Oracle E-Business Suite Frame Injection (CVE-2017-3528) - Vulnerability Database

Oracle E-Business Suite Frame Injection (CVE-2017-3528)

Description

Oracle E-Business Suite releases that predate the April 2017 Critical Patch Update contain a frame injection vulnerability in the "Popup windows" subcomponent. A popup page builds the source attribute of an iframe element from request input without validating it, so a remote, unauthenticated attacker who gets a user to open a crafted link can have content from an attacker-controlled domain rendered inside a trusted Oracle EBS page, for example a look-alike login form that harvests credentials. Exploitation requires user interaction, and the vulnerability affects the confidentiality and integrity of user data.

Remediation

Apply the Oracle Critical Patch Update (CPU) released in April 2017, or any later CPU (EBS CPUs are cumulative), or upgrade to a later version of Oracle E-Business Suite that includes this security fix. Follow these steps:

1. Review the Oracle Critical Patch Update Advisory for April 2017 to identify the specific patches applicable to your Oracle EBS version and configuration
2. Test the patches in a non-production environment to ensure compatibility with your customizations
3. Schedule a maintenance window and apply the patches following Oracle's patching guidelines
4. Verify the patch installation by checking the applied patches inventory in Oracle EBS
5. As an additional defense-in-depth measure, send a Content Security Policy (CSP) header with a frame-src directive (for example frame-src 'self') on EBS pages, so the browser refuses to load third-party origins into frames even if an unvalidated URL parameter reaches an iframe. Note that the frame-ancestors directive (like X-Frame-Options) controls which sites may embed your pages and mitigates clickjacking; it does not stop frame injection, which concerns what your pages embed.

Consult Oracle Support (My Oracle Support) for detailed patching instructions specific to your environment.
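The following is an added example illustrating the bug class described above and the two remediation ideas from step 5 (input validation plus a frame-src CSP). It is not Oracle's code and does not reflect the actual EBS popup implementation; the host name ebs.example.com, the "src" parameter, the blank.html fallback path and the attacker URL are all hypothetical. It is written in Node.js, which provides the WHATWG URL class used for parsing.

```javascript
// Added example (not Oracle's code): a popup page that takes a "src" query
// parameter and renders it as an iframe source, in a vulnerable and a hardened form.
// Hypothetical values:
const SITE_ORIGIN = "https://ebs.example.com";          // assumed EBS host
const SAFE_FALLBACK = "/OA_HTML/blank.html";             // assumed default frame content
const CRAFTED_SRC = "https://attacker.example/fake-login"; // constructed attacker value

// Attribute encoding prevents breaking out of the src="..." quotes, but it
// does NOT prevent frame injection: a well-formed external URL is still loaded.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: whatever arrives in ?src= becomes the frame source, so a crafted
// link renders attacker content inside the trusted EBS page.
function renderPopupVulnerable(src) {
  return `<iframe src="${escapeAttr(src)}"></iframe>`;
}

// Hardened: parse the value with a real URL parser, resolve relative paths
// against our own origin, and accept only same-origin results. javascript:
// and data: URLs have an origin of "null", scheme-relative "//host/" and
// backslash tricks ("\\host\") resolve to a foreign origin, so all are rejected.
function safeFrameSrc(src, origin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(src, origin);
  } catch (e) {
    return SAFE_FALLBACK;                       // unparseable input
  }
  if (url.origin !== origin) return SAFE_FALLBACK;
  // Re-emit as a relative path so the output can never name another host.
  return url.pathname + url.search + url.hash;
}

function renderPopupHardened(src) {
  return `<iframe src="${escapeAttr(safeFrameSrc(src))}"></iframe>`;
}

// Defense in depth at the browser: frame-src restricts what this page may
// embed (the relevant directive for frame injection); frame-ancestors and
// X-Frame-Options restrict who may embed this page (clickjacking).
function popupResponseHeaders() {
  return {
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
  };
}

console.log("vulnerable:", renderPopupVulnerable(CRAFTED_SRC));
console.log("hardened:  ", renderPopupHardened(CRAFTED_SRC));
```

The validation deliberately uses the platform URL parser rather than a prefix or regex check: the parser applies the same normalisation the browser will (case folding, backslash-to-slash for http(s), scheme-relative resolution), so the check and the browser agree on which host will actually be loaded. The CSP header is a backstop for the same property and should accompany, not replace, the vendor patch.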
