as well as unauthorized access to critical data or complete access to all Oracle Projects accessible data.

        Affects:
         o Oracle Projects 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2262   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Purchasing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Purchasing accessible data as well as unauthorized access to critical data or complete access to all Oracle Purchasing accessible data.

        Affects:
         o Oracle Purchasing 12.1.3

        CVE-2021-2268   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quoting. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Quoting accessible data as well as unauthorized access to critical data or complete access to all Oracle Quoting accessible data.

        Affects:
         o Oracle Quoting 12.1.1-12.1.3

        CVE-2021-2223   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Receivables accessible data as well as unauthorized access to critical data or complete access to all Oracle Receivables accessible data.

        Affects:
         o Oracle Receivables 12.1.1-12.1.3

        CVE-2021-2255   8.1   AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

        Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Service Contracts. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Service Contracts accessible data as well as unauthorized access to critical data or complete access to all Oracle Service Contracts accessible data.
Affects: o Oracle Service Contracts 12.1.1-12.1.3 CVE-2021-2270 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Site Hub. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Site Hub accessible data as well as unauthorized access to critical data or complete access to all Oracle Site Hub accessible data. Affects: o Oracle Site Hub 12.1.1-12.1.3 CVE-2021-2263 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Sourcing accessible data as well as unauthorized access to critical data or complete access to all Oracle Sourcing accessible data. Affects: o Oracle Sourcing 12.1.1-12.1.3 CVE-2021-2272 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Subledger Accounting accessible data as well as unauthorized access to critical data or complete access to all Oracle Subledger Accounting accessible data. Affects: o Oracle Subledger Accounting 12.1.1-12.1.3 CVE-2021-2239 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. 
Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Time and Labor. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Time and Labor accessible data as well as unauthorized access to critical data or complete access to all Oracle Time and Labor accessible data. Affects: o Oracle Time and Labor 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2235 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Execution. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Transportation Execution accessible data as well as unauthorized access to critical data or complete access to all Oracle Transportation Execution accessible data. Affects: o Oracle Transportation Execution 12.1.1-12.1.3 CVE-2021-2246 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Universal Work Queue accessible data as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data. Affects: o Oracle Universal Work Queue 12.1.1-12.1.3 CVE-2021-2271 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.3 and 12.2.3-12.2.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Work in Process. 
Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Work in Process accessible data as well as unauthorized access to critical data or complete access to all Oracle Work in Process accessible data. Affects: o Oracle Work in Process 12.1.3, 12.2.3-12.2.8 CVE-2021-2181 7.6 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Document Management and Collaboration. While the vulnerability is in Oracle Document Management and Collaboration, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Document Management and Collaboration accessible data as well as unauthorized update, insert or delete access to some of Oracle Document Management and Collaboration accessible data. Affects: o Oracle Document Management and Collaboration 12.1.3, 12.2.3-12.2.10 CVE-2020-1967 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Application Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Application Server. Affects: o Application Server 12.1.3 CVE-2021-2189 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Sales Offline. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Sales Offline. 
Affects: o Oracle Sales Offline 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2190 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Sales Offline. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Sales Offline. Affects: o Oracle Sales Offline 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2275 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications Manager accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data. Affects: o Oracle Applications Manager 12.1.3, 12.2.3-12.2.10 CVE-2017-14735 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite Technology Stack. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle E-Business Suite Technology Stack, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle E-Business Suite Technology Stack accessible data as well as unauthorized read access to a subset of Oracle E-Business Suite Technology Stack accessible data. 
Affects: o Oracle E-Business Suite Technology Stack 12.1.3, 12.2.3-12.2.10 CVE-2021-2153 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Supported versions that are affected are 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Expenses. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Internet Expenses accessible data. Affects: o Oracle Internet Expenses 12.2.3-12.2.10 CVE-2021-2155 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data. Affects: o Oracle One-to-One Fulfillment 12.1.1-12.1.3, 12.2.3-12.2.10 MITIGATION Oracle states: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." 
[1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2021
    https://www.oracle.com/security-alerts/cpuapr2021.html

[2] Text Form of Oracle Critical Patch Update - April 2021 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2021verbose.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================