Oracle released an out-of-cycle security alert, CVE-2025-61884, on Saturday, October 11, 2025, and provided My Oracle Support (MOS) Note ID 3107176.1 with generic instructions on securing Oracle E-Business Suite (EBS). On Sunday night, Oracle updated the MOS Note with two patches to address the two security vulnerabilities that comprise the publicly disclosed exploit impacting Oracle EBS. This is a different attack chain than the one being used in the Clop extortion attacks (CVE-2025-61882).

As the number of patch downloads for the CVE-2025-61884 security alert is 10x lower than for CVE-2025-61882, we believe many Oracle customers reviewed the CVE-2025-61884 advisory on Sunday morning and have not noticed the update with the new patches.

The first patch (12.2 = 38512809:R12.CZ.C and 12.1 = 38512809:R12.CZ.B) implements the new Allowed Return URLs feature for Oracle Configurator. Allowed Return URLs controls which URLs a user may be directed back to. This patch is required if you are using Configurator. If you are not using Configurator, you must block access to all Configurator functionality, especially on all external servers, using the Oracle EBS URL Firewall or Integrigy AppDefend with the OAPermit rule. For internal servers, use the Oracle EBS Allowed Resources or Integrigy AppDefend with the OAPermit rule.

The second patch (12.2 = 37614922:R12.IES.C and 12.1 = 37614922:R12.IES.B) stubs out the "ieshostedsurvey.jsp" file. Oracle EBS versioning does not allow files to be deleted, because a deleted file may be re-added when a later patch that includes the file is applied. Thus, files are "stubbed" out, which means the file consists only of the version header and all source code is removed. This file was removed as part of the April 2025 Critical Patch Update, and the IES patch does not need to be applied if the April 2025 CPU patch has been applied. To verify, view the file $OA_HTML/ieshostedsurvey.jsp to confirm it contains only header comments and a version control header ("$Header: ieshostedsurvey.jsp 120.0.12020000.2 2025/03/04").
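The verification described above can be scripted across application tier nodes. The following is an added example, not Oracle's or Integrigy's code; it assumes the stub contains only JSP (`<%-- --%>`) or HTML (`<!-- -->`) comments, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a JSP as stubbed (comments + $Header only) or not.
# Assumption: the stub uses JSP (<%-- --%>) and/or HTML (<!-- -->) comments.

# Print what is left of file $1 after removing comments and whitespace.
residual() {
  awk '
    function strip(op, cl,   s, e, rest) {
      while ((s = index(buf, op)) > 0) {
        rest = substr(buf, s + length(op))
        e = index(rest, cl)
        if (e == 0) break            # unterminated comment: keep it as residual
        buf = substr(buf, 1, s - 1) substr(rest, e + length(cl))
      }
    }
    { buf = buf $0 "\n" }
    END {
      strip("<%--", "--%>")
      strip("<!--", "-->")
      gsub(/[ \t\r\n]/, "", buf)
      printf "%s", buf
    }' "$1"
}

# Print one of: MISSING, NO_HEADER, NOT_STUBBED, STUBBED
check_stub() {
  [ -f "$1" ] || { echo MISSING; return 0; }
  grep -q '\$Header:' "$1" || { echo NO_HEADER; return 0; }
  if [ -n "$(residual "$1")" ]; then echo NOT_STUBBED; else echo STUBBED; fi
}

# Constructed samples (not Oracle files) showing both outcomes offline.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '<%-- $Header: ieshostedsurvey.jsp 120.0.12020000.2 2025/03/04 --%>' > "$d/stub.jsp"
  printf '%s\n' '<%-- $Header: sample.jsp 0.0 --%>' '<% out.print(1); %>' > "$d/live.jsp"
  echo "$(check_stub "$d/stub.jsp") $(check_stub "$d/live.jsp")"
  rm -rf "$d"
}

# With the EBS environment sourced, check the real file; otherwise run the demo.
if [ -n "${OA_HTML:-}" ]; then
  f="$OA_HTML/ieshostedsurvey.jsp"
  echo "$f: $(check_stub "$f")"
  grep '\$Header:' "$f" 2>/dev/null | head -n 1   # compare with the version quoted above
else
  demo
fi
```

Any result other than `STUBBED` calls for a manual look at the file, since a comment style outside the stated assumption also yields `NOT_STUBBED`.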

If you have any questions or need further assistance, please contact us at info@integrigy.com.