CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
20.1%
The versions of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory.
Vulnerability in the Oracle Trading Community product of Oracle E-Business Suite (component: Party Search UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Trading Community. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Trading Community accessible data as well as unauthorized access to critical data or complete access to all Oracle Trading Community accessible data. (CVE-2024-21167)
Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Process Manufacturing Product Development accessible data as well as unauthorized access to critical data or complete access to all Oracle Process Manufacturing Product Development accessible data. (CVE-2024-21153)
Vulnerability in the Oracle Process Manufacturing Financials product of Oracle E-Business Suite (component: Allocation Rules). Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Process Manufacturing Financials accessible data as well as unauthorized access to critical data or complete access to all Oracle Process Manufacturing Financials accessible data. (CVE-2024-21152)
Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component:
APIs). Supported versions that are affected are 12.2.6-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Object Library.
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Object Library, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data as well as unauthorized read access to a subset of Oracle Application Object Library accessible data.
(CVE-2024-21128)
Vulnerability in the Oracle Purchasing product of Oracle E-Business Suite (component: Approvals).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Purchasing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Purchasing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Purchasing accessible data as well as unauthorized read access to a subset of Oracle Purchasing accessible data.
(CVE-2024-21132)
Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: User Management).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle iStore accessible data.
(CVE-2024-21143)
Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: GL Accounts).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Trade Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. (CVE-2024-21146)
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component:
Personalization). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. (CVE-2024-21148)
Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component:
Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. (CVE-2024-21149)
Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Partners). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Marketing accessible data as well as unauthorized read access to a subset of Oracle Marketing accessible data.
(CVE-2024-21169)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(202705);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/22");
script_cve_id(
"CVE-2024-21128",
"CVE-2024-21132",
"CVE-2024-21143",
"CVE-2024-21146",
"CVE-2024-21148",
"CVE-2024-21149",
"CVE-2024-21152",
"CVE-2024-21153",
"CVE-2024-21167",
"CVE-2024-21169"
);
script_xref(name:"IAVA", value:"2024-A-0424");
script_name(english:"Oracle E-Business Suite (July 2024 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The versions of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as
referenced in the July 2024 CPU advisory.
- Vulnerability in the Oracle Trading Community product of Oracle E-Business Suite (component: Party Search
UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to compromise Oracle Trading Community. Successful
attacks of this vulnerability can result in unauthorized creation, deletion or modification access to
critical data or all Oracle Trading Community accessible data as well as unauthorized access to critical
data or complete access to all Oracle Trading Community accessible data. (CVE-2024-21167)
- Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite
(component: Quality Management Specs). The supported version that is affected is 12.2.13. Easily
exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle
Process Manufacturing Product Development. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all Oracle Process
Manufacturing Product Development accessible data as well as unauthorized access to critical data or
complete access to all Oracle Process Manufacturing Product Development accessible data. (CVE-2024-21153)
- Vulnerability in the Oracle Process Manufacturing Financials product of Oracle E-Business Suite
(component: Allocation Rules). Supported versions that are affected are 12.2.12-12.2.13. Easily
exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle
Process Manufacturing Financials. Successful attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data or all Oracle Process Manufacturing Financials
accessible data as well as unauthorized access to critical data or complete access to all Oracle Process
Manufacturing Financials accessible data. (CVE-2024-21152)
- Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component:
APIs). Supported versions that are affected are 12.2.6-12.2.13. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to compromise Oracle Application Object Library.
Successful attacks require human interaction from a person other than the attacker and while the
vulnerability is in Oracle Application Object Library, attacks may significantly impact additional
products (scope change). Successful attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Application Object Library accessible data as well as
unauthorized read access to a subset of Oracle Application Object Library accessible data.
(CVE-2024-21128)
- Vulnerability in the Oracle Purchasing product of Oracle E-Business Suite (component: Approvals).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to compromise Oracle Purchasing. Successful attacks
require human interaction from a person other than the attacker and while the vulnerability is in Oracle
Purchasing, attacks may significantly impact additional products (scope change). Successful attacks of
this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Purchasing
accessible data as well as unauthorized read access to a subset of Oracle Purchasing accessible data.
(CVE-2024-21132)
- Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: User Management).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Oracle iStore accessible data.
(CVE-2024-21143)
- Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: GL Accounts).
Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks
of this vulnerability can result in unauthorized creation, deletion or modification access to critical
data or all Oracle Trade Management accessible data as well as unauthorized access to critical data or
complete access to all Oracle Trade Management accessible data. (CVE-2024-21146)
- Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component:
Personalization). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable
vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle
Applications Framework. Successful attacks require human interaction from a person other than the attacker
and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact
additional products (scope change). Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Applications Framework accessible data as well as
unauthorized read access to a subset of Oracle Applications Framework accessible data. (CVE-2024-21148)
- Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component:
Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable
vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise
Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion
or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well
as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management
accessible data. (CVE-2024-21149)
- Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Partners). Supported
versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to some of Oracle Marketing
accessible data as well as unauthorized read access to a subset of Oracle Marketing accessible data.
(CVE-2024-21169)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2024.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2024 Oracle Critical Patch Update advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21167");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/16");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:e-business_suite");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_e-business_query_patch_info.nbin");
script_require_keys("Oracle/E-Business/Version", "Oracle/E-Business/patches/installed");
exit(0);
}
include('vcf.inc');
include('vcf_extras_oracle.inc');
var app_info = vcf::oracle_ebusiness::get_app_info();
var constraints = [
{ 'min_version' : '12.2.4', 'max_version' : '12.2.4.99999999', 'fix_patches':'36561740, 36594340' },
{ 'min_version' : '12.2.5', 'max_version' : '12.2.5.99999999', 'fix_patches':'36561740, 36594347, 36453170' },
{ 'min_version' : '12.2.6', 'max_version' : '12.2.6.99999999', 'fix_patches':'36561740, 36594351, 33405354, 36560216' },
{ 'min_version' : '12.2.7', 'max_version' : '12.2.7.99999999', 'fix_patches':'36561740, 36560216, 36594391, 33405354' },
{ 'min_version' : '12.2.8', 'max_version' : '12.2.8.99999999', 'fix_patches':'36561740, 36560216, 36594398, 33405354' },
{ 'min_version' : '12.2.9', 'max_version' : '12.2.9.99999999', 'fix_patches':'36561740, 36560216, 36594402, 33405354' },
{ 'min_version' : '12.2.10', 'max_version' : '12.2.10.99999999', 'fix_patches':'36561740, 36560216, 36594406, 33405354' },
{ 'min_version' : '12.2.11', 'max_version' : '12.2.11.99999999', 'fix_patches':'36561740, 36560216, 36594411, 33405354, 36605871' },
{ 'min_version' : '12.2.12', 'max_version' : '12.2.12.99999999', 'fix_patches':'36561740, 36560216, 36594416, 33405354, 36605881, 36744078' },
{ 'min_version' : '12.2.13', 'max_version' : '12.2.13.99999999', 'fix_patches':'36561740, 36560216, 36605881, 36744078, 36170989' }
];
vcf::oracle_ebusiness::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
fix_date:'202407'
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21143
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21146
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21148
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21149
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21152
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21153
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21169
www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json
www.oracle.com/security-alerts/cpujul2024.html
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
20.1%