Oracle’s July 2019 CPU Patches Three Critical Vulnerabilities in E-Business Suite Reported by Onapsis

Six of 13 Total EBS Vulnerabilities Reported by Onapsis. Four in Oracle Payments.

In this blog post we will cover:

  • Four Critical Bugs in Payments Module reported by Onapsis.
    • These critical vulnerabilities put sensitive data at risk, such as credit card or bank accounts, among other confidential information that may be stored in the database
  • Unrestricted Upload in EBS Payments.
    • This exploit allows an attacker to remotely overwrite files, potentially allowing a remote code execution and/or a DoS in EBS
  • Other Payments Bugs Reported by Onapsis.
    • Three additional vulnerabilities were reported by Onapsis
  • Critical Reflected Server-Side Request Forgery.
    • If exploited, the attacker could perform a DoS attack or use of a Java Applet in the controlled response to compromise the victim’s browser and E-Business Suite (EBS) session
  • Other Bugs Reported By Onapsis.
    • An additional vulnerability leading to a client-side attack, once the session is stolen it has access to the EBS system
  • Highlights of Oracle July’s CPU.
    • Oracle’s third CPU of the year includes 319 patches for 25 different products, including 13 patches for EBS

Today Oracle released its July 2019 quarterly Critical Patch Update and it includes several security fixes for vulnerabilities reported by the Onapsis Research Labs. From the six different patches that were originally reported by our team, three of them address critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years. Onapsis has reported almost half of the bugs fixed in EBS in this CPU, as we continue to help the biggest ERP vendors in the world secure vulnerabilities before an attacker can exploit them.

Four of the bugs reported by Onapsis were found in EBS Payments module, where sensitive data such as credit card and/or bank accounts is stored. Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity, confidentiality and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.

Four Critical Bugs in Payments Module Reported by Onapsis
The Payments module is the centralized payment processing engine for the entire Oracle E-Business Suite. Oracle Payments was introduced in version 12 to consolidate all payment processing for transactions with clients and vendors. Whereas prior to version 12, modules such as Accounts Payable and Accounts Receivable each defined and processed bank accounts and credit cards separately, the Payments module now consolidates all customer and bank account and credit card processing into one place.

With the July 2019 CPU, Onapsis reported four (4) CVEs for the Oracle EBS Payments module. While Oracle rated only one (CVE-2019-2775) as a critical bug with a CVSS score of 9.1, Onapsis advises that any issue potentially placing client payment data at risk (bank accounts and/or credit cards) should be considered a serious risk.

The four Payments CVEs reported by Onapsis are:

  • CVE-2019-2775 (9.1) Unrestricted File Upload
  • CVE 2019-2782 (7.5) Arbitrary File Access
  • CVE-2019-2783 (5.8) Server Side Request Forgery
  • CVE-2019-2773 (5.8) XML External Entity Injection

Besides patching immediately, Onapsis recommends ensuring that the optional Payments functionality is encrypting at-rest client bank account and credit card information. For those clients using the Onapsis Security Platform (OSP), OSP supports both checking if the latest security patches have been applied as well as if the optional functionality for encrypting client bank accounts has been enabled.

Unrestricted Upload in EBS Payments
Onapsis reported CVE-2019-2775 (CVSS of 9.1) for unrestricted upload in EBS Payments. This exploit allows an attacker to remotely overwrite files, potentially allowing a remote code execution and/or a Denial of Service in EBS.

Even though the security vulnerability exists in the Payments module, the successful exploitation of it could give an attacker access not only to Payments but to the entire EBS environment. To further detail this exploit, due to a lack of sanitization checks, CVE-2019-2775 allows for several technical attack vectors, including:

  • By using simple Path Traversal techniques, an attacker could overwrite (without authentication) different files in the server, compromising the integrity of all documents SysAdm user has access over.
  • An attacker could also leverage this vulnerability to write CGI system scripts. These scripts can then be run just by using a reference to them, allowing the attacker to execute remote custom code in the server without any authentication.
  • Finally, since it is possible to modify critical EBS documents, it is also possible to overwrite critical configuration files in the server (or even EBS executable files), which may lead to a system crash or fail, causing a Denial of Service attack.

Other Critical Payments Bugs Reported by Onapsis
Any vulnerability placing client bank account and credit card data at risk is a serious issue, certainly for any clients needing to meet compliance and legal mandates for safeguarding payment information. Besides CVE-2019-2775, Onapsis reported three additional vulnerabilities:

  • Arbitrary File Disclosure in EBS Payments (CVE-2019-2782, CVSS score of 8.6): If successfully exploited, this vulnerability allows an attacker to read any system file with ApplMgr (admin) privileges, which would allow, for example, access to critical files containing passwords and/or sensitive information (for example bank accounts) and potentially allowing the entire system to be compromised.
  • Server Side Request Forgery in Oracle EBS IBY (CVE-2019-2783, CVSS score of 5.8): Make requests from EBS to any other host:port, could be used to discover internal network resources that are initially not visible from the attackers perspective.
  • XXE in EBS Payments (CVE-2019-2773, CVSS score of 5.8): XML External Entities vulnerability allows an attacker to read system files with ApplMgr privileges or generate a Denial of Service.

