Detections
Analytics

Oracle E-Business Suite Multiple Vulnerabilities (Jan 2021 CPU)

critical Nessus Plugin ID 145220

Language:

Synopsis

The remote host is affected by multiple vulnerabilities

Description

The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory.

 - Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Miscellaneous).
 Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks of this vulnerability can result in takeover of Oracle Scripting. (CVE-2021-2029)

 - Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E-Business Suite (component: Print Server). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. (CVE-2021-2100, CVE-2021-2101)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.

See Also

https://www.oracle.com/a/tech/docs/cpujan2021cvrf.xml

https://www.oracle.com/security-alerts/cpujan2021.html

Plugin Details

Severity: Critical

ID: 145220

File Name: oracle_e-business_cpu_jan_2021.nasl

Version: 1.10

Type: remote

Family: Misc.

Published: 1/20/2021

Updated: 12/7/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-2029

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Ease: No known exploits are available

Patch Publication Date: 1/19/2021

Vulnerability Publication Date: 1/19/2021

Reference Information

CVE: CVE-2021-2015, CVE-2021-2017, CVE-2021-2023, CVE-2021-2026, CVE-2021-2027, CVE-2021-2029, CVE-2021-2034, CVE-2021-2059, CVE-2021-2077, CVE-2021-2082, CVE-2021-2083, CVE-2021-2084, CVE-2021-2085, CVE-2021-2089, CVE-2021-2090, CVE-2021-2091, CVE-2021-2092, CVE-2021-2093, CVE-2021-2094, CVE-2021-2096, CVE-2021-2097, CVE-2021-2098, CVE-2021-2099, CVE-2021-2100, CVE-2021-2101, CVE-2021-2105, CVE-2021-2106, CVE-2021-2107, CVE-2021-2114, CVE-2021-2115, CVE-2021-2118

IAVA: 2021-A-0031-S