Oracle E-Business Multiple Vulnerabilities (October 2015 CPU)

critical Nessus Plugin ID 86479

Synopsis

A web application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle E-Business installed on the remote host is missing the October 2015 Oracle Critical Patch Update (CPU). It is, therefore, affected by vulnerabilities in the following components:

- An unspecified flaw exists in the Online Patching subcomponent in the Applications DBA. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4762)

- Unspecified flaws exist in the DB Listener subcomponent in the Applications Technology Stack. An authenticated, remote attacker can exploit these to cause a denial of service. (CVE-2015-4798, CVE-2015-4839)

- An unspecified flaw exists in the Application Object Library related to the 'Java APIs - AOL/J' subcomponent. An unauthenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4845)

- An unspecified flaw exists in the SQL Extensions subcomponent in the Applications Manager. An authenticated, remote attacker can exploit this to impact integrity and confidentiality. (CVE-2015-4846)

- An unspecified flaw exists in the Punch-in subcomponent in the Oracle Payments component. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4849)

- An unspecified flaw exists in the XML Input subcomponent in the iSupplier Portal. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4851)

- An unspecified flaw exists in the Application Object Library related to the Single Signon subcomponent. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4854)

- An unspecified flaw exists in the Applications Framework related to the 'Business Objects - BC4J' subcomponent. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4865)

- An unspecified flaw exists in the Single Signon subcomponent in the Application Object Library. An unauthenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4884)

- An unspecified flaw exists in the Reports Security subcomponent in the Report Manager. An unauthenticated, remote attacker can exploit this to impact integrity and confidentiality. (CVE-2015-4886)

- An unspecified flaw exists in the Applications Framework related to the 'Diagnostics, DMZ' subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4898)

Solution

Apply the appropriate patch according to the October 2015 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?9d408555

Plugin Details

Severity: Critical

ID: 86479

File Name: oracle_e-business_cpu_oct_2015.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 10/21/2015

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-4839

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Ease: No known exploits are available

Patch Publication Date: 10/20/2015

Vulnerability Publication Date: 10/20/2015

Reference Information

CVE: CVE-2015-4762, CVE-2015-4798, CVE-2015-4839, CVE-2015-4845, CVE-2015-4846, CVE-2015-4849, CVE-2015-4851, CVE-2015-4854, CVE-2015-4865, CVE-2015-4884, CVE-2015-4886, CVE-2015-4898

BID: 77243, 77244, 77245, 77247, 77248, 77249, 77250, 77251, 77252, 77253, 77254, 77255