Critical Reflected Server-Side Request Forgery
The bug with the highest CVSS score is another critical vulnerability reported by our team. Identified with CVE-2019-2828, it has a CVSS score of 9.6 and it is a reflected server-side request forgery over a vulnerable servlet. This servlet intends to retrieve the content of a web page. By registering a malicious server and specifically manipulating the web page URL in the request, an attacker may be able to generate two types of attacks.

The first one, without any authentication or user interaction, may disrupt all EBS services through a Denial of Service exploitation. By sending crafted requests, it is possible to make an Oracle EBS server connect with the malicious one, generating a connection that can be prepared to consume as many resources as possible.

The most critical attack can be performed leveraging the use of a Java Applet in the controlled response. This vulnerability works similar to cross-site scripting (XSS) which, by itself, may allow an attacker to compromise the victim’s browser and EBS session.

However, what makes this bug more interesting is the fact that, if an attacker includes an Applet resource in the XSS, the vulnerable server will act as a proxy, retrieving the malicious Java code to the victim. As a security policy, browsers and Java only accept to execute Applets that come from a trusted source, as this could perform critical and dangerous actions on the OS. Considering that EBS uses Applets for many of its daily used forms, it is safe to assume that this server would be in the trusted domain list.

So, when the attacker injects the reference to the malicious Applet in the XSS, the EBS server will retrieve it to the client. This would not happen in a regular XSS, where the Java code would be retrieved from a malicious untrusted source. As the victim browser will believe the Applet is coming from EBS, which is a trusted domain, it will be executed with no extra validations, resulting in a client side remote code execution.

onapsis.png

Other Bugs Reported By Onapsis
As mentioned before, Oracle patched a total of six EBS vulnerabilities reported by Onapsis Research Labs. In addition to the four Payments vulnerabilities and the other critical one already explained, the following patch was also released:

  • Reflected Cross-Site Scripting (CVE-2019-2829, CVSS score of 8.2): An attacker can compose a malicious URL containing JavaScript code that could hijack EBS client’s active sessions or credentials. Even though it is a client-side attack, once the session is stolen it has access to the EBS system.

Oracle July’s CPU summarized
July’s CPU contains a total of 319 new security fixes for several Oracle products. As mentioned, 13 of them directly affect Oracle EBS and there are 65 vulnerabilities in total affecting this platform, due to its stack including solutions such as Fusion Middleware or Database, among others:

  • Oracle EBS: 13 for Oracle EBS technology stack components (12 of these vulnerabilities may be remotely exploitable without authentication)
  • Oracle Database: 9 for Database (1 of these vulnerabilities may be remotely exploitable without authentication)
  • Oracle Middleware: 33 for Oracle Fusion Middleware (28 of these vulnerabilities may be remotely exploitable without authentication)
  • Oracle Java: 10 for Java (9 of these vulnerabilities may be remotely exploitable without authentication).

As Oracle mentioned in the CPU note, since last April 2019’s CPU, Oracle has released two Security Alerts for Oracle WebLogic Server: CVE-2019-2725 (April 29, 2019) and CVE-2019-2729 (June 18, 2019). This CPU already includes the fixes for the previously-released alerts from Oracle.

Consider that all the 13 vulnerabilities in this CPU affecting Oracle EBS directly affects all versions from EBS 12.1 to 12.2.8. This means that it is not enough to have the latest version available, you always need to install the CPU in your stack too.

The highest scores for some products in the CPU are 9.8 distributed in the following products: Oracle Database, Oracle Communications Applications, Oracle Construction and Engineering Suite, Oracle Enterprise Manager Products.

In summary, with the help of Onapsis, two critical vulnerabilities were patched this month in Oracle EBS. Both vulnerabilities allow remote command execution, one in any EBS client and the other directly on the server-side. Also, both can trigger a Denial of Service attack. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed by applying July’s Oracle CPU, in order to avoid malicious exploitation. Six of these 13 patches (46%) were originally reported by Onapsis Research Labs, who has helped Oracle patch critical fixes this month.

To learn more about the Oracle July 2019 CPU and best practices for applying the patches, we will be delivering a webinar on July 25 at 12 PM ET, where we will be sharing more details about this critical patch day. Join us here: Prioritizing and Applying Oracle’s July Critical Patch Update.