ID CVE-2016-5583
Summary Unspecified vulnerability in the Oracle One-to-One Fulfillment component in Oracle E-Business Suite 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6 allows remote attackers to affect integrity via unknown vectors.
References
Vulnerable Configurations
  • Oracle One-to-one Fulfillment 12.1.1
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.1.1
  • Oracle One-to-one Fulfillment 12.2.5
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.2.5
  • Oracle One-to-one Fulfillment 12.1.3
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.1.3
  • Oracle One-to-One Fulfillment 12.2.6
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.2.6
  • Oracle One-to-one Fulfillment 12.2.3
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.2.3
  • Oracle One-to-one Fulfillment 12.1.2
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.1.2
  • Oracle One-to-one Fulfillment 12.2.4
    cpe:2.3:a:oracle:one-to-one_fulfillment:12.2.4
CVSS
Base: 5.0 (as of 27-10-2016 - 12:44)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
NASL family Misc.
NASL id ORACLE_E-BUSINESS_CPU_OCT_2016.NASL
description The version of Oracle E-Business installed on the remote host is missing the October 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist in the OpenSSL subcomponent in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the OpenSSL subcomponent in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the OpenSSL subcomponent in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) - An unspecified flaw exists in the Runtime Catalog subcomponent in the iStore component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5489) - An unspecified flaw exists in the AD Utilities subcomponent in the Applications DBA component that allows a local attacker to disclose sensitive information. (CVE-2016-5517) - An unspecified flaw exists in the Workflow Events subcomponent in the Shipping Execution component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5532) - An unspecified flaw exists in the Price Book subcomponent in the Advanced Pricing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5557) - An unspecified flaw exists in the Requisition Management subcomponent in the iProcurement component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5562) - Multiple unspecified flaws exist in the AD Utilities subcomponent in the DBA component that allow an authenticated, remote attacker to impact confidentiality and integrity. (CVE- 2016-5567, CVE-2016-5570, CVE-2016-5571) - An unspecified flaw exists in the Resources Module subcomponent in the Common Applications Calendar component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5575) - An unspecified flaw exists in the Candidate Self Service subcomponent in the iRecruitment component that allows a local attacker to gain elevated privileges. (CVE-2016-5581) - An unspecified flaw exists in the File Upload subcomponent in the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5583) - An unspecified flaw exists in the Select Application Dependencies subcomponent in the Interaction Center Intelligence component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5585) - An unspecified flaw exists in the Dispatch/Service Call Requests subcomponent in the Email Center component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5586) - Multiple unspecified flaws exist in the Outcome-Result subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5587, CVE-2016-5591, CVE-2016-5593) - An unspecified flaw exists in the Responsibility Management subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5589) - Multiple unspecified flaws exist in the Result-Reason subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5592, CVE-2016-5595) - An unspecified flaw exists in the Default Responsibility subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5596)
last seen 2019-02-21
modified 2018-07-17
plugin id 94164
published 2016-10-20
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=94164
title Oracle E-Business Multiple Vulnerabilities (October 2016 CPU)
refmap via4
bid 93770
confirm http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
sectrack 1037038
Last major update 28-11-2016 - 15:27
Published 25-10-2016 - 10:30
Last modified 28-07-2017 - 21:34
Back to Top