Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)
Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC. This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU) and has been assigned the CVE tracking identifier CVE-2015-0393. The problem may impact all Oracle E-Business Suite versions including 11.5, 12.0, 12.1, and 12.2. Recent press reports have labeled this vulnerability as a “major misconfiguration flaw.” The security issue is actually broader than just the INDEX privilege that is being reported in the press and there may be at least four independent attack vectors depending on the granted privileges. Fortunately, this issue does not affect all Oracle E-Business Suite environments - Integrigy has only identified this issue in a few number of Oracle E-Business Suite environments in the last three years.
Integrigy has published information on how to validate if this security flaw exists in your environment and how to remediate the issue. The remediation can be done without apply the January 2015 CPU.
For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)" for more information.