-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2021.0154
          Oracle E-Business Suite Critical Patch Update
                            21 July 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle E-Business Suite
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files   -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated
                   Read-only Data Access    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-2436 CVE-2021-2434 CVE-2021-2415 CVE-2021-2406
                   CVE-2021-2405 CVE-2021-2398 CVE-2021-2393 CVE-2021-2380
                   CVE-2021-2365 CVE-2021-2364 CVE-2021-2363 CVE-2021-2362
                   CVE-2021-2361 CVE-2021-2360 CVE-2021-2359 CVE-2021-2355
                   CVE-2021-2343
Reference:         ASB-2021.0047
                   ESB-2021.1308
                   ESB-2021.1060

OVERVIEW

        Multiple vulnerabilities have been identified in:

         o Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 17 new security patches for
        Oracle E-Business Suite. 3 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]

        CVE-2021-2355  9.1  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Marketing accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Marketing
        accessible data.
        Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2436  8.2  AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Common Applications. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Common Applications, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Common Applications accessible data as
        well as unauthorized update, insert or delete access to some of
        Oracle Common Applications accessible data.
        Affects:
         o Oracle Common Applications 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2359  8.2  AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Marketing, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Marketing accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
        Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2361  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle Advanced
        Inbound Telephony. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Advanced Inbound Telephony accessible data as well
        as unauthorized access to critical data or complete access to all
        Oracle Advanced Inbound Telephony accessible data.
        Affects:
         o Oracle Advanced Inbound Telephony 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2398  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle Advanced
        Outbound Telephony. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all Oracle Advanced Outbound Telephony accessible
        data as well as unauthorized access to critical data or complete
        access to all Oracle Advanced Outbound Telephony accessible data.
        Affects:
         o Oracle Advanced Outbound Telephony 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2360  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Approvals Management. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle
        Approvals Management accessible data as well as unauthorized access
        to critical data or complete access to all Oracle Approvals
        Management accessible data.
        Affects:
         o Oracle Approvals Management 12.1.1-12.1.3

        CVE-2021-2406  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Collaborative Planning.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Collaborative Planning accessible data as well as unauthorized
        access to critical data or complete access to all Oracle
        Collaborative Planning accessible data.
        Affects:
         o Oracle Collaborative Planning 12.1.1-12.1.3

        CVE-2021-2393  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle E-Records.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle E-Records accessible data as well as unauthorized access to
        critical data or complete access to all Oracle E-Records accessible
        data.
        Affects:
         o Oracle E-Records 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2405  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.2.3-12.2.10. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Engineering. Successful attacks
        of this vulnerability can result in unauthorized creation, deletion
        or modification access to critical data or all Oracle Engineering
        accessible data as well as unauthorized access to critical data or
        complete access to all Oracle Engineering accessible data.
        Affects:
         o Oracle Engineering 12.2.3-12.2.10

        CVE-2021-2362  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Field Service. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle Field
        Service accessible data as well as unauthorized access to critical
        data or complete access to all Oracle Field Service accessible data.
        Affects:
         o Oracle Field Service 12.1.1-12.1.3

        CVE-2021-2365  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Human Resources. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle Human
        Resources accessible data as well as unauthorized access to critical
        data or complete access to all Oracle Human Resources accessible
        data.
        Affects:
         o Oracle Human Resources 12.1.1-12.1.3

        CVE-2021-2364  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle iSupplier
        Portal. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle iSupplier Portal accessible data as well as
        unauthorized access to critical data or complete access to all Oracle
        iSupplier Portal accessible data.
        Affects:
         o Oracle iSupplier Portal 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2363  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Public Sector Financials
        (International). Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Public Sector Financials (International)
        accessible data as well as unauthorized access to critical data or
        complete access to all Oracle Public Sector Financials
        (International) accessible data.
        Affects:
         o Oracle Public Sector Financials (International) 12.1.1-12.1.3

        CVE-2021-2415  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle Time and
        Labor. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle Time and Labor accessible data as well as
        unauthorized access to critical data or complete access to all Oracle
        Time and Labor accessible data.
        Affects:
         o Oracle Time and Labor 12.1.1-12.1.3, 12.2.3-12.2.10

        CVE-2021-2434  8.1  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Web Applications Desktop
        Integrator. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle Web Applications Desktop Integrator accessible
        data as well as unauthorized access to critical data or complete
        access to all Oracle Web Applications Desktop Integrator accessible
        data.
        Affects:
         o Oracle Web Applications Desktop Integrator 12.1.3, 12.2.3-12.2.10

        CVE-2021-2380  7.6  AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Applications Framework.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle Applications
        Framework, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle Applications
        Framework accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Applications Framework accessible
        data.
        Affects:
         o Oracle Applications Framework 12.1.3, 12.2.3-12.2.10

        CVE-2021-2343  4.3  AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Workflow. Successful
        attacks of this vulnerability can result in unauthorized read access
        to a subset of Oracle Workflow accessible data.
        Affects:
         o Oracle Workflow 12.1.3, 12.2.3-12.2.10

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2021
            https://www.oracle.com/security-alerts/cpujul2021.html

        [2] Text Form of Oracle Critical Patch Update - July 2021 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpujul2021verbose.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYPetLONLKJtyKPYoAQiYMg//WKpJX5bbXLtwACcnHRAiKu3u83TtMdrJ
Q0dtJ68grXuQW8y19c8VNDY+FfaT5F2sSZr6zRHqZspFRknjWqzAk9WD/ONrwnpv
QMIvUEbfUtzCcUpE3XNpp0RgATGKwEEXvB04C95Nvul8J7N2pqa40GmPXIVDjFc3
vAKNke4XnXwXqXgG0uTlKF8j/5S7G1faLCmhZswb0+ybbNUYLdIpsj6+lFmucKhT
R9BRUJG0Tup4euAgr4Yki7fPAbxDuTc1+PU4Nkj1/tZGPCvJOfOQRtbdYj5x7+WH
nJS7a+U1YV+BYc/yAPFiBYWKTp44MT/vF3CvUMDd4GIc60dgf9B4UFXH7bm++oGg
WQPfSrnZYR+D0GJOsr2ATprTDWcUgOjppyCi46OfZ5skp8Lx4EmAPn/AxvTcfkBa
duiKbhBoDVea0JnLqhWQC1YzD3Deh67me1iUVHhoCrpMB/6jVa7GRQX5/2w26UJf
owriS78BVxFIfN5rXTCAAUK+31X1kAL/eTOPAAD/GMo1tUPb3JyB0iHgsjMEayal
LLWnioVjMrbCC6qZsKFXDNZHBnWePZA7EiCd+HqEWO3sOwRYi1/Ugsgnm45tXOrJ
9k2VoMqZOx5gq+1qzLeEKBispOewUAdaAmb1oZclcByB2J1b6aigsZ0bsUSvA5P9
QtpjMQHuRHg=
=orhI
-----END PGP SIGNATURE-----