Oracle E-Business Suite - Multiple Vulnerabilities

Multiple security vulnerabilities have been corrected in the Oracle Business
Suite 11i and R12 as part of July 2007 Oracle Critical Patch Update (CPU).
All Internet accessible environments should prioritize patch 6045931
(APPS04/05/06) in order to correct multiple vulnerabilities in the On-line
help or temporarily disable the help functionality using the Oracle supplied
"URL Firewall".

APPS01 / CVE-2007-3865
Customer Intelligence (BIC) (R12 only)
SQL Injection

APPS02 / CVE-2007-3866
Configurator (CZ)
Cross Site Scripting

APPS03 / CVE-2007-3866
Internet Expenses (AP)
Cross Site Scripting

APPS04 / CVE-2007-3867
APPS05 / CVE-2007-3867
APPS06 / CVE-2007-3867
On-line Help (FND)
SQL Injection, Cross Site Scripting (multiple), Information Disclosure

APPS07 / CVE-2007-3867
Customer Intelligence (BIC)
SQL Injection

APPS08 / CVE-2007-3867
iPayment (IBY)
Information Disclosure

APPS09 / CVE-2007-3866
Application Object Library (FND)
SQL Injection

APPS10 / CVE-2007-3867
Human Resources (PER)
SQL Injection

See the Oracle Critical Patch Update July 2007 Advisory for exact versions
and CVSS base metric scores.

Fix: Apply the patches as directed in Oracle Metalink Note ID 432882.1.

Credit: These vulnerabilities were discovered by Stephen Kost and Jack
Kanter of Integrigy Corporation

For more details on the impact of the July 2007 CPU on Oracle E-Business
Suite implementations, see Integrigy's analysis of the CPU at -

http://www.integrigy.com/oracle-cpu-july-2007

Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.

For more information or questions regarding these vulnerabilities or
remediation steps, please contact us at [email protected].