Oracle E-Business Multiple Vulnerabilities (Jan 2019 CPU)

critical Nessus Plugin ID 121250

Synopsis

A web application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle E-Business installed on the remote host is missing the January 2019 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities as noted in the January 2019 Critical Patch Update advisory :

- Oracle CRM Technical Foundation Messages component is easily exploited by an unauthenticated attacker. A successful attack requires human interaction from a person other than the attacker. Successful attacks can result in unauthorized update, insert, or delete access. (CVE-2019-2396)

- Oracle iStore User Registration component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert, or delete access. (CVE-2019-2400)

- Oracle Marketing User Interface component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert, or delete access. (CVE-2019-2440)

- Oracle Content Manager Cover Letter component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker to compromise Oracle Content Manager. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data or complete access to all Oracle Content Manager accessible data as well as unauthorized update, insert or delete access. (CVE-2019-2445)

- Oracle Partner Management Partner Detail component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with network access via HTTP to compromise Oracle Partner Management. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data or complete access to all Oracle Partner Management accessible data as well as unauthorized update, insert or delete. (CVE-2019-2447)

- Oracle Performance Management Performance Management Plan component of Oracle E-Business Suite is easily exploited and allows unauthorized creation, deletion or modification access to critical data and complete access to all Oracle Performance Management accessible data. (CVE-2019-2453)

- Oracle Partner Management Partner Detail component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker to gain unauthorized access to critical data as well as unauthorized update, insert or delete access to some of Oracle Partner Management accessible data. (CVE-2019-2470)

- Oracle Mobile Field Service Administration component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker the ability to perform unauthorized update, insert or delete of data. (CVE-2019-2485)
- Oracle CRM Technical Foundation Session Management component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker to obtain unauthorized read access data.
(CVE-2019-2488)

- Oracle One-to-One Fulfillment OCM Query component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform unauthorized creation, deletion or modification access to critical data as well as unauthorized access all data. (CVE-2019-2489)

- Oracle Email Center Message Display component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle Email Center accessible data. (CVE-2019-2491)

- Oracle Email Center Message Display component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle Email Center accessible data. (CVE-2019-2492)

- Oracle CRM Technical Foundation Messages component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. (CVE-2019-2496)

- Oracle CRM Technical Foundation Messages component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. (CVE-2019-2497)

- Oracle Partner Management Partner Dash board component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. (CVE-2019-2498)

- Oracle Applications Manager SQL Extensions component of Oracle E-Business Suite is easily exploited and allows an unauthenticated attacker with the ability to perform an unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. (CVE-2019-2546)

In addition, Oracle E-Business is also affected by multiple additional vulnerabilities. Please consult the CVRF details for the applicable CVEs for additional information.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the January 2019 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?799b2d05

Plugin Details

Severity: Critical

ID: 121250

File Name: oracle_e-business_cpu_jan_2019.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 1/18/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-2489

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Ease: No known exploits are available

Patch Publication Date: 1/16/2019

Vulnerability Publication Date: 1/16/2019

Reference Information

CVE: CVE-2019-2396, CVE-2019-2400, CVE-2019-2440, CVE-2019-2445, CVE-2019-2447, CVE-2019-2453, CVE-2019-2470, CVE-2019-2485, CVE-2019-2488, CVE-2019-2489, CVE-2019-2491, CVE-2019-2492, CVE-2019-2496, CVE-2019-2497, CVE-2019-2498, CVE-2019-2546

BID: 106620, 106624