Oracle E-Business Multiple Vulnerabilities (July 2016 CPU)

High Nessus Plugin ID 92461

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6

Synopsis

A web application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle E-Business installed on the remote host is missing the July 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists in the Wireless Framework subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3491)

- An unspecified flaw exists in the Function Security subcomponent within the Customer Interaction History component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3512)

- An unspecified flaw exists in the AOL diagnostic tests subcomponent within the Application Object Library component that allows an authenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3520)

- An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3522)

- An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3523)

- An unspecified flaw exists in the Configuration subcomponent within the Applications Technology Stack component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3524)

- An unspecified flaw exists in the Cookie Management subcomponent within the Applications Manager component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3525)

- An unspecified flaw exists in the Expenses Admin Utilities subcomponent within the Internet Expenses component that allows an unauthenticated, remote attacker to cause a denial of service condition.
(CVE-2016-3528)

- An unspecified flaw exists in the SDK client integration subcomponent within the Advanced Inbound Telephony component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3532)

- An unspecified flaw exists in the Search subcomponent within the Knowledge Management component that allows an unauthenticated, remote attacker to impact integrity.
(CVE-2016-3533)

- An unspecified flaw exists in the Engineering Change Order subcomponent within the Installed Base component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3534)

- An unspecified flaw exists in the Remote Launch subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3535)

- An unspecified flaw exists in the Deliverables subcomponent within the Marketing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3536)

- An unspecified flaw exists in the Notes subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3541)

- An unspecified flaw exists in the Search/Browse subcomponent within the Knowledge Management component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3542)

- An unspecified flaw exists in the Tasks subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3543)

- An unspecified flaw exists in the Web based help screens subcomponent within the Application Object Library component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3545)

- An unspecified flaw exists in the Report JSPs subcomponent within the Advanced Collections component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3546)

- An unspecified flaw exists in the Content Manager subcomponent within the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3547)

- An unspecified flaw exists in the Marketing activity collateral subcomponent within the Marketing component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3548)

- An unspecified flaw exists in the Search Integration Engine subcomponent within the E-Business Suite Secure Enterprise Search component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3549)

- Multiple unspecified flaws exist in the Email Center Agent Console subcomponent within the Email Center component that allow an unauthenticated, remote attacker to impact integrity. (CVE-2016-3558, CVE-2016-3559)

Solution

Apply the appropriate patch according to the July 2016 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?453b5f8c

Plugin Details

Severity: High

ID: 92461

File Name: oracle_e-business_cpu_jul_2016.nasl

Version: 1.7

Type: local

Family: Misc.

Published: 2016/07/20

Updated: 2019/11/19

Dependencies: 70177

Risk Information

Risk Factor: High

VPR Score: 6

CVSS Score Source: CVE-2016-3546

CVSS v2.0

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/07/18

Vulnerability Publication Date: 2016/07/18

Reference Information

CVE: CVE-2016-3491, CVE-2016-3512, CVE-2016-3520, CVE-2016-3522, CVE-2016-3523, CVE-2016-3524, CVE-2016-3525, CVE-2016-3528, CVE-2016-3532, CVE-2016-3533, CVE-2016-3534, CVE-2016-3535, CVE-2016-3536, CVE-2016-3541, CVE-2016-3542, CVE-2016-3543, CVE-2016-3545, CVE-2016-3546, CVE-2016-3547, CVE-2016-3548, CVE-2016-3549, CVE-2016-3558, CVE-2016-3559

BID: 91838, 91839, 91841, 91843, 91845, 91848, 91852, 91857, 91861, 91865, 91870, 91873, 91878, 91882, 91886, 91888, 91893, 91896, 91899, 91903, 91907, 91909, 91911