Oracle E-Business Suite SSRF (CVE-2017-10246)
Description
The iHelp component in Oracle E-Business Suite contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated remote attackers to make the application server send HTTP requests to arbitrary internal or external destinations. This vulnerability enables attackers to bypass network security controls and interact with internal systems that would otherwise be inaccessible from the internet.
Remediation
Apply the security patches provided in Oracle's Critical Patch Update (CPU) for July 2017 immediately. Follow these steps:
1. Review the Oracle Critical Patch Update Advisory - July 2017 to identify the specific patch applicable to your Oracle E-Business Suite version
2. Test the patch in a non-production environment to ensure compatibility with your customizations
3. Schedule a maintenance window and apply the patch following Oracle's patch installation procedures
4. Verify the patch installation by checking the applied patches inventory
5. As an additional defense-in-depth measure, implement network segmentation to restrict outbound connections from the Oracle EBS server to only necessary destinations
If immediate patching is not possible, implement temporary mitigations such as restricting network access to the iHelp component and monitoring outbound connections for suspicious activity.
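As an added illustration of the outbound-connection monitoring recommended above (example code written for this page, not part of Oracle's product or advisory): a small Python checker that reads egress-proxy log lines from the EBS host and flags requests to internal, link-local or unlisted destinations, which is the traffic pattern an SSRF abuse produces. The log line format, the EBS host address 10.0.5.20 and the allowlist are constructed placeholders, not values from the advisory.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample egress log (placeholder format: "<ts> src=<ip> url=<url>").
# 10.0.5.20 stands in for the EBS application server; 10.0.7.9 is another host.
SAMPLE_EGRESS_LOG = """\
2017-07-20T10:00:01Z src=10.0.5.20 url=https://updates.oracle.com/patches
2017-07-20T10:00:07Z src=10.0.5.20 url=http://10.0.5.21:8080/admin
2017-07-20T10:00:09Z src=10.0.5.20 url=http://169.254.169.254/latest/meta-data/
2017-07-20T10:00:15Z src=10.0.5.20 url=http://unlisted.example/collect
2017-07-20T10:00:20Z src=10.0.7.9 url=http://10.0.5.21:8080/admin
"""

EBS_SERVER_IP = "10.0.5.20"              # placeholder: the EBS host under watch
ALLOWED_HOSTS = {"updates.oracle.com"}   # placeholder: destinations EBS legitimately needs

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+)$")


def classify_destination(url):
    """Label where an outbound request is going; anything but 'allowed' is reviewed."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than literal IP: accept only allowlisted names.
        return "allowed" if host in ALLOWED_HOSTS else "unlisted-external"
    if addr.is_link_local:
        return "link-local"          # e.g. cloud metadata service ranges
    if addr.is_private or addr.is_loopback:
        return "internal"            # lateral reach into the internal network
    return "unlisted-external"


def flag_suspicious_egress(log_text, ebs_ip=EBS_SERVER_IP):
    """Return (timestamp, url, label) for every non-allowlisted request from the EBS host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != ebs_ip:
            continue                 # malformed line or traffic from another host
        label = classify_destination(m["url"])
        if label != "allowed":
            findings.append((m["ts"], m["url"], label))
    return findings


if __name__ == "__main__":
    for ts, url, label in flag_suspicious_egress(SAMPLE_EGRESS_LOG):
        print(f"{ts} EBS -> {url} [{label}]")
```

Feed the function the real egress or proxy logs for the EBS host and tune the allowlist to the destinations the patching process itself requires.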