Information disclosure in Oracle Web applications

#VU193 Information disclosure in Oracle Web applications

Published: 2016-07-21 | Updated: 2020-01-24

Vulnerability identifier: #VU193

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-0635

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Primavera P6 Enterprise Project Portfolio Management
Server applications / Other server solutions
Oracle Enterprise Manager Ops Center
Server applications / Remote management servers, RDP, SSH
Oracle Health Sciences Information Manager
/
Oracle Healthcare Master Person Index
Other software / Other software solutions
Oracle Insurance Rules Palette
Other software / Other software solutions
Oracle Retail Order Broker
Other software / Other software solutions
Primavera Contract Management PCM web services
Other software / Other software solutions
Oracle Financial Services Analytical Applications Infrastructure
Other software / Other software solutions
Oracle Documaker
Client/Desktop applications / Office applications
Oracle Insurance Calculation Engine
Client/Desktop applications / Office applications
Oracle Insurance Policy Administration
Web applications / Other software
Oracle Retail Integration Bus
Client/Desktop applications / Messaging software
Oracle Agile PLM Framework
Universal components / Libraries / Software for developers
Oracle Commerce Guided Search
Web applications / E-Commerce systems

Vendor: Oracle

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in Primavera P6 Enterprise Project Portfolio Management Web Access component. A remote authenticated attacker can gain elevated privileges by exploiting a flaw in the Primavera P6 Enterprise Project Portfolio Management Web access component.

Successful exploitation of this vulnerability may result in disclosure of system information

Mitigation
The vendor has issued a fix as part of the July 2016 Oracle Critical Patch Update.

Vulnerable software versions

Primavera P6 Enterprise Project Portfolio Management: 8.2.0.0 - 16.1.0.0

Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2

Oracle Health Sciences Information Manager: 1.2.8.3 - 3.0.1.0

Oracle Healthcare Master Person Index: 2.0.12 - 4.0.1

Oracle Documaker: 12.3 - 12.4

Oracle Insurance Calculation Engine: 9.7.1 - 10.2.2

Oracle Insurance Policy Administration: 9.6.1 - 10.2.2

Oracle Insurance Rules Palette: 9.6.1 - 10.2.2

Oracle Retail Integration Bus: 15.0

Oracle Retail Order Broker: 5.1 - 15.0

Primavera Contract Management PCM web services: 14.2

Oracle Agile PLM Framework: 9.3.4 - 9.3.5

Oracle Commerce Guided Search: 3.1.1 - 11.2

Oracle Financial Services Analytical Applications Infrastructure: 8.0.0 - 8.0.3

External links
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Sun Systems Products Suite