|
Multiple security vulnerabilities have been corrected in the Oracle Business
Suite 11i and R12 as part of July 2007 Oracle Critical Patch Update (CPU).
All Internet accessible environments should prioritize patch 6045931
(APPS04/05/06) in order to correct multiple vulnerabilities in the On-line
help or temporarily disable the help functionality using the Oracle supplied
"URL Firewall".
APPS01 / CVE-2007-3865
Customer Intelligence (BIC) (R12 only)
SQL Injection
APPS02 / CVE-2007-3866
Configurator (CZ)
Cross Site Scripting
APPS03 / CVE-2007-3866
Internet Expenses (AP)
Cross Site Scripting
APPS04 / CVE-2007-3867
APPS05 / CVE-2007-3867
APPS06 / CVE-2007-3867
On-line Help (FND)
SQL Injection, Cross Site Scripting (multiple), Information Disclosure
APPS07 / CVE-2007-3867
Customer Intelligence (BIC)
SQL Injection
APPS08 / CVE-2007-3867
iPayment (IBY)
Information Disclosure
APPS09 / CVE-2007-3866
Application Object Library (FND)
SQL Injection
APPS10 / CVE-2007-3867
Human Resources (PER)
SQL Injection
See the Oracle Critical Patch Update July 2007 Advisory for exact versions
and CVSS base metric scores.
Fix: Apply the patches as directed in Oracle Metalink Note ID 432882.1.
Credit: These vulnerabilities were discovered by Stephen Kost and Jack
Kanter of Integrigy Corporation
For more details on the impact of the July 2007 CPU on Oracle E-Business
Suite implementations, see Integrigy's analysis of the CPU at -
http://www.integrigy.com/oracle-cpu-july-2007
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
For more information or questions regarding these vulnerabilities or
remediation steps, please contact us at alerts@integrigy.com.