Fangrun Li

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient input validation in the User Interface component of Oracle Advanced Outbound Telephony. This allows a low-privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony, potentially leading to unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data. Successful attacks can also result in unauthorized update, insert, or delete access to some of Oracle Advanced Outbound Telephony accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the User Interface component of Oracle Advanced Outbound Telephony to minimize the risk of exploitation. As a temporary workaround, limit the use of HTTP requests to the affected component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 12.2.1.4.0 **Description** The issue is related to insufficient access control in the WLS Web Services component of Oracle WebLogic Server, allowing a high-privileged attacker with network access via IIOP, T3 protocols to compromise the server. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the WLS Web Services component until a patch is available. As a temporary workaround, consider disabling the use of IIOP and T3 protocols to minimize the risk of exploitation. Restrict network access to the Oracle WebLogic Server to minimize the risk of remote attacks.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 12.2.1.4.0 **Description** The issue is related to insufficient access control in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via IIOP and T3 protocols to compromise the server and gain full control over it. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, ensure the WLS instance is using JDK 1.7.0 191 or later, or JDK 1.8.0 181 or later, and apply the patch for this issue to address the vulnerability. As a temporary workaround, consider restricting access to the IIOP and T3 protocols until the patch is applied. Restrict network access to the Oracle WebLogic Server instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient access control in the Web Services component of Oracle WebLogic Server, allowing a remote attacker to gain full control over the application using IIOP and T3 network protocols. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For version 10.3.6.0.0, update to a version that includes the fix for this issue. For version 12.1.3.0.0, update to a version that includes the fix for this issue. For version 12.2.1.3.0, update to a version that includes the fix for this issue. For version 12.2.1.4.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web Services component until a patch is available.