
[ERPSCAN-15-025] Oracle E-Business Suite – Database user enumeration vulnerability

Application: E-Business Suite
Vendor URL: Oracle
Bugs: User enumeration
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 20.10.2015
Reference: Oracle CPU Oct 2015
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)

VULNERABILITY INFORMATION
Class: User Enumeration
Impact: user enumeration, SSRF
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4845
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality Partial (P)
I : Impact to Integrity None (N)
A : Impact to Availability None (N)

Description
EBS ships a script that connects to the database with supplied credentials and displays the connection status. Because the result differs depending on whether the account exists, an attacker can use it to discover existing database accounts.

Business Risk
The script lets an unauthenticated attacker attempt a database connection with an arbitrary login/password pair, so the differing responses allow the attacker to enumerate database users.

VULNERABLE PACKAGES
Oracle E-Business Suite 12.2.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
Install Oracle CPU October 2015

TECHNICAL DESCRIPTION
Database user enumeration
Vulnerable script: Aoljtest.js
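As an added illustration (not part of the advisory or of Oracle's code), the following Python snippet shows how a defender might hunt web-server access logs for clients that probe the connection-test script with many different database account names, which is the enumeration pattern described above. The combined log format, the /OA_HTML/ path and the `user` query parameter name are assumptions for the example; the advisory does not document the script's parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The /OA_HTML/ path
# and the "user"/"pass" parameter names are assumptions for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2015:10:00:01 +0000] "GET /OA_HTML/Aoljtest.js?user=scott&pass=tiger HTTP/1.1" 200 612
203.0.113.7 - - [20/Oct/2015:10:00:02 +0000] "GET /OA_HTML/Aoljtest.js?user=apps&pass=x HTTP/1.1" 200 598
203.0.113.7 - - [20/Oct/2015:10:00:03 +0000] "GET /OA_HTML/Aoljtest.js?user=system&pass=x HTTP/1.1" 200 598
203.0.113.7 - - [20/Oct/2015:10:00:04 +0000] "GET /OA_HTML/Aoljtest.js?user=hr&pass=x HTTP/1.1" 200 598
198.51.100.2 - - [20/Oct/2015:10:05:00 +0000] "GET /OA_HTML/Aoljtest.js?user=apps&pass=x HTTP/1.1" 200 598
198.51.100.2 - - [20/Oct/2015:10:06:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_NAME = "aoljtest.js"  # script named in the advisory; matched case-insensitively


def test_script_requests(log_text):
    """Yield (client_ip, username) for every request to the connection-test script."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        if parts.path.rsplit("/", 1)[-1].lower() != SCRIPT_NAME:
            continue
        users = parse_qs(parts.query).get("user", [""])  # assumed parameter name
        yield m.group("ip"), users[0]


def enumeration_suspects(log_text, min_distinct_users=3):
    """Return {client_ip: sorted distinct usernames} for clients that probed the
    test script with at least `min_distinct_users` different database accounts."""
    seen = defaultdict(set)
    for ip, user in test_script_requests(log_text):
        seen[ip].add(user)
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= min_distinct_users}


if __name__ == "__main__":
    for ip, users in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct DB accounts tried -> {', '.join(users)}")
```

Any external client reaching the test script at all is worth reviewing; the distinct-username threshold is only there to separate a single misconfigured health check from a sweep across accounts.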