
Onapsis Security Advisory

Oracle E-Business Suite


Stored Cross-Site Scripting

☐ Low Risk ☐ Medium Risk ☒ High Risk ☐ Critical Risk

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users
connected to the system.

Advisory Information
Public Release Date: 5/24/2018
Security Advisory ID: ONAPSIS-2018-020
Onapsis SVS ID: 00612
CVE: CVE-2017-10325
Researcher: Martin Doyhenard
Vendor Provided CVSS v3: 8.2 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
Onapsis CVSS v3: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
Onapsis Security Advisory | Advisory Title
info@onapsis.com | www.onapsis.com

Vulnerability Information
Vendor: Oracle
Affected Components: Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Oracle Common Applications Calendar (Applications Calendar)
Vulnerability Class: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Remotely Exploitable: Yes
Locally Exploitable: No
Authentication Required: No

Affected Components Description


Oracle E-Business Suite has more than 8,000 Java Server Pages (JSP) files and 200 servlet services which
interact with the web listener and the data server. The vulnerability exists in the Oracle Common
Applications Calendar Product and Applications Calendar component.

Vulnerability Details
A remote unauthenticated attacker could use a specific JSP file to execute arbitrary code. This file accepts
parameters that are neither validated nor encoded before they are used.
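The following Java class is an added illustration of the defect class described above (a request parameter that reaches an HTML page without validation or output encoding) beside a hardened version that validates on input and encodes on output. It is not code from the advisory or from Oracle E-Business Suite; the class name, the "event title" parameter and the markup are assumptions made for the example.

```java
// Added example, not from the advisory or from Oracle's code. The class name,
// parameter and markup are hypothetical; the pattern is the point.
import java.util.regex.Pattern;

public class CalendarEventPage {

    // Vulnerable pattern: the raw parameter value is concatenated into the markup,
    // so any HTML or script characters it contains are interpreted by the browser.
    static String renderUnsafe(String eventTitle) {
        return "<h2>Event: " + eventTitle + "</h2>";
    }

    // Output encoding: escape the characters that can change HTML context.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Input validation: a conservative allow-list for this field. Anything else is
    // rejected before it is stored, so bad data never reaches the rendering step.
    private static final Pattern TITLE_ALLOWED =
            Pattern.compile("[A-Za-z0-9 .,'-]{1,120}");

    static boolean isValidTitle(String s) {
        return s != null && TITLE_ALLOWED.matcher(s).matches();
    }

    // Hardened pattern: validate on the way in, encode on the way out. Both layers
    // are kept because stored values may have entered through another code path.
    static String renderSafe(String eventTitle) {
        if (!isValidTitle(eventTitle)) {
            throw new IllegalArgumentException("Rejected event title");
        }
        return "<h2>Event: " + encodeForHtml(eventTitle) + "</h2>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup characters.
        String input = "Board review <b>Q3</b> & \"budget\"";
        System.out.println(renderUnsafe(input));   // markup passes through untouched
        System.out.println(encodeForHtml(input));  // markup becomes literal text
        System.out.println(isValidTitle(input));   // false: rejected by the allow-list
        System.out.println(isValidTitle("Board review Q3 budget")); // true
        System.out.println(renderSafe("Board review Q3 budget"));
    }
}
```

Compile and run with `javac CalendarEventPage.java && java CalendarEventPage`. The first printed line shows why an unencoded parameter is a stored or reflected XSS sink; the second shows the same input rendered harmlessly once encoded. The allow-list is deliberately strict for the assumed field; in a real application the pattern is chosen per parameter and the encoder is taken from a maintained library rather than hand-written.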

Solution
Implement the patch from the Oracle Critical Patch Update released in October 2017, or any later Critical Patch Update.

Report Timeline
4/21/2017 Onapsis provides vulnerability information to Oracle.
10/17/2017 Oracle releases the Critical Patch Update in October 2017 fixing the vulnerability.
5/24/2018 Onapsis releases the security advisory.


The first cybersecurity solution that automates vulnerability management, insider/outsider threat detection and
response, and audit/compliance monitoring for SAP and Oracle systems.

As the pioneer in business-critical application security, global enterprises trust Onapsis to proactively protect the
essential systems, information and processes that help them run their businesses.

Onapsis Security Platform


By partnering with Onapsis, your enterprise can unlock new security and
compliance capabilities in three key areas:

Automate

• Continuous vulnerability scanning with alerts to proactively identify and bring attention to misconfigurations,
insider and outsider threats

• Improve work flows to reduce resources committed to audit and compliance data tasks

• Compensating controls help satisfy regulators and maintain compliance between audits

Integrate

• Implementation and customer success services accelerate the maturity of an enterprise's cybersecurity organization

• Custom data links feed your existing SIEM tools, such as Splunk and QRadar, to provide a unified view of risk

• SAP-certified add-on assures BASIS teams of system compatibility

Anticipate

• Onapsis Research Labs provides industry-defining threat intelligence to prepare you for what's next

• Research feeds development of new features to address emerging needs

• More than 350 SAP and Oracle vulnerabilities reported to-date


About Onapsis Research Labs


SAP and Oracle security threat intelligence is produced by Onapsis Research Labs, a team of recognized
security experts who help the industry and our customers stay on the leading edge of ERP cybersecurity.
Over 90% of all SAP Security Notes to-date were released after the founding of Onapsis in 2009.

The Onapsis Research Labs:


• Worked hand in hand with the DHS to release the first DHS CERT-Alert for SAP Business Applications

• Have released over 150 SAP and Oracle Security Advisories to-date

• Are responsible for reporting more than 500 SAP and Oracle vulnerabilities to-date including over 100 for SAP HANA

• Regularly deliver research on the top 10 attack vectors affecting SAP Business Objects, SAP HANA, SAP Mobile, SAP
ABAP, J2EE Portals, Oracle JD Edwards and Oracle E-Business Suite

About Onapsis, Inc.


Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000.
Onapsis's solutions are also the de-facto standard for leading consulting and audit firms such as Accenture,
Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-
Critical Systems and Applications,” which describes certain algorithms and capabilities behind the
technology powering the Onapsis Security Platform™. This patented technology is well known, industry
wide, and has gained Onapsis recognition on the Deloitte Technology Top 500, as a Red Herring North
America Top 100 company and a SINET 16 Innovator.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.
