CVE-2016-0456

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1 through 12.2

Description The issue affects confidentiality and is related to the REST Framework in the Application Mgmt Pack for E-Business Suite component. There are claims that this issue may be an XML External Entity (XXE) vulnerability, which could allow remote attackers to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/copxmllcmservicecontroller.js".

Recommendations For Oracle E-Business Suite versions 12.1 through 12.2, consider restricting access to the REST Framework until a patch is available. As a temporary workaround, avoid using the Application Mgmt Pack for E-Business Suite component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.