Category:   Application (Generic)  >   Oracle E-Business Suite
Vendors:   Oracle
Oracle E-Business Suite Multiple Bugs Let Remote Users Partially Access and Modify Data and Partially Deny Service
SecurityTracker Alert ID:  1034726
SecurityTracker URL:  http://securitytracker.com/id/1034726
CVE Reference:   CVE-2015-4926, CVE-2016-0454, CVE-2016-0456, CVE-2016-0457, CVE-2016-0459, CVE-2016-0507, CVE-2016-0509, CVE-2016-0510, CVE-2016-0511, CVE-2016-0512, CVE-2016-0513, CVE-2016-0514, CVE-2016-0515, CVE-2016-0516, CVE-2016-0517, CVE-2016-0518, CVE-2016-0519, CVE-2016-0520, CVE-2016-0521, CVE-2016-0523, CVE-2016-0524, CVE-2016-0525, CVE-2016-0526, CVE-2016-0527, CVE-2016-0528, CVE-2016-0529, CVE-2016-0530, CVE-2016-0531, CVE-2016-0532, CVE-2016-0533, CVE-2016-0534, CVE-2016-0536, CVE-2016-0537, CVE-2016-0538, CVE-2016-0539, CVE-2016-0542, CVE-2016-0543, CVE-2016-0544, CVE-2016-0545, CVE-2016-0547, CVE-2016-0548, CVE-2016-0549, CVE-2016-0550, CVE-2016-0551, CVE-2016-0552, CVE-2016-0553, CVE-2016-0554, CVE-2016-0555, CVE-2016-0556, CVE-2016-0557, CVE-2016-0558, CVE-2016-0559, CVE-2016-0560, CVE-2016-0561, CVE-2016-0562, CVE-2016-0563, CVE-2016-0564, CVE-2016-0565, CVE-2016-0566, CVE-2016-0567, CVE-2016-0568, CVE-2016-0569, CVE-2016-0570, CVE-2016-0571, CVE-2016-0575, CVE-2016-0576, CVE-2016-0578, CVE-2016-0579, CVE-2016-0580, CVE-2016-0581, CVE-2016-0582, CVE-2016-0583, CVE-2016-0584, CVE-2016-0585, CVE-2016-0586, CVE-2016-0588, CVE-2016-0589
Date:  Jan 20 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
Description:   Multiple vulnerabilities were reported in Oracle E-Business Suite. A remote user can partially access and modify data on the target system. A remote user can cause partial denial of service conditions on the target system. A local user can partially access data on the target system.

A remote user can exploit a flaw in the Oracle Application Object Library ICX LOVs component to partially access and partially modify data [CVE-2016-0576].

A remote user can exploit a flaw in the Oracle Application Object Library Menu component to partially access and partially modify data [CVE-2016-0589].

A remote user can exploit a flaw in the Oracle Approvals Management AME Page rendering component to partially access and partially modify data [CVE-2016-0581].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation BIS Common Components component to partially access and partially modify data [CVE-2016-0514, CVE-2016-0515].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation CRM HTML Administration component to partially access and partially modify data [CVE-2016-0550].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation Common Techstack component to partially access and partially modify data [CVE-2016-0563].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation Security Assignments component to partially access and partially modify data [CVE-2016-0532].

A remote user can exploit a flaw in the Oracle CRM Technology Foundation BIS Common Components component to partially access and partially modify data [CVE-2016-0578].

A remote user can exploit a flaw in the Oracle Customer Intelligence Data Issues component to partially access and partially modify data [CVE-2016-0545, CVE-2016-0551, CVE-2016-0552, CVE-2016-0559, CVE-2016-0560].

A remote user can exploit a flaw in the Oracle Customer Interaction History User GUI component to partially access and partially modify data [CVE-2016-0527, CVE-2016-0528, CVE-2016-0529, CVE-2016-0530].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Business Views Catalog component to partially access and partially modify data [CVE-2016-0510].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Common Components component to partially access and partially modify data [CVE-2016-0511, CVE-2016-0547, CVE-2016-0548, CVE-2016-0549].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Definition component to partially access and partially modify data [CVE-2016-0553].

