CVE-2024-21075
📋 TL;DR
This vulnerability in the Claim Line LOV component of Oracle Trade Management (part of Oracle E-Business Suite) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful exploitation results in unauthorized access to critical data or complete access to all data that Oracle Trade Management can reach; the impact is to confidentiality only, with no integrity or availability impact described. Affected versions are 12.2.3 through 12.2.13.
💻 Affected Systems
- Oracle E-Business Suite, Oracle Trade Management (component: Claim Line LOV), versions 12.2.3 through 12.2.13
📦 What is this software?
Oracle Trade Management is the Oracle E-Business Suite module (product short code OZF) used to manage trade promotions: budgets, offers, customer claims and deductions, and their settlement. "Claim Line LOV" refers to a list-of-values (LOV) lookup for claim lines in that module; like the rest of the application it is served by the EBS web tier over HTTP.
⚠️ Risk & Real-World Impact
Worst Case
Complete read access to all data reachable by Oracle Trade Management, including claim, deduction and promotion budget records and the customer and financial information tied to them. The advisory describes no integrity or availability impact, so data modification or service disruption is not part of the worst case for this CVE on its own.
Likely Case
Unauthenticated read access to confidential trade management records, exposing negotiated terms, customer claims and settlement amounts.
If Mitigated
If the EBS web tier is reachable only from trusted networks, an attacker first needs a foothold on one of those networks. Segmentation and source restrictions reduce exposure but do not remove the flaw, so patching is still required.
🎯 Exploit Status
Oracle rates this vulnerability "easily exploitable": it needs no authentication and only HTTP reachability to the EBS web tier. Any Trade Management instance reachable from an untrusted network, especially the internet, should be treated as exposed. The advisory publishes no exploit details; do not wait for a public exploit before patching.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply patches from Oracle Critical Patch Update April 2024
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html
Restart Required: Yes
Instructions:
1. Download the April 2024 CPU patch for your Oracle E-Business Suite 12.2 release from My Oracle Support (patch numbers are listed in the CPU advisory linked above), along with any prerequisite patches named in its readme.
2. Apply it with the standard 12.2 online patching procedure (adop), following the readme.
3. Complete the adop cycle (finalize, cutover, cleanup) and restart the affected services.
4. Verify the patch was applied (see How to Verify below); the release number alone does not change when a CPU is applied.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Oracle E-Business Suite web tier (which serves Oracle Trade Management) to trusted sources only. On Linux with firewalld, replace TRUSTED_IP with your trusted source address or range and PORT_NUMBER with the web tier's listen port:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="PORT_NUMBER" accept'
firewall-cmd --reload
An accept rule only helps if the zone does not already accept that port from everywhere; check with firewall-cmd --list-all that no broader service or port rule opens it, and apply the same source restriction at the perimeter firewall or load balancer.
Web Application Firewall
Deploy WAF rules that allow requests to the Trade Management (OZF) Claim Line LOV pages only from trusted sources. The advisory does not name the vulnerable URL, so derive the URI pattern from your own access logs rather than guessing it, and prefer a source allow-list over signature-based blocking of "suspicious" requests, since no request signature for this flaw is published.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the EBS web tier, and with it Oracle Trade Management, from untrusted networks; do not expose it directly to the internet, and front remote access with a VPN or reverse proxy limited to known users
- Deploy intrusion detection/prevention systems and review web tier access logs for requests to Trade Management pages from unexpected sources
🔍 How to Verify
Check if Vulnerable:
Query the Oracle E-Business Suite release and compare it numerically against the affected range 12.2.3 through 12.2.13 (12.2.13 is in range; a string comparison would sort it before 12.2.3)
Check Version:
SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;
Verify Fix Applied:
RELEASE_NAME does not change when a CPU is applied, so the version query cannot confirm the fix. Check the patch inventory instead: on 12.2, confirm the adop cycle completed cutover and query the AD_BUGS table (or the AD patch reports) for the bug numbers listed in the April 2024 CPU patch readme
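The version comparison above is easy to get wrong when done on strings, because "12.2.13" sorts before "12.2.3" lexically. The following is an added example (not from the advisory or from Oracle) that parses a RELEASE_NAME value such as the one returned by the query above and compares it numerically against the affected range; the sample release strings are constructed.

```python
"""Numeric check of an EBS RELEASE_NAME against the CVE-2024-21075 affected range.

Added example, not Oracle code. It expects the string returned by
SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS (for example '12.2.10').
"""

AFFECTED_MIN = (12, 2, 3)   # first affected release named in the advisory
AFFECTED_MAX = (12, 2, 13)  # last affected release named in the advisory


def parse_release(release_name):
    """Turn '12.2.10' into (12, 2, 10); rejects anything that is not dotted integers."""
    parts = release_name.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised RELEASE_NAME: {release_name!r}")
    return tuple(int(p) for p in parts)


def is_affected(release_name):
    """True when the release falls in 12.2.3 .. 12.2.13 inclusive.

    Tuples compare element by element, so 12.2.13 is correctly above 12.2.3;
    a plain string comparison would put '12.2.13' before '12.2.3'.
    """
    version = parse_release(release_name)[:3]
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(release_name):
    """Verdict for an operator. An in-range release that already has the
    April 2024 CPU applied still reports the same RELEASE_NAME, so the
    verdict points at the patch check rather than declaring 'vulnerable'."""
    if is_affected(release_name):
        return "in affected range: confirm the April 2024 CPU patch is applied"
    return "outside affected range"


if __name__ == "__main__":
    # Constructed sample values, not output from a real system.
    for rel in ("12.2.3", "12.2.10", "12.2.13", "12.2.2", "12.1.3"):
        print(rel, "->", classify(rel))
```

Feed it the single value returned by the SQL query; it raises on anything that is not a dotted-integer release string rather than silently reporting "outside affected range".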
📡 Detection & Monitoring
Log Indicators:
- Web tier access log entries for Oracle Trade Management (OZF) pages, in particular Claim Line LOV requests, from source addresses outside your trusted ranges
- Successful (HTTP 200) responses to Trade Management requests that carry no established EBS session, where your logging makes that visible
- Bursts of repeated LOV requests or unusually large responses from a single source, which suggest bulk data extraction
Network Indicators:
- HTTP traffic to the EBS web tier from untrusted sources, especially the internet
- Scripted client user agents and high request rates against Trade Management URLs
SIEM Query (pseudo-query; adapt the field names, the URI pattern and the trusted-address list to your log source, since the advisory does not publish the vulnerable URL):
source="oracle-ebs" AND (uri="*claim*line*lov*" OR component="Trade Management") AND status="200" AND src_ip NOT IN (trusted_ips)
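To make the pseudo-query above concrete, here is an added example (not from the advisory and not Oracle code) that applies the same logic offline to web tier access logs: a 200 response to a Trade Management Claim Line LOV URI from a source outside the trusted ranges is a hit, and hits are summarised per source to spot bulk extraction. Everything specific is an assumption: the Combined Log Format, the /OA_HTML/ path and the "ozf"/"claim"/"lov" URI fragments, the trusted ranges, and the sample log lines, which are constructed.

```python
"""Offline check of the detection logic in the SIEM query for CVE-2024-21075.

Added example, not from the advisory. Assumptions: the EBS web tier (Oracle
HTTP Server) writes Combined Log Format access logs; Trade Management pages
are served under /OA_HTML/ and their URIs carry the product short code "ozf"
or the words "claim" and "lov". Derive SUSPECT_URI from your own logs.
"""
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumed trusted source ranges; replace with your corporate/VPN ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Assumed URI pattern for the Trade Management (OZF) Claim Line LOV component.
SUSPECT_URI = re.compile(r"^/OA_HTML/.*(ozf|claim.*lov|lov.*claim)", re.IGNORECASE)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [16/Apr/2024:09:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/ozf/claim/webui/ClmLinePG HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Apr/2024:09:00:05 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/ozf/claim/webui/ClmLinePG HTTP/1.1" 200 1234 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Apr/2024:09:00:06 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/ozf/claim/webui/ClmLinePG&lovId=2 HTTP/1.1" 200 5678 "-" "python-requests/2.31"',
    '198.51.100.9 - - [16/Apr/2024:09:00:07 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Apr/2024:09:00:08 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/ozf/claim/webui/ClmLinePG HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    'this line is not an access log entry',
]


def is_trusted(ip_str):
    """True if the address lies in one of the trusted ranges; unparseable input is untrusted."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_hits(lines):
    """Entries matching the SIEM logic: HTTP 200 to a Claim Line LOV URI from an untrusted IP."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not access log entries
        if rec["status"] == 200 and SUSPECT_URI.search(rec["uri"]) and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Requests and bytes served per untrusted source, to rank bulk-extraction candidates."""
    requests = Counter()
    volume = Counter()
    for rec in hits:
        requests[rec["ip"]] += 1
        volume[rec["ip"]] += rec["bytes"]
    return {ip: {"requests": requests[ip], "bytes": volume[ip]} for ip in requests}


if __name__ == "__main__":
    for ip, stats in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['requests']} Trade Management LOV hits, {stats['bytes']} bytes served")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Only 200 responses count, since a 403 or a redirect to the login page means the request did not reach the data; tune SUSPECT_URI against known-good traffic first so that ordinary authenticated use from untrusted ranges (for example a misconfigured proxy) does not flood the results.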