“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.
The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the announcement stated.
Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed “critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”
The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).
If left unpatched, these vulnerabilities have the potential to allow remote code execution and DoS. Disrupting a critical service such as an ERP system makes this attack a critical one, since it affects the availability, confidentiality and integrity of the data.
“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.