CVE-2016-0457

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1 through 12.2

Description The issue affects confidentiality and is related to the REST Framework in the Application Mgmt Pack for E-Business Suite component. It has been suggested that this might be an XML External Entity (XXE) vulnerability, which could allow remote attackers to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/lcmServiceController.jsp".

Recommendations For Oracle E-Business Suite versions 12.1 through 12.2, consider restricting access to the OA HTML/lcmServiceController.jsp endpoint until a patch is available. As a temporary workaround, avoid using crafted DTDs in XML requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.