CVE-2017-10329
📋 TL;DR
This vulnerability in Oracle Global Order Promising allows unauthenticated attackers with network access via HTTP to compromise the system. Attackers can create, delete, or modify critical data, and access sensitive information without authorization. Affected versions include Oracle E-Business Suite 12.1.1 through 12.2.7.
💻 Affected Systems
- Oracle E-Business Suite
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Oracle Global Order Promising data including unauthorized creation, deletion, modification of all accessible data, and exposure of all sensitive information.
Likely Case
Unauthorized access to critical business data, potential manipulation of sales orders and promising data, leading to business disruption and data integrity issues.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthenticated external access to vulnerable components.
🎯 Exploit Status
CVSS indicates easily exploitable (AC:L) with no authentication required (PR:N) and no user interaction (UI:N), suggesting simple exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Oracle Critical Patch Update October 2017 or later
Vendor Advisory: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Restart Required: Yes
Instructions:
1. Download the October 2017 Critical Patch Update from Oracle Support.
2. Apply the patch to affected Oracle E-Business Suite instances.
3. Restart application services.
4. Test functionality of the Global Order Promising component.
🔧 Temporary Workarounds
Network Access Restriction
Platform: Linux. Restrict network access to Oracle E-Business Suite instances to only trusted IP addresses and networks.
Use firewall rules to limit access (the ACCEPT rule must come before the DROP rule):
iptables -A INPUT -p tcp --dport <ebs-port> -s <trusted-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <ebs-port> -j DROP
Application Firewall Rules
Platform: all. Implement web application firewall rules to block suspicious requests to Reschedule Sales Orders endpoints.
Configure the WAF to block unauthenticated requests to /OA_HTML/* or similar Global Order Promising paths.
🧯 If You Can't Patch
- Isolate Oracle E-Business Suite instances in a separate network segment with strict access controls
- Implement additional authentication layer (reverse proxy with authentication) in front of vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Oracle E-Business Suite version and patch level, and verify whether the October 2017 CPU has been applied.
Check Version:
Check the application version:
- 12.1.x (database query): SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;
- 12.2.x: adop version
Verify Fix Applied:
Verify patch application through the Oracle OPatch utility:
opatch lsinventory | grep -i 'CPUOct2017'
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to Reschedule Sales Orders endpoints
- Unusual data modification patterns in Global Order Promising logs
- HTTP requests to /OA_HTML/* paths without session cookies
Network Indicators:
- Unusual HTTP traffic patterns to Oracle E-Business Suite on standard ports (8000, 443)
- Requests to known vulnerable endpoints without authentication headers
SIEM Query:
source="oracle-ebs-logs" AND (uri_path="/OA_HTML/*" OR component="Global Order Promising") AND (user="-" OR auth_status="failed")
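The log indicators above (and the WAF rule in the workarounds section) boil down to one test: a request to an /OA_HTML/* path that carries neither an authenticated user nor a session cookie. The script below applies that test to access-log lines and rolls findings up per source address. It is an added example written for this page, not part of the original advisory or of any Oracle tooling: the combined-style log format with the Cookie header appended, the session cookie names, the sample entries and the /OA_HTML/OA.jsp?page=... paths are constructed assumptions and must be adapted to the real front-end logs.

```python
"""Flag unauthenticated requests to /OA_HTML/* in EBS front-end access logs.

Added example, not from the advisory. Log format, cookie names and sample
lines are constructed assumptions; adjust LOG_RE and SESSION_COOKIE_MARKERS
to match the actual access-log format of the EBS web tier.
"""
import re
from dataclasses import dataclass

# Assumed format: combined-style access log with the Cookie header appended
# in quotes, e.g.  src - user [ts] "METHOD path HTTP/1.1" status bytes "cookies"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<cookie>[^"]*)"$'
)

# Cookie names that indicate an established EBS session (assumption).
SESSION_COOKIE_MARKERS = ("JSESSIONID", "oracle.uix")

# Path prefix named in the advisory's log indicators.
WATCHED_PREFIX = "/OA_HTML/"


@dataclass
class Finding:
    src: str
    path: str
    reason: str


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_session_cookie(cookie_header: str) -> bool:
    return any(marker in cookie_header for marker in SESSION_COOKIE_MARKERS)


def analyse(lines):
    """Mirror of the SIEM query: watched path AND no user AND no session cookie."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIX):
            continue
        if rec["user"] == "-" and not has_session_cookie(rec["cookie"]):
            findings.append(Finding(rec["src"], rec["path"],
                                    "unauthenticated request to OA_HTML path"))
    return findings


def threshold_sources(findings, minimum=3):
    """Sources with at least `minimum` findings; a cheap way to cut noise."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return {src: n for src, n in counts.items() if n >= minimum}


# Constructed sample log; addresses and page names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - jsmith [18/Oct/2017:09:15:01 +0000] "GET /OA_HTML/OA.jsp?page=/placeholder/MrpPage HTTP/1.1" 200 5120 "JSESSIONID=9f1c2a; oracle.uix=0_0"',
    '203.0.113.7 - - [18/Oct/2017:09:16:22 +0000] "POST /OA_HTML/OA.jsp?page=/placeholder/MrpPage HTTP/1.1" 200 88 ""',
    '203.0.113.7 - - [18/Oct/2017:09:16:23 +0000] "GET /OA_HTML/OA.jsp?page=/placeholder/MrpPage HTTP/1.1" 200 412 ""',
    '203.0.113.7 - - [18/Oct/2017:09:16:25 +0000] "GET /OA_HTML/RF.jsp?function_id=placeholder HTTP/1.1" 200 77 ""',
    '10.0.0.5 - - [18/Oct/2017:09:17:10 +0000] "GET /OA_HTML/RF.jsp?function_id=placeholder HTTP/1.1" 200 300 "JSESSIONID=9f1c2a"',
    '10.0.0.9 - - [18/Oct/2017:09:18:00 +0000] "GET /OA_MEDIA/logo.gif HTTP/1.1" 200 1201 ""',
]

if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for h in hits:
        print(f"{h.src}  {h.path}  {h.reason}")
    print("repeat offenders:", threshold_sources(hits))
```

Only the three requests from 203.0.113.7 are reported: the first line carries a named user and the fifth carries a session cookie even though the user field is "-", so both count as authenticated, and the sixth is outside the watched prefix. When wiring this into a SIEM, keep the per-source threshold; a single cookie-less hit on /OA_HTML/ is common for the login page itself.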
🔗 References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/101300
- http://www.securitytracker.com/id/1039592