Oracle E-Business Multiple Vulnerabilities (October 2015 CPU)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

A web application installed on the remote host is affected by multiple
vulnerabilities.

Description :

The version of Oracle E-Business installed on the remote host is
missing the October 2015 Oracle Critical Patch Update (CPU). It is,
therefore, affected by vulnerabilities in the following components :

- An unspecified flaw exists in the Online Patching
subcomponent in the Applications DBA. An authenticated,
remote attacker can exploit this to gain access to
sensitive information. (CVE-2015-4762)

- Unspecified flaws exist in the DB Listener subcomponent
in the Applications Technology Stack. An authenticated,
remote attacker can exploit these to cause a denial of
service. (CVE-2015-4798, CVE-2015-4839)

- An unspecified flaw exists in the Application Object
Library related to the 'Java APIs - AOL/J' subcomponent.
An unauthenticated, remote attacker can exploit this to
gain access to sensitive information. (CVE-2015-4845)

- An unspecified flaw exists in the SQL Extensions
subcomponent in the Applications Manager. An
authenticated, remote attacker can exploit this to
impact integrity and confidentiality. (CVE-2015-4846)

- An unspecified flaw exists in the Punch-in subcomponent
in the Oracle Payments component. An unauthenticated,
remote attacker can exploit this to impact integrity.
(CVE-2015-4849)

- An unspecified flaw exists in the XML Input subcomponent
in the iSupplier Portal. An unauthenticated, remote
attacker can exploit this to impact integrity.
(CVE-2015-4851)

- An unspecified flaw exists in the Application Object
Library related to the Single Signon subcomponent.
An unauthenticated, remote attacker can exploit this to
impact integrity. (CVE-2015-4854)

- An unspecified flaw exists in the Applications Framework
related to the 'Business Objects - BC4J' subcomponent.
An authenticated, remote attacker can exploit this to
gain access to sensitive information. (CVE-2015-4865)

- An unspecified flaw exists in the Single Signon
subcomponent in the Application Object Library. An
unauthenticated, remote attacker can exploit this to
gain access to sensitive information. (CVE-2015-4884)

- An unspecified flaw exists in the Reports Security
subcomponent in the Report Manager. An unauthenticated,
remote attacker can exploit this to impact integrity
and confidentiality. (CVE-2015-4886)

- An unspecified flaw exists in the Applications Framework
related to the 'Diagnostics, DMZ' subcomponent. An
authenticated, remote attacker can exploit this to
impact integrity. (CVE-2015-4898)

See also :

http://www.nessus.org/u?9d408555

Solution :

Apply the appropriate patch according to the October 2015 Oracle
Critical Patch Update advisory.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
