Oracle E-Business Suite Deserialization RCE
Description
Oracle E-Business Suite contains a critical deserialization vulnerability in the iesRuntimeServlet endpoint that allows unauthenticated remote attackers to execute arbitrary code. This flaw occurs when the application deserializes untrusted data without proper validation, enabling attackers to inject malicious serialized Java objects that execute upon deserialization. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction.
Remediation
Take the following steps to remediate this vulnerability:

Immediate Actions:
1. Apply the latest Critical Patch Update (CPU) from Oracle for E-Business Suite that addresses deserialization vulnerabilities
2. If patching cannot be performed immediately, restrict network access to the iesRuntimeServlet endpoint using firewall rules or web application firewall (WAF) policies
3. Monitor application logs for suspicious deserialization attempts or unexpected DNS queries

Long-term Remediation:
1. Upgrade to the latest supported version of Oracle E-Business Suite
2. Implement input validation and use deserialization filters to restrict which classes can be deserialized
3. Apply the principle of least privilege to application server processes
4. Enable comprehensive logging and monitoring for deserialization activities
5. Conduct a security assessment to identify any other exposed deserialization endpoints

Consult Oracle's security advisories and your Oracle support representative for specific patch versions applicable to your E-Business Suite deployment.
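As an added illustration of long-term step 2 (deserialization filters), and not code from Oracle or from this advisory: a Java 9+ ObjectInputFilter allowlist that admits only the classes an endpoint legitimately expects and rejects every other class before its readObject runs. The allowed class names, the depth and array limits, and the sample objects are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Allowlist filter (JEP 290 pattern syntax): only the classes this endpoint expects are accepted,
    // "!*" rejects everything else, and the limits bound nesting depth and array sizes.
    // The class names and limit values here are assumptions for the demo, not Oracle's configuration.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;java.util.ArrayList;java.lang.String;!*");

    // Serialize an object to bytes. In a real deployment these bytes arrive from the network;
    // here they are constructed locally so the example runs offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist installed on the stream. A class outside the allowlist
    // causes an InvalidClassException ("filter status: REJECTED") before it is instantiated.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    // Hypothetical stand-in for any class the endpoint does not expect (not a gadget, just unlisted).
    static class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String field = "anything";
    }

    public static void main(String[] args) throws Exception {
        List<String> expected = new ArrayList<>(List.of("order-1", "order-2"));
        System.out.println("allowed:  " + deserialize(serialize(expected)));
        try {
            deserialize(serialize(new NotExpected()));
            System.out.println("BUG: unlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied JVM-wide through the `jdk.serialFilter` system property, which is the practical route when the deserializing code (such as a vendor servlet) cannot be modified directly.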