Lucene search

K

Oracle E-Business Suite Multiple Vulnerabilities (Oct 2019 CPU)

Oracle E-Business Suite missing October 2019 Critical Patch Update and affected by multiple vulnerabilitie

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Prion
Design/Logic Flaw
16 Oct 201918:15
prion
Rows per page
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(130020);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2019-2925",
    "CVE-2019-2930",
    "CVE-2019-2942",
    "CVE-2019-2990",
    "CVE-2019-2994",
    "CVE-2019-2995",
    "CVE-2019-3000",
    "CVE-2019-3022",
    "CVE-2019-3024",
    "CVE-2019-3027"
  );
  script_xref(name:"IAVA", value:"2019-A-0386-S");

  script_name(english:"Oracle E-Business Suite Multiple Vulnerabilities (Oct 2019 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"A web application installed on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle E-Business installed on the remote host is
missing the October 2019 Oracle Critical Patch Update (CPU). It is,
as noted in the October 2019 Critical Patch Update advisory, affected
by flaws in the following components :

  - Oracle Advanced Outbound Telephony
  - Oracle Application Object Library
  - Oracle Content Manager
  - Oracle Field Service
  - Oracle Installed Base
  - Oracle iStore
  - Oracle Marketing
  - Oracle Workflow

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2019 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3000");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:e-business_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_e-business_query_patch_info.nbin");
  script_require_keys("Oracle/E-Business/Version", "Oracle/E-Business/patches/installed");

  exit(0);
}

fix_date = '201910';

app_name = 'Oracle E-Business';
version = get_kb_item_or_exit('Oracle/E-Business/Version');
patched_versions = get_kb_item('Oracle/E-Business/patched_versions');

# check if patched
version_regex = "(^|[^0-9])" + version + "\." + fix_date + "([^0-9]|$)";
if (!empty_or_null(patched_versions) && patched_versions =~ version_regex)
  audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

# Report fixed version and required patches
fix_version = version;

# 12.1.1 - 12.1.3
if (version =~ "^12\.1\.[1-3]($|[^0-9])")
  fix_patches = '30077281';

# 12.2.0 - 12.2.3
else if (version =~ "^12\.2.[0-3]($|[^0-9])")
{
  fix_version = '12.2.3';
  fix_patches = '30077283';
}
# 12.2.4 
else if (version =~ "^12\.2\.4($|[^0-9])")
  fix_patches = '30077283';
# 12.2.5-9
else if (version =~ "^12\.2\.[5-9]($|[^0-9])")
  fix_patches = make_list('30077283', '29747091');
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version);

report =
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix_version +
    '\n  Required Patches  : ' + join(sep:', ', fix_patches);

security_report_v4(port:0,extra:report,severity:SECURITY_WARNING);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo