The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory.

  - Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite     (component: Download). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Web     Applications Desktop Integrator. Successful attacks require human interaction from a person other than     the attacker and while the vulnerability is in Oracle Web Applications Desktop Integrator, attacks may     significantly impact additional products (scope change). Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Web Applications Desktop     Integrator accessible data as well as unauthorized read access to a subset of Oracle Web Applications     Desktop Integrator accessible data. (CVE-2023-21847)

  - Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils).
    Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Applications DBA. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all Oracle Applications DBA accessible data. (CVE-2023-21849)

  - Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing     Administration). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing.
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification     access to critical data or all Oracle Marketing accessible data. (CVE-2023-21851)

  - Vulnerability in the Oracle Sales Offline product of Oracle E-Business Suite (component: Core Components).
    Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Sales Offline. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all Oracle Sales Offline accessible data. (CVE-2023-21854)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle E-Business Suite (Jan 2023 CPU)

high Nessus Plugin ID 170140

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Apr 20, 2023, 4:15 PM IAVM reference Plugin Feed: 202304201615
Version 1.2 Jan 20, 2023, 12:00 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202301201200
Version 1.1 Jan 19, 2023, 8:09 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:U/RL:OF/RC:C") CVSS metrics ("CVSSv2 vector" changed from "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N" to "CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N") CVSS metrics ("CVSSv2 score" changed from "5.8" to "7.8") Exploit attributes ("Exploitability ease" set to "No known exploits are available") Exploit attributes ("Exploit available" set to "False") CVSSv3 score source (changed from "CVE-2023-21849" to "CVE-2023-21858") CVSSv2 severity (based on CVE-2023-21858, severity increased from "Medium" to "High") CVSSv2 score source (changed from "CVE-2023-21847" to "CVE-2023-21858") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:U/RL:O/RC:C") Plugin Feed: 202301192009
Version 1.0 Jan 18, 2023, 10:23 PM New Plugin Feed: 202301182223