A remote user can exploit a flaw in the Oracle Human Resources General utilities component to partially access and partially modify data [CVE-2016-0517, CVE-2016-0518].

A remote user can exploit a flaw in the Oracle Human Resources Person component to partially access and partially modify data [CVE-2016-0537].

A remote user can exploit a flaw in the Oracle Human Resources Self Service - Common Modules component to partially access and partially modify data [CVE-2016-0512].

A remote user can exploit a flaw in the Oracle Interaction Center Intelligence Business Intelligence component to partially access and partially modify data [CVE-2016-0554].

A remote user can exploit a flaw in the Oracle Marketing Architecture component to partially access and partially modify data [CVE-2016-0544].

A remote user can exploit a flaw in the Oracle Marketing Preview component to partially access and partially modify data [CVE-2016-0543].

A remote user can exploit a flaw in the Oracle Quality QA / Order Management Integration component to partially access and partially modify data [CVE-2016-0516].

A remote user can exploit a flaw in the Oracle Universal Work Queue Work Provider Administration component to partially access and partially modify data [CVE-2016-0524, CVE-2016-0525].

A remote authenticated user can exploit a flaw in the Oracle Advanced Collections Administration component to partially access and partially modify data [CVE-2016-0556, CVE-2016-0557].

A remote authenticated user can exploit a flaw in the Oracle E-Business Intelligence Definition component to partially access and partially modify data [CVE-2016-0561].

A remote authenticated user can exploit a flaw in the Oracle E-Business Intelligence Overview Page/Report Rendering component to partially access and partially modify data [CVE-2016-0564].

A remote authenticated user can exploit a flaw in the Oracle Interaction Blending Blending Administration component to partially access and partially modify data [CVE-2016-0523].

A remote user can exploit a flaw in the Application Mgmt Pack for E-Business Suite REST Framework component to partially access data [CVE-2016-0456, CVE-2016-0457].

A remote user can exploit a flaw in the Oracle Application Object Library ICX Error component to cause partial denial of service conditions [CVE-2016-0585].

A remote user can exploit a flaw in the Oracle Balanced Scorecard Scorecard Security component to partially access data [CVE-2016-0571].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation Wireless Framework component to partially modify data [CVE-2016-0526].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Embedded Data Warehouse component to partially access data [CVE-2016-0567].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Overview Page/Report Rendering component to partially access data [CVE-2016-0569].

A remote user can exploit a flaw in the Oracle Email Center Server Components component to partially access data [CVE-2016-0568].

A remote user can exploit a flaw in the Oracle Financial Consolidation Hub Business Intelligence component to partially access data [CVE-2016-0538].

A remote user can exploit a flaw in the Oracle HCM Configuration Workbench Internal Operations component to partially access data [CVE-2016-0570].

A remote user can exploit a flaw in the Oracle Marketing Deliverables component to partially access data [CVE-2016-0566].

A remote user can exploit a flaw in the Oracle Marketing Marketing Administration component to partially modify data [CVE-2016-0565].

A remote user can exploit a flaw in the Oracle Report Manager Publishing component to cause partial denial of service conditions [CVE-2016-0580].

A remote user can exploit a flaw in the Oracle Report Manager Report Display component to partially access data [CVE-2016-0539].

A remote user can exploit a flaw in the Oracle Application Object Library Java APIs component to partially modify data [CVE-2016-0520].

A remote user can exploit a flaw in the Oracle Application Object Library iHelp component to partially modify data [CVE-2016-0586].

A remote user can exploit a flaw in the Oracle CADView-3D Studio component to partially modify data [CVE-2016-0555].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation BIS Common Components component to partially modify data [CVE-2016-0513].

