Oracle E-Business Multiple Vulnerabilities (July 2016 CPU)

critical Nessus Plugin ID 92461

Synopsis

A web application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle E-Business installed on the remote host is missing the July 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists in the Wireless Framework subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3491)

- An unspecified flaw exists in the Function Security subcomponent within the Customer Interaction History component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3512)

- An unspecified flaw exists in the AOL diagnostic tests subcomponent within the Application Object Library component that allows an authenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3520)

- An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3522)

- An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3523)

- An unspecified flaw exists in the Configuration subcomponent within the Applications Technology Stack component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3524)

- An unspecified flaw exists in the Cookie Management subcomponent within the Applications Manager component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3525)

- An unspecified flaw exists in the Expenses Admin Utilities subcomponent within the Internet Expenses component that allows an unauthenticated, remote attacker to cause a denial of service condition.
(CVE-2016-3528)

- An unspecified flaw exists in the SDK client integration subcomponent within the Advanced Inbound Telephony component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3532)

- An unspecified flaw exists in the Search subcomponent within the Knowledge Management component that allows an unauthenticated, remote attacker to impact integrity.
(CVE-2016-3533)

- An unspecified flaw exists in the Engineering Change Order subcomponent within the Installed Base component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3534)

- An unspecified flaw exists in the Remote Launch subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity.
(CVE-2016-3535)

- An unspecified flaw exists in the Deliverables subcomponent within the Marketing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3536)

- An unspecified flaw exists in the Notes subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3541)

- An unspecified flaw exists in the Search/Browse subcomponent within the Knowledge Management component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3542)

- An unspecified flaw exists in the Tasks subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3543)

- An unspecified flaw exists in the Web based help screens subcomponent within the Application Object Library component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3545)

- An unspecified flaw exists in the Report JSPs subcomponent within the Advanced Collections component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3546)

- An unspecified flaw exists in the Content Manager subcomponent within the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3547)

- An unspecified flaw exists in the Marketing activity collateral subcomponent within the Marketing component that allows an unauthenticated, remote attacker to disclose potentially sensitive information.
(CVE-2016-3548)

- An unspecified flaw exists in the Search Integration Engine subcomponent within the E-Business Suite Secure Enterprise Search component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3549)

- Multiple unspecified flaws exist in the Email Center Agent Console subcomponent within the Email Center component that allow an unauthenticated, remote attacker to impact integrity. (CVE-2016-3558, CVE-2016-3559)

Solution

Apply the appropriate patch according to the July 2016 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?453b5f8c

Plugin Details

Severity: Critical

ID: 92461

File Name: oracle_e-business_cpu_jul_2016.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 7/20/2016

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2016-3546

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:e-business_suite

Required KB Items: Oracle/E-Business/Version, Oracle/E-Business/patches/installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/18/2016

Vulnerability Publication Date: 7/18/2016

Reference Information

CVE: CVE-2016-3491, CVE-2016-3512, CVE-2016-3520, CVE-2016-3522, CVE-2016-3523, CVE-2016-3524, CVE-2016-3525, CVE-2016-3528, CVE-2016-3532, CVE-2016-3533, CVE-2016-3534, CVE-2016-3535, CVE-2016-3536, CVE-2016-3541, CVE-2016-3542, CVE-2016-3543, CVE-2016-3545, CVE-2016-3546, CVE-2016-3547, CVE-2016-3548, CVE-2016-3549, CVE-2016-3558, CVE-2016-3559

BID: 91838, 91839, 91841, 91843, 91845, 91848, 91852, 91857, 91861, 91865, 91870, 91873, 91878, 91882, 91886, 91888, 91893, 91896, 91899, 91903, 91907, 91909, 91911