[ERPSCAN-15-026] Oracle E-Business Suite – SQL injection vulnerability

Application: E-Business Suite
Vendor URL: Oracle
Bugs: SQL injection
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory:20.10.2015
Reference: Oracle CPU Oct 2015
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)

Class: SQL injection
Impact: SQL injection, RCE
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4846
CVSS Information
CVSS Base Score: 3.6 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) High (H)
Au : Authentication (Level of authentication needed to exploit) Single (S)
C : Impact to Confidentiality Partial (P)
I : Impact to Integrity Partial (P)
A : Impact to Availability None (N)

Business Risk
By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable Oracle system.

An SQL injection vulnerability means that the code comprises an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to retrieve additional data from the database or to modify the data.

Oracle E-Business Suite 12.1.3, 12.1.4
Other versions are probably affected too, but they were not checked.

Install Oracle CPU October 2015

One of SQL extensions (afamexts.sql) does not filter user input values which may lead to SQL injection. The only defense mechanism is a password for APPS. If an attacker knows the password (for example, default password APPS/APPS), he will be able to exploit SQL injection with high privilege.