CVE-2018-3235

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Description The issue is related to inadequate access control in the Oracle Applications Manager component of Oracle E-Business Suite. This can be exploited by a remote attacker to modify, add, or delete data using the HTTP protocol. The attack requires some interaction from a person other than the attacker and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data, as well as unauthorized update, insert, or delete access to some of the data.

Recommendations For versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, consider restricting access to the Oracle Applications Manager component via HTTP to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling access to sensitive data within Oracle Applications Manager to prevent unauthorized modifications. Restrict network access to Oracle E-Business Suite to only necessary personnel to reduce the attack surface.