Oracle released an out-of-cycle security alert on May 19, 2022 for Oracle E-Business Suite (EBS) to address an information disclosure security vulnerability. The vulnerability is being actively exploited in externally accessible Oracle EBS environments running modules such as iSupplier, iStore, iRecruitment, and iSupport. This vulnerability is exploitable in all Oracle EBS versions including 12.0 and 11.5 even though these versions are not listed in the Oracle advisory. This vulnerability may allow an unauthenticated user to view all the Oracle EBS users through the application Manage Proxies page, which displays username, first name, last name, and e-mail address in a list of values (LOV).

This analysis reviews the vulnerability and provides recommendations on mitigating the vulnerability in your Oracle EBS environment.

Integrigy hosted a webinar providing additional information regarding this vulnerability titled "Why Did a 100 Hackers Just Attack My Oracle E-Business Suite Environment" [Presentation].

CVE-2022-21500 Why Did a 100 Hackers Just Attack My Oracle E Business Suite Environment

Vulnerability, Information Disclosure, Oracle E-Business Suite