Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU) and has been assigned the CVE tracking identifier CVE-2015-0393.  The problem may impact all Oracle E-Business Suite versions including 11.5, 12.0, 12.1, and 12.2.  Recent press reports have labeled this vulnerability as a “major misconfiguration flaw.”  The security issue is actually broader than just the INDEX privilege that is being reported in the press and there may be at least four independent attack vectors depending on the granted privileges.

Integrigy estimates less than 10% of all Oracle E-Business Suite environments are vulnerable to this security issue based on our previous assessments of production environments.  Integrigy has been tracking this issue and checking for it in Oracle E-Business Suite environments since 2007 – we have only identified the problem during a small fraction of our assessments.  Vulnerable environments have included, 12.0.x, and 12.1.3 and most Oracle E-Business Suite Vision demonstration environments.  Most likely, the problem is introduced into the environment during a maintenance operation as it is not found in a fresh installation of the Oracle E-Business Suite.  See the Background section of this document of more information.

This security issue is resolved by revoking the excessive privileges from the SYS.DUAL table by either (1) applying the January 2015 CPU patch or (2) manually revoking the grants.

IMPORTANT NOTE: Prior to applying the January 2015 CPU patch or manually revoking the grants, database patch 19393542 must be applied to prevent possible timestamp corruptions.

Integrigy has published detailed information regarding how to validate if this vulnerability exists in your environment and remediation instructions.

Vulnerability, Oracle E-Business Suite, Security Analysis