Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_E-BUSINESS_CPU_JAN_2022.NASL
HistoryJan 20, 2022 - 12:00 a.m.

Oracle E-Business Suite (Jan 2022 CPU)

2022-01-2000:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
14

7.3 High

AI Score

Confidence

High

JSON

The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2022 CPU advisory.

  • Vulnerability in the Oracle Sourcing product of Oracle E-Business Suite (component: Intelligence, RFx Creation). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Sourcing accessible data as well as unauthorized access to critical data or complete access to all Oracle Sourcing accessible data. (CVE-2022-21274)

  • Vulnerability in the Oracle Project Costing product of Oracle E-Business Suite (component: Expenses, Currency Override). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Costing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Project Costing accessible data as well as unauthorized access to critical data or complete access to all Oracle Project Costing accessible data. (CVE-2022-21273)

  • Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: UI Servlet).
    Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configurator accessible data as well as unauthorized access to critical data or complete access to all Oracle Configurator accessible data. (CVE-2022-21255)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156890);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/20");

  script_cve_id(
    "CVE-2019-10086",
    "CVE-2020-6950",
    "CVE-2022-21250",
    "CVE-2022-21251",
    "CVE-2022-21255",
    "CVE-2022-21273",
    "CVE-2022-21274",
    "CVE-2022-21354",
    "CVE-2022-21373"
  );
  script_xref(name:"IAVA", value:"2022-A-0033-S");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");
  script_xref(name:"IAVA", value:"2023-A-0559");

  script_name(english:"Oracle E-Business Suite (Jan 2022 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as
referenced in the January 2022 CPU advisory.

  - Vulnerability in the Oracle Sourcing product of Oracle E-Business Suite (component: Intelligence, RFx
    Creation). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability
    allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing. Successful
    attacks of this vulnerability can result in unauthorized creation, deletion or modification access to
    critical data or all Oracle Sourcing accessible data as well as unauthorized access to critical data or
    complete access to all Oracle Sourcing accessible data. (CVE-2022-21274)

  - Vulnerability in the Oracle Project Costing product of Oracle E-Business Suite (component: Expenses,
    Currency Override). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable
    vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project
    Costing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or
    modification access to critical data or all Oracle Project Costing accessible data as well as unauthorized
    access to critical data or complete access to all Oracle Project Costing accessible data. (CVE-2022-21273)

  - Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: UI Servlet).
    Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows low
    privileged attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of
    this vulnerability can result in unauthorized creation, deletion or modification access to critical data
    or all Oracle Configurator accessible data as well as unauthorized access to critical data or complete
    access to all Oracle Configurator accessible data. (CVE-2022-21255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpujan2022cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2022.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2022 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10086");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-21274");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:e-business_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_e-business_query_patch_info.nbin");
  script_require_keys("Oracle/E-Business/Version", "Oracle/E-Business/patches/installed");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_ebusiness::get_app_info();

var constraints = [
  { 'min_version' : '12.2.3', 'max_version' : '12.2.10.99999999', 'fix_patches' : '33487428' },
  { 'min_version' : '12.2.11', 'max_version' : '12.2.11.99999999', 'fix_patches' : '33487428, 33568131' },
];

var fix_date = '202201';

vcf::oracle_ebusiness::check_version_and_report(
  app_info    : app_info,
  severity    : SECURITY_HOLE,
  constraints : constraints,
  fix_date    : fix_date
);
VendorProductVersionCPE
oraclee-business_suitecpe:/a:oracle:e-business_suite

