Oracle Security Alert Advisory
Apps Associates takes the security and privacy of the information you entrust to us very seriously. For this reason, we are reaching out to make you aware of a recent discovery applicable to Oracle E-Business users that may allow unauthorized access to personal information including first and last name, email address, and usernames. Customers that utilize a public facing Oracle DMZ node may be vulnerable based on certain configuration selections.
Apps would like to ensure our customers are informed of this discovery and let you know we are here to support you in assessing and addressing a potential security threat. We would also like to confirm that this is not an Apps Associates’ specific vulnerability, it is a discovery that has been published by the general security community.
On the morning of May 19th, Apps Associates identified a possible security flaw in Oracle’s E-Business Suite (EBS) External Services. This flaw allows a user to self-register through a particular JSP on DMZ nodes, then log back in and through an obscure link, and view information from the fnd_user table in EBS.
We’ve been working non-stop with Oracle Support to identify the root cause and identify those Apps customers directly affected by this vulnerability.
In the late evening of May 19th, Oracle Support released an update:
-
- This vulnerability has officially been identified as CVE-2022-21500
- Oracle Security Alert Advisory – CVE-2022-21500
- Oracle Patch Availability Document – CVE-2022-21500
- Note: Link requires My Oracle Support access
- Oracle has stated that a patch is in development and is expected to be released on June 15th
- Oracle has provided a temporary work-around in the Oracle Patch Availability Document
- This vulnerability has officially been identified as CVE-2022-21500
This vulnerable data comprises PII (Personally Identifiable Information), and this vulnerability is exploitable if DMZ nodes are in use and requires no prior credentials to exploit. We recommend making the changes Oracle outlines in the MOS note above immediately.
The instructions to determine if you are affected by this vulnerability are shown below:
To test if the vulnerability Security Alert CVE-2022-21500 exists:
- Login to:
- <CUST URL>/OA_HTML/ibeCAcpSSOReg.jsp
- Select “Register as Individual”
- <CUST URL>/OA_HTML/ibeCAcpSSOReg.jsp
- Enter account information, including username and password.
- You will receive what appears to be an “error”
- Log back into eBS using new credentials
- <CUST URL>/OA_HTML/AppsLocalLogin.jsp
- Enter new username and password
- <CUST URL>/OA_HTML/AppsLocalLogin.jsp
- You will be logged in with no responsibilities
- Navigate to “gear” icon
- Select Manage Proxies
- Select Run Proxy Report
- In search area enter ‘%’ and select the magnifying glass to search
- PII information is possibly present in the search results.
– Michael Foret: VP Infrastructure/Cloud Services
About Apps Associates
Apps Associates provides services for all things Oracle on AWS. Our team manages the entire AWS environment, enabling significant cost savings, increased agility, and zero business disruption or downtime. Apps’ technical teams provide expert AWS consulting throughout the entire migration and post-migration process. From Dev Ops, to Managed Services we have you covered.
For Dev Ops Services, we provide expertise in CI/CD, Jenkins, GitHub, Ansible, Python, Terraform, and AWS Cloud formation. AWS components are built/managed by automation with custom Shell / Python code to automate the deployment. We can customize the deployment process based on the application structure and stack, and we can reuse scripts and codes to ensure effective utilization of resources and time.
Our Managed Services is based on our next generation monitoring platform that uses statistical and Machine Learning algorithms to reduce alarm fatigue and focus attention on real issues that need attention. Staffed by AWS certified engineers, our managed services teams are ready to support you anytime, all the time. Consider letting us manage your Oracle/AWS systems in the cloud.
Apps Associates is here to help. Please don’t hesitate to reach out with any questions.