ID CVE-2015-4762 Type cve Reporter cve@mitre.org Modified 2016-12-24T02:59:00
Description
Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 12.2.3 and 12.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Online patching.
{"nessus": [{"lastseen": "2019-02-21T01:25:14", "bulletinFamily": "scanner", "description": "The version of Oracle E-Business installed on the remote host is missing the October 2015 Oracle Critical Patch Update (CPU). It is, therefore, affected by vulnerabilities in the following components :\n\n - An unspecified flaw exists in the Online Patching subcomponent in the Applications DBA. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4762)\n\n - Unspecified flaws exist in the DB Listener subcomponent in the Applications Technology Stack. An authenticated, remote attacker can exploit these to cause a denial of service. (CVE-2015-4798, CVE-2015-4839)\n\n - An unspecified flaw exists in the Application Object Library related to the 'Java APIs - AOL/J' subcomponent.\n An unauthenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4845)\n\n - An unspecified flaw exists in the SQL Extensions subcomponent in the Applications Manager. An authenticated, remote attacker can exploit this to impact integrity and confidentiality. (CVE-2015-4846)\n\n - An unspecified flaw exists in the Punch-in subcomponent in the Oracle Payments component. An unauthenticated, remote attacker can exploit this to impact integrity.\n (CVE-2015-4849)\n\n - An unspecified flaw exists in the XML Input subcomponent in the iSupplier Portal. An unauthenticated, remote attacker can exploit this to impact integrity.\n (CVE-2015-4851)\n\n - An unspecified flaw exists in the Application Object Library related to the Single Signon subcomponent.\n An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4854)\n\n - An unspecified flaw exists in the Applications Framework related to the 'Business Objects - BC4J' subcomponent.\n An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4865)\n\n - An unspecified flaw exists in the Single Signon subcomponent in the Application Object Library. An unauthenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4884)\n\n - An unspecified flaw exists in the Reports Security subcomponent in the Report Manager. An unauthenticated, remote attacker can exploit this to impact integrity and confidentiality.(CVE-2015-4886)\n\n - An unspecified flaw exists in the Applications Framework related to the 'Diagnostics, DMZ' subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4898)", "modified": "2018-07-16T00:00:00", "id": "ORACLE_E-BUSINESS_CPU_OCT_2015.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86479", "published": "2015-10-21T00:00:00", "title": "Oracle E-Business Multiple Vulnerabilities (October 2015 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86479);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\n \"CVE-2015-4762\",\n \"CVE-2015-4798\",\n \"CVE-2015-4839\",\n \"CVE-2015-4845\",\n \"CVE-2015-4846\",\n \"CVE-2015-4849\",\n \"CVE-2015-4851\",\n \"CVE-2015-4854\",\n \"CVE-2015-4865\",\n \"CVE-2015-4884\",\n \"CVE-2015-4886\",\n \"CVE-2015-4898\"\n );\n script_bugtraq_id(\n 77243,\n 77244,\n 77245,\n 77247,\n 77248,\n 77249,\n 77250,\n 77251,\n 77252,\n 77253,\n 77254,\n 77255\n );\n\n script_name(english:\"Oracle E-Business Multiple Vulnerabilities (October 2015 CPU)\");\n script_summary(english:\"Checks for the October 2015 CPU.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle E-Business installed on the remote host is\nmissing the October 2015 Oracle Critical Patch Update (CPU). It is,\ntherefore, affected by vulnerabilities in the following components :\n\n - An unspecified flaw exists in the Online Patching\n subcomponent in the Applications DBA. An authenticated,\n remote attacker can exploit this to gain access to\n sensitive information. (CVE-2015-4762)\n\n - Unspecified flaws exist in the DB Listener subcomponent\n in the Applications Technology Stack. An authenticated,\n remote attacker can exploit these to cause a denial of\n service. (CVE-2015-4798, CVE-2015-4839)\n\n - An unspecified flaw exists in the Application Object\n Library related to the 'Java APIs - AOL/J' subcomponent.