SB2018041913 - Multiple vulnerabilities in Oracle E-Business Suite

Description

This security bulletin contains information about 12 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2018-2804)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Application Object Library accessible data and gain unauthorized access to critical data or complete access to all Oracle Application Object Library accessible data.

2) Security restrictions bypass (CVE-ID: CVE-2018-2864)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Application Object Library accessible data.

3) Security restrictions bypass (CVE-ID: CVE-2018-2865)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

4) Security restrictions bypass (CVE-ID: CVE-2018-2866)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

5) Security restrictions bypass (CVE-ID: CVE-2018-2867)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Application Object Library accessible data. 

6) Security restrictions bypass (CVE-ID: CVE-2018-2868)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Human Resources accessible data. 

7) Security restrictions bypass (CVE-ID: CVE-2018-2869)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle Human Resources accessible data. 

8) Security restrictions bypass (CVE-ID: CVE-2018-2870)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Human Resources accessible data and gain unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. 

9) Security restrictions bypass (CVE-ID: CVE-2018-2871)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Human Resources component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Human Resources accessible data and gain unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. 

10) Security restrictions bypass (CVE-ID: CVE-2018-2872)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

11) Security restrictions bypass (CVE-ID: CVE-2018-2873)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle General Ledger component of Oracle E-Business Suite due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle General Ledger accessible data. 

12) Security restrictions bypass (CVE-ID: CVE-2018-2874)

The vulnerability allows a physical attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component of Oracle E-Business Suite due to improper security restrictions. A physical attacker can trick the victim into opening a specially crafted file and gain unauthorized access to critical data or complete access to all Oracle Application Object Library accessible data.

Remediation

Install update from vendor's website.

References

• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html