Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_E-BUSINESS_CPU_OCT_2021.NASL
HistoryOct 21, 2021 - 12:00 a.m.

Oracle E-Business Suite Multiple Vulnerabilities (Oct 2021 CPU)

2021-10-2100:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
27

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:C/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

0.015 Low

EPSS

Percentile

86.7%

JSON

The version of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory, including the following:

  • An easily exploitable vulnerability in the Oracle Content Manager product’s Content Item Manager component that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-2483)

  • An easily exploitable vulnerability in the Oracle Applications Manager Diagnostics component that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-35566)

  • An easily exploitable vulnerability in a Miscellaneous component of the Oracle Deal Management product that allows a low privileged, remote attacker to compromise confidentiality and integrity.
    (CVE-2021-35536)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154291);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/28");

  script_cve_id(
    "CVE-2021-2474",
    "CVE-2021-2477",
    "CVE-2021-2482",
    "CVE-2021-2483",
    "CVE-2021-2484",
    "CVE-2021-2485",
    "CVE-2021-35536",
    "CVE-2021-35554",
    "CVE-2021-35562",
    "CVE-2021-35563",
    "CVE-2021-35566",
    "CVE-2021-35569",
    "CVE-2021-35570",
    "CVE-2021-35580",
    "CVE-2021-35581",
    "CVE-2021-35582",
    "CVE-2021-35585",
    "CVE-2021-35611"
  );
  script_xref(name:"IAVA", value:"2021-A-0485-S");

  script_name(english:"Oracle E-Business Suite Multiple Vulnerabilities (Oct 2021 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as
referenced in the October 2021 CPU advisory, including the following:

  - An easily exploitable vulnerability in the Oracle Content Manager product's Content Item Manager component
    that allows a low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-2483)

  - An easily exploitable vulnerability in the Oracle Applications Manager Diagnostics component that allows a
    low privileged, remote attacker to compromise confidentiality and integrity. (CVE-2021-35566)
  
  - An easily exploitable vulnerability in a Miscellaneous component of the Oracle Deal Management product
    that allows a low privileged, remote attacker to compromise confidentiality and integrity.
    (CVE-2021-35536)


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version   
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixEBS");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2021 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-35570");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-35585");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/10/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/10/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:e-business_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_e-business_query_patch_info.nbin");
  script_require_keys("Oracle/E-Business/Version", "Oracle/E-Business/patches/installed");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_ebusiness::get_app_info();

var constraints = [
  { 'min_version' : '12.1.1', 'max_version' : '12.1.3',  'fix_patches' : '33154541' },
  { 'min_version' : '12.2.0', 'max_version' : '12.2.2',  'fix_patches' : '33154561', 'fixed_display' : '12.2.3' },
  { 'min_version' : '12.2.3', 'max_version' : '12.2.3.9999999', 'fix_patches' : '33154561' },
  { 'min_version' : '12.2.4', 'max_version' : '12.2.4.9999999', 'fix_patches' : '33154561, 33168623' },
  { 'min_version' : '12.2.5', 'max_version' : '12.2.5.9999999', 'fix_patches' : '33154561, 33168635' },
  { 'min_version' : '12.2.6', 'max_version' : '12.2.6.9999999', 'fix_patches' : '33154561, 33168644' },
  { 'min_version' : '12.2.7', 'max_version' : '12.2.7.9999999', 'fix_patches' : '33154561, 33245199, 33168651' },
  { 'min_version' : '12.2.8', 'max_version' : '12.2.8.9999999', 'fix_patches' : '33154561, 33245199, 33168655' },
  { 'min_version' : '12.2.9', 'max_version' : '12.2.9.9999999', 'fix_patches' : '33154561, 33245199, 33168655' },
  { 'min_version' : '12.2.10', 'max_version' : '12.2.10.9999999', 'fix_patches' : '33154561, 33286000, 33207251, 33168664' },
];

var fix_date = '202110';

vcf::oracle_ebusiness::check_version_and_report(
  app_info    : app_info,
  severity    : SECURITY_HOLE,
  constraints : constraints,
  fix_date    : fix_date
);
VendorProductVersionCPE
oraclee-business_suitecpe:/a:oracle:e-business_suite

References

Related

cnvd 11
prion 18
cvelist 18
cve 18
nvd 18
zdi 1
oracle 1
cnvd
cnvd
Oracle E-Business Suite Unauthorized Access Vulnerability (CNVD-2022-02356)
2021-10-20 00:00:00
Oracle E-Business Suite Unauthorized Access Vulnerability (CNVD-2022-02351)
2021-10-20 00:00:00
Oracle E-Business Suite Unauthorized Access Vulnerability (CNVD-2022-02354)
2021-10-20 00:00:00
prion
prion
Design/Logic Flaw
2021-10-20 11:16:00
Design/Logic Flaw
2021-10-20 11:17:00
Design/Logic Flaw
2021-10-20 11:16:00
cvelist
cvelist
CVE-2021-35581
2021-10-20 10:50:26
CVE-2021-35554
2021-10-20 10:50:03
CVE-2021-35611
2021-10-20 10:50:49
cve
cve
CVE-2021-35566
2021-10-20 11:16:38
CVE-2021-35580
2021-10-20 11:16:55
CVE-2021-35562
2021-10-20 11:16:36
nvd
nvd
CVE-2021-35580
2021-10-20 11:16:55
CVE-2021-35562
2021-10-20 11:16:36
CVE-2021-35569
2021-10-20 11:16:51
zdi
zdi
Oracle E-Business Suite Content-Length Memory Exhaustion Denial-Of-Service Vulnerability
2021-10-21 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:C/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

0.015 Low

EPSS

Percentile

86.7%

JSON
Related for ORACLE_E-BUSINESS_CPU_OCT_2021.NASL
cnvd11prion18cvelist18cve18nvd18zdi1oracle1