Oracle EBS - Unauthenticated Remote Code Execution

Summary#

Oracle E-Business Suite (EBS), is an integrated set of business applications for automating customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management (SCM) processes within organizations.

Oracle EBS versions 12.2.3-12.2.11 are affected by a vulnerability in the Oracle Web Applications Desktop Integrator product (component: Upload). The servlet BneAbstractXMLServlet is vulnerable to a zip slip vulnerability that allows an attacker to upload and overwrite arbitrary files.

Impact#

An unauthenticated attacker with network access via HTTP can compromise Oracle Web Applications Desktop Integrator.

Remediation#

It's recommended to upgrade to the latest version of Oracle E-Business Suite (EBS).

Classifications#

PCI v3.2-6.5.1, OWASP 2013-A1, HIPAA-164.306(a), OWASP 2017-A1, CWE-94, WASC-42, CAPEC-210, ISO27001-A14.2.5

Oracle EBS – Unauthenticated Remote Code Execution

Related Articles

Build your resistance to threats. And save hundreds of hours each month.