Oracle E-Business Suite Unauthenticated Remote Code Execution - Vulnerability Database

Description

Oracle E-Business Suite (EBS) is an integrated suite of business applications for automating CRM, ERP, and supply chain management processes.

Versions 12.2.3 through 12.2.11 contain a critical vulnerability in the Oracle Web Applications Desktop Integrator component (Upload functionality). The BneAbstractXMLServlet servlet is susceptible to a zip slip attack, which allows attackers to extract malicious archive files to arbitrary locations on the server filesystem. By manipulating file paths within a compressed archive (e.g., using "../" sequences), an unauthenticated attacker can overwrite critical system files or upload malicious code to executable directories, leading to remote code execution.
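The zip slip pattern described above comes down to one missing check: an archive entry name is joined onto the extraction directory and written without confirming that the resolved path still lies inside that directory. The following is an added Python example, not Oracle's servlet code or anything from the Invicti database; it builds a small constructed archive in memory containing one benign entry and one entry named with a "../" prefix, then contrasts an extractor that trusts entry names with one that resolves each path and rejects anything that escapes the target directory.

```python
"""Zip slip: archive entry names must be validated before extraction.

Added example (not Oracle's or Invicti's code). The archive, entry names and
directory layout are all constructed here for illustration.
"""
import io
import os
import tempfile
import zipfile


def build_constructed_archive() -> bytes:
    """Return a constructed zip holding a benign entry and a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/data.xml", "<rows/>")
        # Constructed hostile entry: the name climbs out of the extraction dir.
        zf.writestr("../escaped.txt", "outside")
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: joins the entry name onto dest and writes it as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened pattern: resolve each entry and refuse anything outside dest.

    Returns (written_paths, rejected_entry_names).
    """
    root = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # realpath collapses "..", and an absolute entry name replaces root
            # entirely under os.path.join, so both cases fail the check below.
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors inside a throwaway directory and report the outcome."""
    archive = build_constructed_archive()
    results = {}
    with tempfile.TemporaryDirectory() as outer:
        naive_dest = os.path.join(outer, "naive")
        os.makedirs(naive_dest)
        naive_extract(archive, naive_dest)
        # With the naive extractor the hostile entry lands beside the
        # extraction directory instead of inside it.
        results["naive_escaped"] = os.path.exists(os.path.join(outer, "escaped.txt"))

        safe_dest = os.path.join(outer, "safe")
        os.makedirs(safe_dest)
        written, rejected = safe_extract(archive, safe_dest)
        safe_root = os.path.realpath(safe_dest)
        results["safe_written"] = [os.path.relpath(p, safe_root) for p in written]
        results["safe_rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the fully resolved path rather than by searching the entry name for "../": encoded, doubled or absolute forms all collapse to the same question of whether the final destination is still under the extraction root. Logging each rejected entry name, as `safe_extract` returns it, gives the monitoring step below something concrete to alert on.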

Remediation

Take the following actions immediately to remediate this vulnerability:

1. Apply Security Patches: Install the Oracle Critical Patch Update (CPU) for October 2022 or later, which addresses CVE-2022-21587. Refer to the Oracle Critical Patch Update Advisory for specific patch numbers and installation instructions for your EBS version.

2. Upgrade Oracle EBS: If patching is not immediately feasible, plan to upgrade to Oracle E-Business Suite version 12.2.12 or later, which includes the security fix.

3. Implement Network Controls: As an interim mitigation, restrict network access to the Oracle Web Applications Desktop Integrator component using firewall rules or web application firewall (WAF) policies. Limit access to trusted IP addresses only.

4. Monitor for Exploitation: Review server logs for suspicious file upload activity, particularly requests to BneAbstractXMLServlet, and check for unexpected files in application directories.

5. Verify File Integrity: Conduct a file integrity check on critical system and application files to ensure no unauthorized modifications have occurred prior to patching.
