PT-2015-2489 · Oracle · Oracle Application Object Library

Author: Alexey Tyurin
Published: 2015-10-21
Updated: 2018-12-10
CVE: CVE-2015-4886

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

Description: The issue affects the confidentiality and integrity of the system, potentially allowing remote attackers to impact it via unknown vectors related to Reports Security. There are claims that this issue might be related to an XML External Entity (XXE) vulnerability, which could enable remote attackers to read arbitrary files, cause a denial of service, or conduct SMB Relay attacks by crafting a DTD in an XML request involving the OA HTML/copxml servlet. Additionally, errors in the code of the Oracle Application Object Library component, specifically the Single Signon subcomponent, may allow a remote attacker to gain unauthorized access to read data.

Recommendations: For Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the OA HTML/copxml servlet as a temporary workaround until a patch is available. As a mitigation measure, review and secure the configuration of the Single Signon subcomponent in the Oracle Application Object Library to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Related Identifiers

BDU:2015-11854
CVE-2015-4886

Affected Products

Oracle Application Object Library
Oracle E-Business Suite