Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC. This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).
On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1. Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.
Integrigy has updated the information we provided on how to validate if this security flaw exists in your environment and how to remediate the issue based on the additional information provided by Oracle. The remediation can be done without applying the January 2015 CPU, but requires the database patch to be applied first.
For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)" for more information.