Oracle E-Business Suite SSRF (CVE-2018-3167)
Description
Oracle E-Business Suite contains a Server-Side Request Forgery (SSRF) vulnerability in the lcmServiceController script, caused by improper validation of XML Document Type Definitions (DTDs) in attacker-supplied input. A remote, unauthenticated attacker can use it to make the EBS server issue requests to arbitrary internal or external network resources. Because the requests originate from the application tier rather than from the attacker, they can reach hosts and services that are not exposed externally, so the responses can disclose information about the internal network and the services running on it.
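The mechanism described above, as an added example that is not part of this advisory or of Oracle's code: a Python script modelling a parser that expands an external entity declared in a submitted DTD (the server itself fetches the entity's SYSTEM URL, which is the SSRF primitive) beside the hardened configuration that rejects any DOCTYPE before entity expansion. The payload, the 10.0.0.5 address and all class and function names are constructed for this example; the request format accepted by lcmServiceController is not described on this page, so the script demonstrates the parser behaviour, not that endpoint.

```python
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed sample input: the internal DTD subset declares an external
# general entity.  When the parser expands &probe; it opens the entity's
# SYSTEM URL itself.  The target address is a placeholder for this example.
SSRF_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY probe SYSTEM "http://10.0.0.5:8080/internal/">
]>
<data>&probe;</data>
"""

# Constructed benign input with no DOCTYPE at all.
BENIGN_DOC = '<?xml version="1.0"?><data><item id="1"/></data>'


class DoctypeRejected(Exception):
    """Raised when a DOCTYPE is encountered and DTDs are not allowed."""


class RecordingResolver(handler.EntityResolver):
    """Stands in for the network fetch: records each external entity URL the
    parser asks for and hands back a stub body instead of opening the URL."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource()
        src.setByteStream(io.BytesIO(b"<stub/>"))
        return src


class RootRecorder(handler.ContentHandler):
    """Captures the root element name so callers can see the parse completed."""

    def __init__(self):
        super().__init__()
        self.root = None

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name


class RejectDoctype:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears,
    the equivalent of the disallow-doctype-decl feature on Java parsers."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse(xml_text, *, resolve_external=False, allow_doctype=False):
    """Parse xml_text and return (root_element, external_urls_requested).

    resolve_external=True reproduces the vulnerable behaviour (external
    general entities are fetched); allow_doctype=True accepts a DTD instead
    of rejecting the document outright.  The defaults are the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    # expat never reads external parameter entities; set False explicitly
    parser.setFeature(handler.feature_external_pes, False)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    content = RootRecorder()
    parser.setContentHandler(content)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.StringIO(xml_text))
    return content.root, resolver.requested


def vulnerable_parse(xml_text):
    """Insecure configuration: DTD accepted and external entities fetched."""
    return parse(xml_text, resolve_external=True, allow_doctype=True)


def hardened_parse(xml_text):
    """Recommended configuration: any DOCTYPE is rejected before expansion."""
    return parse(xml_text)


def rejects_doctype(xml_text):
    """True if the hardened parser refuses the document because of a DOCTYPE."""
    try:
        hardened_parse(xml_text)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_parse(SSRF_PAYLOAD))
    print("entities disabled, DTD allowed:", parse(SSRF_PAYLOAD, allow_doctype=True))
    print("hardened rejects payload:", rejects_doctype(SSRF_PAYLOAD))
    print("benign:", hardened_parse(BENIGN_DOC))
```

Run with Python 3; the vulnerable configuration reports the URL the parser tried to fetch, the intermediate configuration (DTD allowed, external entities off) completes without any request, and the hardened configuration refuses the document. In a Java parser such as the one EBS runs on, the same hardening is the Xerces features `http://apache.org/xml/features/disallow-doctype-decl` set to true plus `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` set to false.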
Remediation
Apply the security patches provided in Oracle's Critical Patch Update (CPU) for October 2018 immediately. Follow these steps:
1. Review the Oracle Critical Patch Update Advisory - October 2018 at https://www.oracle.com/security-alerts/cpuoct2018.html
2. Identify your current Oracle E-Business Suite version and determine the appropriate patch
3. Test the patch in a non-production environment first
4. Schedule a maintenance window and apply the patch to production systems
5. Verify the patch installation and confirm the vulnerability is remediated
Until the patch is in place, restrict outbound connections from the Oracle EBS application tier to the destinations it genuinely needs (database listener, directory, DNS and integration endpoints) using host- or network-level egress filtering. This limits what a forged request can reach and makes blocked attempts visible in firewall logs, but it does not stop the endpoint from being abused against the hosts that remain allowed, so treat it as a stop-gap rather than a fix. If the EBS release provides a supported option to disable DTD or external entity processing for lcmServiceController, enable it as well; where no such option exists, restricting access to the script at the web tier until the patch is applied is the more dependable interim control.
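One way to implement the egress restriction above on a Linux EBS application-tier host, as an added example that is not part of this advisory or of Oracle's documentation: an nftables ruleset with a default-drop output chain and an allowlist of destination/port pairs. The addresses, ports and table name are placeholders for this example and must be replaced with the host's real dependencies.

```nft
#!/usr/sbin/nft -f
# Added example: egress allowlist for an Oracle EBS application-tier host.
# All addresses and ports below are placeholders; derive the real list from
# the host's observed connections (e.g. ss -tunp over a full business cycle)
# before enforcing, or the application tier will lose its own dependencies.

add table inet ebs_egress
delete table inet ebs_egress

table inet ebs_egress {
    set egress_tcp {
        type ipv4_addr . inet_service
        elements = {
            10.0.1.20 . 1521,
            10.0.1.40 . 389
        }
    }
    set egress_udp {
        type ipv4_addr . inet_service
        elements = {
            10.0.1.30 . 53,
            10.0.1.30 . 123
        }
    }
    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        # replies on connections that clients opened to the web tier
        ct state established,related accept
        # database listener and directory (TCP), internal DNS and NTP (UDP)
        ip daddr . tcp dport @egress_tcp accept
        ip daddr . udp dport @egress_udp accept
        # everything else, including forged requests to other internal hosts,
        # is counted and logged so SSRF attempts surface in the host logs
        counter log prefix "ebs-egress-drop " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `ebs-egress-drop` prefix: a burst of drops toward addresses the server has no business contacting is a signal that the endpoint is being probed. The ruleset only narrows where a forged request can go; the allowlisted hosts remain reachable through the flaw until the CPU patch is applied.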