Oracle E-Business Suite SQL injection (CVE-2017-3549)
Description
Oracle E-Business Suite contains a SQL injection vulnerability in the iesfootprint script that allows unauthenticated remote attackers to inject and execute arbitrary SQL commands against the backend database. This vulnerability exists due to insufficient input validation and sanitization of user-supplied data before it is used in SQL queries, enabling attackers to manipulate database operations without authentication.
Remediation
Apply the security patches provided by Oracle for CVE-2017-3549 immediately. Refer to Oracle's Critical Patch Update (CPU) advisory from April 2017 for specific patch numbers applicable to your Oracle E-Business Suite version.
Follow these steps to remediate:
1. Review Oracle's April 2017 Critical Patch Update advisory to identify the appropriate patch for your E-Business Suite version
2. Test the patch in a non-production environment to ensure compatibility
3. Schedule a maintenance window and apply the patch to production systems
4. Verify the patch installation by checking the Oracle E-Business Suite patch level
5. Monitor database and application logs for any suspicious SQL activity or exploitation attempts
As a temporary mitigation until patching is complete, consider restricting network access to the iesfootprint script using web application firewall (WAF) rules or access control lists (ACLs) to limit exposure to trusted IP addresses only.
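The following is an added example, not part of the Oracle advisory or of any Oracle tooling, showing how the two interim controls above (monitoring for suspicious SQL activity and restricting the iesfootprint script to trusted addresses) can be checked against web server access logs. The request path `/OA_HTML/iesfootprint`, the trusted networks, and the sample log lines are all constructed assumptions for illustration; confirm the real URI of the script in your own E-Business Suite deployment before using a path in a WAF or ACL rule.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Assumed request path of the iesfootprint script (placeholder; the advisory
# names only the script, so verify the exact URI in your own deployment).
IESFOOTPRINT_PATH = "/OA_HTML/iesfootprint"

# Hypothetical trusted source networks, as a temporary ACL/WAF rule would define.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

# SQL metacharacters and keywords that should never appear in parameters sent
# to this script; matched against the URL-decoded query string.
SQL_INDICATORS = re.compile(
    r"('|--|;|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bdbms_\w+)",
    re.IGNORECASE,
)

# Apache/nginx combined log format:
#   ip - - [timestamp] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {
        "ip": ip,
        "ts": ts,
        "method": method,
        "path": path,
        "query": unquote_plus(query),  # decode %27, %20, '+' etc. before matching
        "status": int(status),
    }


def is_trusted(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(event):
    """Return the findings for one request to the iesfootprint script.

    Requests to other paths produce no findings. A request to the script is
    flagged when it comes from outside the trusted networks (ACL violation)
    and/or when its parameters contain SQL metacharacters.
    """
    findings = []
    if not event["path"].lower().startswith(IESFOOTPRINT_PATH.lower()):
        return findings
    if not is_trusted(event["ip"]):
        findings.append("untrusted-source")
    if SQL_INDICATORS.search(event["query"]):
        findings.append("sql-metachars")
    return findings


def scan(lines):
    """Scan log lines and return (ip, path, findings) for every flagged request."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        findings = classify(event)
        if findings:
            alerts.append((event["ip"], event["path"], findings))
    return alerts


# Constructed sample log lines (not real traffic): a benign request from a
# trusted host, a suspicious request from an untrusted host, an unrelated
# request, and a suspicious request from a trusted host.
SAMPLE_LOG = [
    '10.0.3.7 - - [01/May/2017:10:00:01 +0000] "GET /OA_HTML/iesfootprint?ref=main HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/May/2017:10:00:05 +0000] "GET /OA_HTML/iesfootprint?ref=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/7.52"',
    '203.0.113.9 - - [01/May/2017:10:00:06 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.3.7 - - [01/May/2017:10:00:09 +0000] "GET /OA_HTML/iesfootprint?ref=a%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {path} {','.join(findings)}")
```

Run as-is it reports two alerts: the untrusted host sending a quoted parameter, and the trusted host sending a `UNION SELECT` fragment. The path check deliberately runs before the ACL check so that the rule only fires for the vulnerable script and does not generate noise for the rest of the application; once the Oracle patch is applied, the `sql-metachars` finding remains a useful signal that someone is still probing the endpoint.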