Oracle E-Business Suite Multiple Vulnerabilities (Oct 2021 CPU)

high Nessus Plugin ID 154291

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory, including the following:

- An easily exploitable vulnerability in the Oracle Content Manager product's Content Item Manager component that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-2483)

- An easily exploitable vulnerability in the Oracle Applications Manager Diagnostics component that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-35566)

- An easily exploitable vulnerability in a Miscellaneous component of the Oracle Deal Management product that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-35536)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the October 2021 Oracle Critical Patch Update advisory.

See Also

https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml

https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixEBS

Plugin Details

Severity: High

ID: 154291

File Name: oracle_e-business_cpu_oct_2021.nasl

Version: 1.7

Type: remote

Family: Misc.

Published: 10/21/2021

Updated: 11/28/2023

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2021-35570

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-35585

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Ease: No known exploits are available

Patch Publication Date: 10/20/2021

Vulnerability Publication Date: 10/20/2021

Reference Information

CVE: CVE-2021-2474, CVE-2021-2477, CVE-2021-2482, CVE-2021-2483, CVE-2021-2484, CVE-2021-2485, CVE-2021-35536, CVE-2021-35554, CVE-2021-35562, CVE-2021-35563, CVE-2021-35566, CVE-2021-35569, CVE-2021-35570, CVE-2021-35580, CVE-2021-35581, CVE-2021-35582, CVE-2021-35585, CVE-2021-35611

IAVA: 2021-A-0485-S