CVE-2015-4846

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

Description The issue affects the confidentiality and integrity of the system, potentially allowing remote authenticated users to execute arbitrary SQL commands via a request involving the afamexts.sql SQL extension. This could enable unauthorized updates, insertions, deletions of data, as well as unauthorized access to read data in Oracle Applications Manager. The exact nature of the vulnerability is related to errors in the code and is possibly a SQL injection vulnerability, although Oracle has not confirmed this.

Recommendations For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4, consider restricting access to the afamexts.sql SQL extension to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the SQL Extensions feature in the Oracle Applications Manager component until a patch is available. Avoid using the afamexts.sql SQL extension in requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.