Oracle E-Business Suite environments may be vulnerable to the recently disclosed “POODLE” SSLv3 vulnerability (CVE-2014-3566) depending on where SSL termination is performed for the application. Integrigy believes this to be a low to medium risk issue for Oracle E-Business Suite customers, especially those with Internet facing DMZ nodes. The primary impact would be a “man in the middle” attack between an Oracle E-Business Suite user (such as in a coffee shop) and the application. This would allow the attacker to view all traffic between the user and the application, including the user’s Oracle EBS password.
Integrigy has confirmed all currently supported versions of the Oracle E-Business Suite (EBS) are vulnerable if the standard Oracle EBS SSL configuration is used and the SSL termination is performed natively by the Oracle E-Business Suite.
Oracle E-Business Suite may also be vulnerable to the POODLE vulnerability if a load balancer (such as F5 BIG-IP) or a reverse proxy is used as the SSL termination point and SSLv3 is configured. Our testing of Oracle E-Business Suite environments showed 95% have SSLv3 configured, thus vulnerable.
For more information, please see Integrigy's in-depth security analysis of the POODLE SSLv3 vulnerability impact on Oracle E-Business Suite.
|Integrigy - SSLv3 POODLE (CVE-2014-3566) and Oracle E-Business Suite Impact v1.pdf||166.66 KB|