ID CVE-2015-0393
Summary Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.
References
Vulnerable Configurations
  • Oracle E-Business Suite 12.2.4
    cpe:2.3:a:oracle:e-business_suite:12.2.4
  • Oracle E-Business Suite 12.2.3
    cpe:2.3:a:oracle:e-business_suite:12.2.3
  • Oracle E-Business Suite 12.2.2
    cpe:2.3:a:oracle:e-business_suite:12.2.2
  • Oracle E-Business Suite 12.1.3
    cpe:2.3:a:oracle:e-business_suite:12.1.3
  • Oracle E-Business Suite 12.0.6
    cpe:2.3:a:oracle:e-business_suite:12.0.6
  • Oracle E-Business Suite 11i 11.5.10.2
    cpe:2.3:a:oracle:e-business_suite:11.5.10.2
CVSS
Base: 6.0 (as of 23-06-2016 - 13:52)
Impact:
Exploitability:
Access
Vector NETWORK
Complexity MEDIUM
Authentication SINGLE_INSTANCE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
nessus via4
NASL family Misc.
NASL id ORACLE_E-BUSINESS_CPU_JAN_2015.NASL
description The version of Oracle E-Business installed on the remote host is missing the January 2015 Oracle Critical Patch Update (CPU). It is, therefore, affected by vulnerabilities in the following components:
  - Oracle Application Object Library
  - Oracle Applications DBA
  - Oracle Applications DBA
  - Oracle Applications Framework
  - Oracle Customer Intelligence
  - Oracle Customer Interaction History
  - Oracle HCM Configuration Workbench
  - Oracle Marketing
  - Oracle Telecommunications Billing Integrator
  - Oracle Web Applications Desktop Integrator
last seen 2019-02-21
modified 2018-11-15
plugin id 80952
published 2015-01-23
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=80952
title Oracle E-Business Multiple Vulnerabilities (January 2015 CPU)
refmap via4
bid 72230
confirm http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
misc http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf
sectrack 1031579
xf oracle-cpujan2015-cve20150393(100097)
the hacker news via4
id THN:B5218A4B6680543EFCCADB0F38E960BF
last seen 2018-01-27
modified 2015-01-21
published 2015-01-21
reporter Mohit Kumar
source https://thehackernews.com/2015/01/java-update-patch-vulnerability.html
title Oracle releases 169 Updates, Including 19 Patches for JAVA Vulnerabilities
Last major update 02-01-2017 - 21:59
Published 21-01-2015 - 13:59
Last modified 07-09-2017 - 21:29