A vulnerability has been found in Oracle E-Business Suite 12.1.3/12.2.3/12.2.4/12.2.5 (Supply Chain Management Software) and classified as critical. Affected by this vulnerability is an unknown functionality of the component Applications Framework. As an impact it is known to affect confidentiality, and integrity. The summary by CVE is:

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to OAF Core.

The weakness was published 04/19/2016 as Oracle Critical Patch Update Advisory - April 2016 as confirmed advisory (Website). It is possible to read the advisory at oracle.com. This vulnerability is known as CVE-2016-3447 since 03/17/2016. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 90601 (Oracle E-Business Multiple Vulnerabilities (April 2016 CPU)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Misc. and running in the context l.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (90601). Similar entries are available at 12776, 78153, 82623 and 82630.

Productinfo

Type

• Supply Chain Management Software

Vendor

• Oracle

Name

• E-Business Suite

Version

• 12.1.3
• 12.2.3
• 12.2.4
• 12.2.5

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion