SecurityTracker.com
Category:   Application (Generic)  >   Oracle E-Business Suite
Vendors:   Oracle
Oracle E-Business Suite Multiple Flaws Let Remote and Local Users Access and Modify Data on the Target System
SecurityTracker Alert ID:  1037639
SecurityTracker URL:  http://securitytracker.com/id/1037639
CVE Reference:   CVE-2016-8325, CVE-2017-3246, CVE-2017-3274, CVE-2017-3275, CVE-2017-3277, CVE-2017-3278, CVE-2017-3279, CVE-2017-3280, CVE-2017-3281, CVE-2017-3282, CVE-2017-3283, CVE-2017-3284, CVE-2017-3285, CVE-2017-3286, CVE-2017-3287, CVE-2017-3303, CVE-2017-3326, CVE-2017-3327, CVE-2017-3328, CVE-2017-3333, CVE-2017-3359, CVE-2017-3361, CVE-2017-3362, CVE-2017-3368, CVE-2017-3369, CVE-2017-3372, CVE-2017-3373, CVE-2017-3415, CVE-2017-3418, CVE-2017-3421, CVE-2017-3440, CVE-2017-3443
Date:  Jan 19 2017
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle E-Business Suite. A remote or local user can access and modify data on the target system.

A remote user can exploit a flaw in the Oracle One-to-One Fulfillment Internal Operations component to access and modify data [CVE-2016-8325].

A remote user can exploit a flaw in the Oracle Advanced Outbound Telephony User Interface component to access and partially modify data [CVE-2017-3373].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation User Interface component to access and partially modify data [CVE-2017-3418].

A remote user can exploit a flaw in the Oracle Common Applications Resources Module component to access and partially modify data [CVE-2017-3327, CVE-2017-3328].

A remote user can exploit a flaw in the Oracle Common Applications Role Summary component to access and partially modify data [CVE-2017-3326].

A remote user can exploit a flaw in the Oracle Common Applications User Interface component to access and partially modify data [CVE-2017-3443].

A remote user can exploit a flaw in the Oracle Customer Intelligence User Interface component to access and partially modify data [CVE-2017-3359].

A remote user can exploit a flaw in the Oracle Customer Interaction History User Interface component to access and partially modify data [CVE-2017-3440].

A remote user can exploit a flaw in the Oracle Email Center User Interface component to access and partially modify data [CVE-2017-3274, CVE-2017-3275].

A remote user can exploit a flaw in the Oracle Fulfillment Manager User Interface component to access and partially modify data [CVE-2017-3284].

A remote user can exploit a flaw in the Oracle Installed Base User Interface component to access and partially modify data [CVE-2017-3361].

A remote user can exploit a flaw in the Oracle Interaction Blending User Interface component to access and partially modify data [CVE-2017-3372].

A remote user can exploit a flaw in the Oracle Knowledge Management User Interface component to access and partially modify data [CVE-2017-3362].

A remote user can exploit a flaw in the Oracle Leads Management User Interface component to access and partially modify data [CVE-2017-3279].

A remote user can exploit a flaw in the Oracle Marketing User Interface component to access and partially modify data [CVE-2017-3333].

A remote user can exploit a flaw in the Oracle One-to-One Fulfillment Request Confirmation component to access and partially modify data [CVE-2017-3278].

A remote user can exploit a flaw in the Oracle One-to-One Fulfillment User Interface component to access and partially modify data [CVE-2017-3421].

A remote user can exploit a flaw in the Oracle Service Fulfillment Manager User Interface component to access and partially modify data [CVE-2017-3285].

A remote user can exploit a flaw in the Oracle Universal Work Queue User Interface component to access and partially modify data [CVE-2017-3415].

A remote user can exploit a flaw in the Oracle XML Gateway Oracle Transport Agent component to access and partially modify data [CVE-2017-3303].

A remote user can exploit a flaw in the Oracle iStore Address Book component to access and partially modify data [CVE-2017-3368].

A remote user can exploit a flaw in the Oracle iStore User Interface component to access and partially modify data [CVE-2017-3287].

A remote user can exploit a flaw in the Oracle iSupport User Interface component to access and partially modify data [CVE-2017-3369].

A local user can exploit a flaw in the Oracle Application Object Library Patching component to access and modify data [CVE-2017-3246].

A local user can exploit a flaw in the Oracle Applications DBA Patching component to access and modify data [CVE-2017-3286].

A remote authenticated user can exploit a flaw in the Oracle Applications Manager OAM Client component to access data [CVE-2017-3277].

A remote user can exploit a flaw in the Oracle Partner Management User Interface component to partially modify data [CVE-2017-3280, CVE-2017-3281, CVE-2017-3282, CVE-2017-3283].

The following researchers reported these and other Oracle product vulnerabilities:

Aleksandar Nikolic of Cisco Talos; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Andrew Fowler of Lithium; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; Blessen Thomas of EY Global Delivery Services; Brian Martin of Tenable Network Security;
Daniel Bleichenbacher of Google; Daniel Fahlgren; David Litchfield formerly of Google; Dawid Golunski of Legal Hackers; Deniz Cevik of Biznet Bilisim A.S.; Dmitry Yudin of ERPScan; Emiliano J. Fausto of Onapsis; Gaston Traberg of Onapsis; Jacob Baines - Tenable Network Security (via Trend Micro's Zero Day Initiative); John Page (hyp3rlinx); Kristian Hermansen at undisclosed; Li Qiang of the Qihoo 360 Gear Team;
ma.la of LINE Corporation; Mala; Maris Elsins of Google; Matias Mevied of Onapsis; Moritz Bechler; Nicholas Lemonias of Advanced Information Security Corporation; Owais Mehtab of IS; Per Lindberg; Red Hat Product Security; Roman Shalymov of ERPScan; Shannon Hickey of Adobe; Tayeeb Rana of IS; Ubais PK of EY Global Delivery Services; Wladislaw Mitzel; Wolfgang Hotwagner; Xiejingwei Fei of FINRA;
XOR19 of Trend Micro's Zero Day Initiative; and Zuozhi Fan formerly of Alibaba.

Impact:   A remote or local user can access and modify data on the target system.
Solution:   The vendor has issued a fix as part of the January 2017 Oracle Critical Patch Update.

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Vendor URL:  www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.


Copyright 2017, SecurityGlobal.net LLC