A remote user can exploit a flaw in the Oracle CRM Technical Foundation Messaging component to partially modify data [CVE-2016-0533].

A remote user can exploit a flaw in the Oracle CRM Technology Foundation BIS Common Components component to partially modify data [CVE-2016-0579, CVE-2016-0582, CVE-2016-0583, CVE-2016-0584].

A remote user can exploit a flaw in the Oracle Field Service Field Service Map component to partially modify data [CVE-2016-0542].

A remote user can exploit a flaw in the Oracle General Ledger Consolidation Hierarchy Viewer component to partially modify data [CVE-2016-0588].

A remote user can exploit a flaw in the Oracle Internet Expenses AP Web Utilities component to partially modify data [CVE-2016-0509].

A remote user can exploit a flaw in the Oracle Learning Management OTA Self Service component to partially modify data [CVE-2016-0575].

A remote user can exploit a flaw in the Oracle Project Contracts Printing component to partially modify data [CVE-2016-0534].

A remote user can exploit a flaw in the Oracle Service Contracts Renewals component to partially modify data [CVE-2016-0558].

A remote user can exploit a flaw in the Oracle Universal Work Queue Error Messages component to partially modify data [CVE-2016-0536].

A remote user can exploit a flaw in the Oracle iProcurement Redirection component to partially modify data [CVE-2016-0521].

A remote user can exploit a flaw in the Oracle iReceivables AR Web Utilities component to partially modify data [CVE-2016-0507, CVE-2016-0519].

A remote authenticated user can exploit a flaw in the Oracle Applications Framework Popup Windows component to partially modify data [CVE-2016-0459].

A remote authenticated user can exploit a flaw in the Oracle Applications Manager Oracle Diagnostics Interfaces component to partially modify data [CVE-2016-0531].

A remote authenticated user can exploit a flaw in the Oracle Common Applications CRM User Management Framework component to partially modify data [CVE-2016-0562].

A remote user can exploit a flaw in the Oracle Applications Framework UIX component to partially modify data [CVE-2015-4926].

A local user can exploit a flaw in the Oracle Mobile Application Servlet MWA Server Manager component to partially access data [CVE-2016-0454].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Raytheon Foreground Security; Alexey Tyurin of ERPScan; Andrea Micalizzi aka rgod (via HP's Zero Day Initiative); Anonymous (via HP's Zero Day Initiative); Brandon Vincent; Cybersecurity-upv; David Litchfield of Google;
Dmitry Janushkevich of Secunia Research; Fernando Russ of Onapsis; FortiGuard Labs of Fortinet, Inc.; Francois Goichon of Context Information Security; Igor Kopylenko of McAfee Database Security Research Team; Ivan Chalykin of ERPScan;
Jakub Palaczynski from ING Services Polska; Karthikeyan Bhargavan, Gaetan Leurent of INRIA; Lovi Yu of Salesforce.com; Luca Carettoni; Matias Mevied of Onapsis; Mike Arnold (Bruk0ut) (via HP's Zero Day Initiative); Nassim Bouali; Nicholas Lemonias of Advanced Information Security Corporation; Nikita Kelesis of ERPScan;
Peter Kostiuk of Salesforce.com; Ryan Giobbi of American Eagle Outfitters; Sergey Gorbaty of Salesforce.com; Shai Meir of McAfee Security Research; Spyridon Chatzimichail of COSMOTE - Mobile Telecommunications S.A.; Stefan Kanthak; Stephen Kost of Integrigy; Travis Emmert of Salesforce.com; and Will Dormann of CERT/CC.

Impact:   A remote user can partially access data on the target system.

A remote user can partially modify data on the target system.

A remote user can cause partial denial of service conditions.

A local user can partially access data on the target system.

Solution:   The vendor has issued a fix as part of the January 2016 Oracle Critical Patch Update.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Vendor URL:  www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.



Copyright 2018, SecurityGlobal.net LLC