Related

prion 10
cve 11
f5 1
ibm 67
fedora 2
veracode 2
osv 5
nessus 44
debiancve 2
redhat 27
openvas 9
nuclei 1
symantec 2
github 2
ubuntucve 2
freebsd 1
mageia 1
suse 1
cgr 1
amazon 1
redhatcve 2
wolfi 1
debian 1
centos 1
oraclelinux 1
ubuntu 1
prion
prion
Code injection
2022-01-19 12:15:00
Design/Logic Flaw
2022-01-19 12:15:00
Design/Logic Flaw
2022-01-19 12:15:00
cve
cve
CVE-2022-21373
2022-01-19 12:15:00
CVE-2022-21250
2022-01-19 12:15:00
CVE-2022-21273
2022-01-19 12:15:00
f5
f5
K000134517 : Eclipse vulnerability CVE-2020-6950
2023-05-09 00:00:00
ibm
ibm
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server which is used by IBM Rational ClearQuest (CVE-2019-10086)
2019-12-10 02:23:50
Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2019-10086)
2019-12-04 05:05:02
Security Bulletin: Atlas eDiscovery Process Management(6.0.1.x and 6.0.2.x versions) is affected by a vulnerable Apache Commons Beanutils in WebSphere Application Server
2020-09-28 07:57:33
fedora
fedora
[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30
2019-11-13 09:58:19
[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31
2019-11-13 10:08:09
veracode
veracode
Authorization Bypass
2019-08-16 00:43:09
Path Traversal
2020-06-12 03:38:57
osv
osv
Insecure Deserialization in Apache Commons Beanutils
2020-06-15 20:36:17
CVE-2020-6950
2021-06-02 16:15:08
Directory traversal in Eclipse Mojarra
2021-09-01 18:23:58
nessus
nessus
Fedora 31 : apache-commons-beanutils (2019-bcad44b5d6)
2019-11-14 00:00:00
FreeBSD : Payara -- path trasversal flaw via either loc/con parameters in Eclipse Mojarra (b07bdd3c-0809-11eb-a3a4-0019dbb15b3f)
2020-10-09 00:00:00
Oracle Application Testing Suite (Jul 2021 CPU)
2021-07-23 00:00:00
debiancve
debiancve
CVE-2019-10086
2019-08-20 21:15:00
CVE-2020-6950
2021-06-02 16:15:00
redhat
redhat
(RHSA-2020:0057) Important: rh-java-common-apache-commons-beanutils security update
2020-01-08 11:00:17
(RHSA-2020:0194) Important: apache-commons-beanutils security update
2020-01-21 18:21:47
(RHSA-2020:2740) Important: candlepin and satellite security update
2020-06-24 14:05:48
openvas
openvas
Fedora Update for apache-commons-beanutils FEDORA-2019-79b5790566
2019-11-14 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:2244-1)
2021-04-19 00:00:00
CentOS: Security Advisory for apache-commons-beanutils (CESA-2020:0194)
2020-01-29 00:00:00
nuclei
nuclei
Eclipse Mojarra - Local File Read
2023-10-13 16:00:06
symantec
symantec
Oracle WebLogic Server CVE-2020-6950 Remote Security Vulnerability
2020-01-14 00:00:00
Apache Commons Beanutils CVE-2019-10086 Remote Security Vulnerability
2019-08-15 00:00:00
github
github
Directory traversal in Eclipse Mojarra
2021-09-01 18:23:58
Insecure Deserialization in Apache Commons Beanutils
2020-06-15 20:36:17
ubuntucve
ubuntucve
CVE-2020-6950
2021-06-02 00:00:00
CVE-2019-10086
2019-08-20 00:00:00
freebsd
freebsd
Payara -- path trasversal flaw via either loc/con parameters in Eclipse Mojarra
2020-01-13 00:00:00
mageia
mageia
Updated apache-commons-beanutils packages fix security vulnerability
2019-12-19 16:44:26
suse
suse
Security update for apache-commons-beanutils (important)
2019-09-03 00:00:00
cgr
cgr
CVE-2019-10086 vulnerabilities
2024-04-25 09:06:10
amazon
amazon
Important: apache-commons-beanutils
2020-02-17 19:50:00
redhatcve
redhatcve
CVE-2019-10086
2020-02-14 11:44:26
CVE-2020-6950
2020-02-25 06:10:45
wolfi
wolfi
CVE-2019-10086 vulnerabilities
2024-04-25 09:06:43
debian
debian
[SECURITY] [DLA 1896-1] commons-beanutils security update
2019-08-24 14:49:34
centos
centos
apache security update
2020-01-28 21:30:14
oraclelinux
oraclelinux
apache-commons-beanutils security update
2020-01-22 00:00:00
ubuntu
ubuntu
Apache Commons BeanUtils vulnerabilities
2021-03-15 00:00:00

7.3 High

AI Score

Confidence

High

JSON
Related for ORACLE_E-BUSINESS_CPU_JAN_2022.NASL
prion10cve11f51ibm67fedora2veracode2osv5nessus44debiancve2redhat27openvas9nuclei1symantec2github2ubuntucve2freebsd1mageia1suse1cgr1amazon1redhatcve2wolfi1debian1centos1oraclelinux1ubuntu1