All Oracle E-Business Suite environments are vulnerable to the “Shellshock” Bash vulnerabilities (CVE-2014-6271 and CVE-2014-7169) if the underlying operating system has not been patched for these vulnerabilities.  Integrigy believes this to be a serious issue for Oracle E-Business Suite customers, especially those with Internet facing DMZ nodes.

Integrigy has confirmed all currently supported versions of the Oracle E-Business Suite are vulnerable and exploitable through an unauthenticated web application session.  The following versions of the Oracle E-Business Suite all make use of CGI within the Apache HTTP server which exposes them to the “Shellshock” vulnerability:

  • Oracle E-Business Suite 11.5.10
  • Oracle E-Business Suite 12.0
  • Oracle E-Business Suite 12.1
  • Oracle E-Business Suite 12.2

Integrigy is actively researching the vulnerabilities and further information will shortly be forthcoming.

The fix for these vulnerabilities is operating system specific and does not require the Oracle E-Business Suite or the Oracle Application Server to be patched.  Either the underlying operating system must be patched or access to the CGI web pages within the Oracle E-Business Suite must be blocked.  Oracle has released patches for Oracle Linux and Oracle Solaris.

Please note that several vendors released fixes to the Bash shell which were incorrect and did not resolve the underlying issue.  CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fixes.
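Because the fix is operating-system specific and some early vendor patches were incomplete, a practitioner will want to confirm on each E-Business Suite application tier node (DMZ nodes first) that the installed Bash closes both CVEs. The script below is an added example, not Integrigy's code or tooling; it uses the publicly documented test strings for each CVE and assumes Bash is on PATH (override with the BASH_BIN environment variable).

```shell
#!/bin/sh
# Added example, not part of the Integrigy advisory: confirm that the Bash
# binary on an EBS application tier node is patched for CVE-2014-6271 and
# CVE-2014-7169. Exit codes: 0 = both fixed, 1 = vulnerable, 2 = no bash.
BASH_BIN="${BASH_BIN:-bash}"   # assumption: bash is on PATH, or set BASH_BIN

# CVE-2014-6271: commands placed after an exported function body must not
# run when bash starts. Returns 0 if patched, 1 if vulnerable.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first, incomplete fix left a parser bug that lets a
# malformed exported function redirect the next command into a file named
# "echo". Runs in a throwaway directory so nothing lands in the caller's
# cwd. Returns 0 if patched, 1 if vulnerable.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Returns 0 only when both CVEs are fixed, 1 if either is still present,
# 2 if no bash binary can be found.
shellshock_status() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    check_cve_2014_6271 || return 1
    check_cve_2014_7169 || return 1
    return 0
}

# Human-readable report; run on every EBS application tier node.
report() {
    if shellshock_status; then
        echo "bash is patched for CVE-2014-6271 and CVE-2014-7169"
    elif [ $? -eq 2 ]; then
        echo "bash not found at '$BASH_BIN'"
    else
        echo "bash is VULNERABLE: apply the OS vendor patch or block CGI access"
    fi
}

report
```

A clean result here only covers the Bash binary itself; the CGI pages in the Apache tier still need to be blocked or the OS patch applied on every node that serves them.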

For AppDefend customers, Integrigy has updated the AppDefend ruleset to block exploitation of these vulnerabilities in the Oracle E-Business Suite.

If you have questions, please contact us at info@integrigy.com.
