Multiple vulnerabilities in Oracle E-Business Suite



Published: 2018-04-19
Risk: Low
Patch available: Yes
Number of vulnerabilities: 12
CVE-ID: CVE-2018-2804, CVE-2018-2864, CVE-2018-2865, CVE-2018-2866, CVE-2018-2867, CVE-2018-2868, CVE-2018-2869, CVE-2018-2870, CVE-2018-2871, CVE-2018-2872, CVE-2018-2873, CVE-2018-2874
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Oracle Application Object Library (Universal components / Libraries / Libraries used by multiple products)
Oracle General Ledger (Web applications / Remote management & hosting panels)
Oracle Human Resources (Web applications / CRM systems)

Vendor: Oracle

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU11934

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2804

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data (or all data accessible to Oracle Application Object Library) and gain unauthorized access to critical data (or complete access to all data accessible to Oracle Application Object Library).

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Application Object Library: 12.1.3 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU11935

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2864

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Application Object Library accessible data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Application Object Library: 12.1.3 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU11936

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2865

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle General Ledger: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security restrictions bypass

EUVDB-ID: #VU11937

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2866

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle General Ledger: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU11938

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2867

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Application Object Library accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Application Object Library: 12.1.3 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU11939

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2868

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Human Resources accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Human Resources: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU11940

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2869

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Human Resources accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Human Resources: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Security restrictions bypass

EUVDB-ID: #VU11941

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2870

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data (or all data accessible to Oracle Human Resources) and gain unauthorized access to critical data (or complete access to all data accessible to Oracle Human Resources).

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Human Resources: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Security restrictions bypass

EUVDB-ID: #VU11942

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2871

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data (or all data accessible to Oracle Human Resources) and gain unauthorized access to critical data (or complete access to all data accessible to Oracle Human Resources).

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Human Resources: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Security restrictions bypass

EUVDB-ID: #VU11943

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2872

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle General Ledger: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Security restrictions bypass

EUVDB-ID: #VU11944

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2873

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle General Ledger: 12.1.1 - 12.2.7

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Security restrictions bypass

EUVDB-ID: #VU11945

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2874

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a physical attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A physical attacker can trick the victim into opening a specially crafted file and gain unauthorized access to critical data or complete access to all Oracle Application Object Library accessible data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Application Object Library: 12.1.3

External links

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.