Alexey Tyurin

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 12.2.1.2.0 **Description** A vulnerability exists in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). This vulnerability allows an unauthenticated attacker with network access via T3 or HTTP to compromise Oracle WebLogic Server, potentially leading to a takeover of the server. **Recommendations** Oracle WebLogic Server versions prior to 10.3.6.0.0 and versions after 12.2.1.2.0 are not affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.0.6 through 12.2.4 **Description** The issue is related to the Oracle Application Object Library component and affects data integrity. It may be related to Single Signon and potentially allows remote attackers to inject arbitrary web script or HTML, although the exact nature of the vulnerability is not confirmed by Oracle. The exploitation could be related to unknown vectors and may involve the Domain parameter in the CfgOCIReturn servlet. There are claims that this issue could be a cross-site scripting (XSS) vulnerability. **Recommendations** For versions 12.0.6 through 12.2.4, consider restricting access to the Single Signon feature and the CfgOCIReturn servlet to minimize the risk of exploitation. As a temporary workaround, avoid using the Domain parameter in the affected servlet until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.0.6 through 12.2.4 **Description** The issue is related to errors in the code of the Oracle iSupplier Portal component. It may allow a remote attacker to access the Oracle iSupplier Portal or execute arbitrary code. The vulnerability is reportedly related to XML input and may be an XML External Entity (XXE) vulnerability, which could enable remote attackers to read arbitrary files, cause a denial of service, or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/oramipp lpr". **Recommendations** For versions 12.0.6 through 12.2.4, consider restricting access to the Oracle iSupplier Portal component until a patch is available. As a temporary workaround, avoid using XML input in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue affects the confidentiality and integrity of the system, potentially allowing remote attackers to impact it via unknown vectors related to Reports Security. There are claims that this issue might be related to an XML External Entity (XXE) vulnerability, which could enable remote attackers to read arbitrary files, cause a denial of service, or conduct SMB Relay attacks by crafting a DTD in an XML request involving the OA HTML/copxml servlet. Additionally, errors in the code of the Oracle Application Object Library component, specifically the Single Signon subcomponent, may allow a remote attacker to gain unauthorized access to read data. **Recommendations** For Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the OA HTML/copxml servlet as a temporary workaround until a patch is available. As a mitigation measure, review and secure the configuration of the Single Signon subcomponent in the Oracle Application Object Library to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue affects the confidentiality and integrity of the system, potentially allowing remote authenticated users to execute arbitrary SQL commands via a request involving the `afamexts.sql` SQL extension. This could enable unauthorized updates, insertions, deletions of data, as well as unauthorized access to read data in Oracle Applications Manager. The exact nature of the vulnerability is related to errors in the code and is possibly a SQL injection vulnerability, although Oracle has not confirmed this. **Recommendations** For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4, consider restricting access to the `afamexts.sql` SQL extension to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the SQL Extensions feature in the Oracle Applications Manager component until a patch is available. Avoid using the `afamexts.sql` SQL extension in requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue is related to errors in the code of the Oracle Application Object Library component, allowing remote attackers to affect confidentiality. It is also claimed that this issue may allow remote attackers to enumerate database users via a series of requests to `Aoljtest.js`. The vulnerability is related to Java APIs - AOL/J. **Recommendations** For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the Oracle Application Object Library component until a patch is available. As a temporary workaround, consider disabling requests to `Aoljtest.js` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue affects the confidentiality, integrity, and availability of the system via unknown vectors related to Punch-in. It is reportedly related to errors in the code of the Oracle Payments component. Exploitation may allow a remote attacker to access Oracle Payments or execute arbitrary code. There are claims that this issue could be an XML External Entity (XXE) vulnerability, which might allow remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/IspPunchInServlet". **Recommendations** For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the Oracle Payments component until a fix is available. As a temporary workaround, consider disabling the `IspPunchInServlet` function in the "OA HTML" module to minimize the risk of exploitation. Avoid using crafted DTDs in XML requests to the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.