Khuyen Nguyen

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.9 **Description** The issue is related to insufficient input validation in the APIs component of Oracle Installed Base, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle Installed Base accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.9, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the APIs component of Oracle Installed Base to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.3 **Description** The issue is related to insufficient input validation in the Print Server component of Oracle One-to-One Fulfillment. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment, requiring human interaction from a person other than the attacker. Successful attacks may significantly impact additional products and can result in unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data, as well as unauthorized update, insert, or delete access to some of Oracle One-to-One Fulfillment accessible data. **Recommendations** For version 12.1.3, consider restricting access to the Print Server component until a patch is available. As a temporary workaround, limit the use of HTTP protocol for network access to minimize the risk of exploitation. Additionally, ensure that all input data is thoroughly validated to prevent unauthorized access or data modification. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient input validation in the Marketing Administration component of Oracle Marketing. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data, as well as unauthorized update, insert, or delete access to some of Oracle Marketing accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient input validation in the Marketing Administration component of Oracle Marketing, part of the Oracle E-Business Suite system. This can be exploited by a remote attacker to gain unauthorized access to protected information or to modify, add, or delete data using the HTTP protocol. Successful attacks may require human interaction and can significantly impact additional products, potentially resulting in unauthorized access to critical data or complete access to all accessible data in Oracle Marketing, as well as unauthorized update, insert, or delete access to some of the accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Marketing Administration component until a patch is available. Restrict access to the HTTP protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient input validation in the Marketing Administration component of Oracle Marketing. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Marketing, potentially resulting in unauthorized access to critical data or complete access to all Oracle Marketing accessible data, as well as unauthorized update, insert, or delete access to some of Oracle Marketing accessible data. Successful attacks require human interaction from a person other than the attacker. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Marketing Administration component until a patch is available. Restrict access to sensitive data and implement additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.21 and prior **Description** The issue is related to insufficient input validation in the Server: Optimizer component of the MySQL Server product. It allows an attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For versions 8.0.21 and prior, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation. Avoid using the MySQL protocol over the network until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Configurator versions 12.1 through 12.2 **Description** The issue is related to insufficient access control in the UI Servlet component of Oracle Configurator, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all Oracle Configurator accessible data, as well as unauthorized update, insert, or delete access to some of Oracle Configurator accessible data. **Recommendations** For Oracle Configurator versions 12.1 and 12.2, consider restricting access to the UI Servlet component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of HTTP protocol for accessing Oracle Configurator to reduce the attack surface. Restrict access to sensitive data and implement additional monitoring to detect potential unauthorized access or modifications.

**Name of the Vulnerable Software and Affected Versions** Oracle iSupport versions 12.1.1 through 12.1.3 Oracle iSupport versions 12.2.3 through 12.2.9 **Description** The issue is related to insufficient access control in the Oracle iSupport component of Oracle E-Business Suite. Exploitation of this issue can allow a remote attacker to gain read, modify, add, or delete access to data using the HTTP protocol. Successful attacks may require human interaction from someone other than the attacker and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle iSupport accessible data, as well as unauthorized update, insert, or delete access to some Oracle iSupport accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.9, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Oracle iSupport component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Depot Repair versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient access controls in the Estimate and Actual Charges component of Oracle Depot Repair, allowing a remote attacker to read, modify, add, or delete data using the HTTP protocol. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the Estimate and Actual Charges component until a patch is available. As a temporary workaround, limit the use of HTTP protocol for sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Intelligence versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient access control in the DBI Setups component of Oracle E-Business Intelligence, allowing a remote attacker to gain read, modify, add, or delete access to data via the HTTP protocol. Successful attacks may require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the DBI Setups component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of HTTP protocol for sensitive data transactions.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access controls in the User Interface component of Oracle Advanced Outbound Telephony, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data, as well as unauthorized update, insert, or delete access to some of the data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the User Interface component of Oracle Advanced Outbound Telephony to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Advanced Outbound Telephony versions 12.1.1 through 12.1.3 Oracle Advanced Outbound Telephony versions 12.2.3 through 12.2.9 **Description** The issue is related to insufficient access control in the Settings component of Oracle Advanced Outbound Telephony, allowing a remote attacker to gain read, modify, add, or delete access to data via the HTTP protocol. Successful attacks require human interaction and can result in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to resolve the issue. For versions 12.2.3 through 12.2.9, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Settings component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco IOS Software and Cisco IOS XE Software on Catalyst 4500 Series Switches (affected versions not specified) **Description** A vulnerability in the Simple Network Management Protocol (SNMP) subsystem could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient input validation when the software processes specific SNMP object identifiers. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. To exploit this vulnerability by using SNMPv2c or earlier, the attacker must know the SNMP read-only community string for an affected system. To exploit this vulnerability by using SNMPv3, the attacker must know the user credentials for the affected system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 7.0.0 through 7.0.99 Apache Tomcat versions 8.5.0 through 8.5.50 Apache Tomcat versions 9.0.0.M1 through 9.0.30 **Description** The issue is related to the HTTP header parsing code, which used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid `Transfer-Encoding` header in a particular manner. Such a reverse proxy is considered unlikely. **Recommendations** For Apache Tomcat versions 7.0.0 through 7.0.99, update to a version that fixes the HTTP header parsing issue. For Apache Tomcat versions 8.5.0 through 8.5.50, update to a version that fixes the HTTP header parsing issue. For Apache Tomcat versions 9.0.0.M1 through 9.0.30, update to a version that fixes the HTTP header parsing issue. As a temporary workaround, consider restricting access to the `Transfer-Encoding` header in the reverse proxy configuration to minimize the risk of exploitation.