CVE-2015-4849

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

Description The issue affects the confidentiality, integrity, and availability of the system via unknown vectors related to Punch-in. It is reportedly related to errors in the code of the Oracle Payments component. Exploitation may allow a remote attacker to access Oracle Payments or execute arbitrary code. There are claims that this issue could be an XML External Entity (XXE) vulnerability, which might allow remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/IspPunchInServlet".

Recommendations For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the Oracle Payments component until a fix is available. As a temporary workaround, consider disabling the IspPunchInServlet function in the "OA HTML" module to minimize the risk of exploitation. Avoid using crafted DTDs in XML requests to the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.