\n An unauthenticated, remote attacker can exploit this to\n gain access to sensitive information. (CVE-2015-4845)\n\n - An unspecified flaw exists in the SQL Extensions\n subcomponent in the Applications Manager. An\n authenticated, remote attacker can exploit this to\n impact integrity and confidentiality. (CVE-2015-4846)\n\n - An unspecified flaw exists in the Punch-in subcomponent\n in the Oracle Payments component. An unauthenticated,\n remote attacker can exploit this to impact integrity.\n (CVE-2015-4849)\n\n - An unspecified flaw exists in the XML Input subcomponent\n in the iSupplier Portal. An unauthenticated, remote\n attacker can exploit this to impact integrity.\n (CVE-2015-4851)\n\n - An unspecified flaw exists in the Application Object\n Library related to the Single Signon subcomponent.\n An unauthenticated, remote attacker can exploit this to\n impact integrity. (CVE-2015-4854)\n\n - An unspecified flaw exists in the Applications Framework\n related to the 'Business Objects - BC4J' subcomponent.\n An authenticated, remote attacker can exploit this to\n gain access to sensitive information. (CVE-2015-4865)\n\n - An unspecified flaw exists in the Single Signon\n subcomponent in the Application Object Library. An\n unauthenticated, remote attacker can exploit this to\n gain access to sensitive information. (CVE-2015-4884)\n\n - An unspecified flaw exists in the Reports Security\n subcomponent in the Report Manager. An unauthenticated,\n remote attacker can exploit this to impact integrity\n and confidentiality.(CVE-2015-4886)\n\n - An unspecified flaw exists in the Applications Framework\n related to the 'Diagnostics, DMZ' subcomponent. An\n authenticated, remote attacker can exploit this to\n impact integrity. (CVE-2015-4898)\");\n # www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9d408555\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2015 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:e-business_suite\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_e-business_query_patch_info.nbin\");\n script_require_keys(\"Oracle/E-Business/Version\", \"Oracle/E-Business/patches/installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Oracle/E-Business/Version\");\npatches = get_kb_item_or_exit(\"Oracle/E-Business/patches/installed\");\n\n# Batch checks\nif (patches) patches = split(patches, sep:',', keep:FALSE);\nelse patches = make_list();\n\n# Check if the installed version is an affected version\naffected_versions = make_array(\n '11.5.10.2', make_list('21507439', '21507445'),\n\n '12.0.6', make_list('21507421'),\n\n '12.1.3', make_list('21507207'),\n\n '12.2.3', make_list('21507429'),\n '12.2.4', make_list('21507429')\n);\n\npatched = FALSE;\naffectedver = FALSE;\n\nif (affected_versions[version])\n{\n affectedver = TRUE;\n patchids = affected_versions[version];\n foreach required_patch (patchids)\n {\n foreach applied_patch (patches)\n {\n if(required_patch == applied_patch)\n {\n patched = applied_patch;\n break;\n }\n }\n if(patched) break;\n }\n if(!patched) patchreport = join(patchids,sep:\" or \");\n}\n\nif (!patched && affectedver)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Installed version : '+version+\n '\\n Fixed version : '+version+' Patch '+patchreport+\n '\\n';\n security_warning(port:0,extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse if (!affectedver) audit(AUDIT_INST_VER_NOT_VULN, 'Oracle E-Business', version);\nelse exit(0, 'The Oracle E-Business server ' + version + ' is not affected because patch ' + patched + ' has been applied.');\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "description": "Quarterly update closes 140 vulnerabilities in different applications.", "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:05", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "modified": "2016-09-29T00:00:00", "published": "2015-10-20T00:00:00", "id": "ORACLE:CPUOCT2015-2367953", "href": "", "title": "Oracle Critical Patch Update - October 2015", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
