CVE-2015-0393

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4

Description The issue affects confidentiality, integrity, and availability. It is related to DB Privileges and allows remote authenticated users to exploit the vulnerability via unknown vectors. There is a claim that during a "seeded install," the PUBLIC role is granted the INDEX privilege for the DUAL table, which could allow remote authenticated users to gain SYSDBA privileges and execute arbitrary code.

Recommendations For Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4, consider restricting the INDEX privilege for the DUAL table to prevent remote authenticated users from gaining SYSDBA privileges. As a temporary workaround, consider revoking the INDEX privilege from the PUBLIC role for the DUAL table until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.