-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0154
               Oracle E-Business Suite Critical Patch Update
                               21 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Oracle E-Business Suite
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Modify Arbitrary Files   -- Remote with User Interaction
                  Access Confidential Data -- Remote/Unauthenticated      
                  Read-only Data Access    -- Existing Account            
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-2436 CVE-2021-2434 CVE-2021-2415
                  CVE-2021-2406 CVE-2021-2405 CVE-2021-2398
                  CVE-2021-2393 CVE-2021-2380 CVE-2021-2365
                  CVE-2021-2364 CVE-2021-2363 CVE-2021-2362
                  CVE-2021-2361 CVE-2021-2360 CVE-2021-2359
                  CVE-2021-2355 CVE-2021-2343 
Reference:        ASB-2021.0047
                  ESB-2021.1308
                  ESB-2021.1060

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 17 new security patches for
        Oracle E-Business Suite. 3 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]
        
        CVE-2021-2355
          9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Marketing accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Marketing
        accessible data.
         Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2436
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Common Applications. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Common Applications, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Common Applications accessible data as
        well as unauthorized update, insert or delete access to some of
        Oracle Common Applications accessible data.
         Affects:
         o Oracle Common Applications 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2359
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Marketing, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Marketing accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
         Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2361
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        Advanced Inbound Telephony. Successful attacks of this vulnerability
        can result in unauthorized creation, deletion or modification access
        to critical data or all Oracle Advanced Inbound Telephony accessible
        data as well as unauthorized access to critical data or complete
        access to all Oracle Advanced Inbound Telephony accessible data.
         Affects:
         o Oracle Advanced Inbound Telephony 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2398
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        Advanced Outbound Telephony. Successful attacks of this vulnerability
        can result in unauthorized creation, deletion or modification access
        to critical data or all Oracle Advanced Outbound Telephony accessible
        data as well as unauthorized access to critical data or complete
        access to all Oracle Advanced Outbound Telephony accessible data.
         Affects:
         o Oracle Advanced Outbound Telephony 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2360
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Approvals Management. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle
        Approvals Management accessible data as well as unauthorized access
        to critical data or complete access to all Oracle Approvals
        Management accessible data.
         Affects:
         o Oracle Approvals Management 12.1.1-12.1.3
        
        CVE-2021-2406
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Collaborative Planning.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Collaborative Planning accessible data as well as unauthorized
        access to critical data or complete access to all Oracle
        Collaborative Planning accessible data.
         Affects:
         o Oracle Collaborative Planning 12.1.1-12.1.3
        
        CVE-2021-2393
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        E-Records. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle E-Records accessible data as well as unauthorized
        access to critical data or complete access to all Oracle E-Records
        accessible data.
         Affects:
         o Oracle E-Records 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2405
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.2.3-12.2.10. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Engineering. Successful attacks
        of this vulnerability can result in unauthorized creation, deletion
        or modification access to critical data or all Oracle Engineering
        accessible data as well as unauthorized access to critical data or
        complete access to all Oracle Engineering accessible data.
         Affects:
         o Oracle Engineering 12.2.3-12.2.10
        
        CVE-2021-2362
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Field Service. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle Field
        Service accessible data as well as unauthorized access to critical
        data or complete access to all Oracle Field Service accessible data.
         Affects:
         o Oracle Field Service 12.1.1-12.1.3
        
        CVE-2021-2365
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Human Resources. Successful
        attacks of this vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all Oracle Human
        Resources accessible data as well as unauthorized access to critical
        data or complete access to all Oracle Human Resources accessible
        data.
         Affects:
         o Oracle Human Resources 12.1.1-12.1.3
        
        CVE-2021-2364
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        iSupplier Portal. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle iSupplier Portal accessible data as well as
        unauthorized access to critical data or complete access to all Oracle
        iSupplier Portal accessible data.
         Affects:
         o Oracle iSupplier Portal 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2363
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Public Sector Financials
        (International). Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Public Sector Financials (International)
        accessible data as well as unauthorized access to critical data or
        complete access to all Oracle Public Sector Financials
        (International) accessible data.
         Affects:
         o Oracle Public Sector Financials (International) 12.1.1-12.1.3
        
        CVE-2021-2415
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        Time and Labor. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to critical
        data or all Oracle Time and Labor accessible data as well as
        unauthorized access to critical data or complete access to all Oracle
        Time and Labor accessible data.
         Affects:
         o Oracle Time and Labor 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2434
          8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Web Applications Desktop
        Integrator. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle Web Applications Desktop Integrator accessible
        data as well as unauthorized access to critical data or complete
        access to all Oracle Web Applications Desktop Integrator accessible
        data.
         Affects:
         o Oracle Web Applications Desktop Integrator 12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2380
          7.6 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Applications Framework.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle Applications
        Framework, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle Applications
        Framework accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Applications Framework accessible
        data.
         Affects:
         o Oracle Applications Framework 12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2343
          4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Workflow. Successful
        attacks of this vulnerability can result in unauthorized read access
        to a subset of Oracle Workflow accessible data.
         Affects:
         o Oracle Workflow 12.1.3, 12.2.3-12.2.10


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2021
            https://www.oracle.com/security-alerts/cpujul2021.html

        [2] Text Form of Oracle Critical Patch Update - July 2021 Risk Matrices
            https://www.oracle.com/security-alerts/cpujul2021verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----