Oracle E-Business Multiple Vulnerabilities (July 2016 CPU)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

A web application installed on the remote host is affected by multiple
vulnerabilities.

Description :

The version of Oracle E-Business installed on the remote host is
missing the July 2016 Oracle Critical Patch Update (CPU). It is,
therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists in the Wireless Framework
subcomponent within the CRM Technical Foundation
component that allows an unauthenticated, remote
attacker to impact confidentiality and integrity.
(CVE-2016-3491)

- An unspecified flaw exists in the Function Security
subcomponent within the Customer Interaction History
component that allows an unauthenticated, remote
attacker to impact confidentiality and integrity.
(CVE-2016-3512)

- An unspecified flaw exists in the AOL diagnostic tests
subcomponent within the Application Object Library
component that allows an authenticated, remote attacker
to disclose potentially sensitive information.
(CVE-2016-3520)

- An unspecified flaw exists in the Application Service
subcomponent within the Web Applications Desktop
Integrator component that allows an unauthenticated,
remote attacker to impact confidentiality and integrity.
(CVE-2016-3522)

- An unspecified flaw exists in the Application Service
subcomponent within the Web Applications Desktop
Integrator component that allows an unauthenticated,
remote attacker to impact integrity. (CVE-2016-3523)

- An unspecified flaw exists in the Configuration
subcomponent within the Applications Technology Stack
component that allows an unauthenticated, remote
attacker to impact confidentiality and integrity.
(CVE-2016-3524)

- An unspecified flaw exists in the Cookie Management
subcomponent within the Applications Manager component
that allows an unauthenticated, remote attacker to
disclose potentially sensitive information.
(CVE-2016-3525)

- An unspecified flaw exists in the Expenses Admin
Utilities subcomponent within the Internet Expenses
component that allows an unauthenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-3528)

- An unspecified flaw exists in the SDK client integration
subcomponent within the Advanced Inbound Telephony
component that allows an unauthenticated, remote
attacker to impact confidentiality and integrity.
(CVE-2016-3532)

- An unspecified flaw exists in the Search subcomponent
within the Knowledge Management component that allows an
unauthenticated, remote attacker to impact integrity.
(CVE-2016-3533)

- An unspecified flaw exists in the Engineering Change
Order subcomponent within the Installed Base component
that allows an unauthenticated, remote attacker to
impact integrity. (CVE-2016-3534)

- An unspecified flaw exists in the Remote Launch
subcomponent within the CRM Technical Foundation
component that allows an unauthenticated, remote
attacker to impact confidentiality and integrity.
(CVE-2016-3535)

- An unspecified flaw exists in the Deliverables
subcomponent within the Marketing component that allows
an unauthenticated, remote attacker to impact
confidentiality and integrity. (CVE-2016-3536)

- An unspecified flaw exists in the Notes subcomponent
within the Common Applications Calendar component that
allows an unauthenticated, remote attacker to impact
confidentiality and integrity. (CVE-2016-3541)

- An unspecified flaw exists in the Search/Browse
subcomponent within the Knowledge Management component
that allows an authenticated, remote attacker to
impact confidentiality and integrity. (CVE-2016-3542)

- An unspecified flaw exists in the Tasks subcomponent
within the Common Applications Calendar component that
allows an unauthenticated, remote attacker to impact
confidentiality and integrity. (CVE-2016-3543)

- An unspecified flaw exists in the Web based help screens
subcomponent within the Application Object Library
component that allows an unauthenticated, remote
attacker to disclose potentially sensitive information.
(CVE-2016-3545)

- An unspecified flaw exists in the Report JSPs
subcomponent within the Advanced Collections component
that allows an unauthenticated, remote attacker to
impact confidentiality and integrity. (CVE-2016-3546)

- An unspecified flaw exists in the Content Manager
subcomponent within the One-to-One Fulfillment component
that allows an unauthenticated, remote attacker to
disclose potentially sensitive information.
(CVE-2016-3547)

- An unspecified flaw exists in the Marketing activity
collateral subcomponent within the Marketing component
that allows an unauthenticated, remote attacker to
disclose potentially sensitive information.
(CVE-2016-3548)

- An unspecified flaw exists in the Search Integration
Engine subcomponent within the E-Business Suite Secure
Enterprise Search component that allows an
unauthenticated, remote attacker to disclose potentially
sensitive information. (CVE-2016-3549)

- Multiple unspecified flaws exist in the Email Center
Agent Console subcomponent within the Email Center
component that allow an unauthenticated, remote
attacker to impact integrity. (CVE-2016-3558,
CVE-2016-3559)

See also :

http://www.nessus.org/u?453b5f8c

Solution :

Apply the appropriate patch according to the July 2016 Oracle
Critical Patch Update advisory.

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 7.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false