CVE-2024-21079

7.5 HIGH

📋 TL;DR

This vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV) allows an unauthenticated attacker with network access via HTTP to read data the application is supposed to protect. It affects Oracle E-Business Suite 12.2.3 through 12.2.13. Successful exploitation gives unauthorized access to critical Oracle Marketing data, up to complete read access to all data the Oracle Marketing module can reach; integrity and availability are not affected (CVSS 3.1 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Oracle Marketing
Versions: 12.2.3-12.2.13
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Campaign LOV (List of Values) component specifically. All installations within the version range are vulnerable unless patched.

📦 What is this software?

Oracle Marketing is the campaign management module of Oracle E-Business Suite (EBS), Oracle's on-premises ERP and CRM application suite. It is served through the EBS web tier, which is why the affected Campaign LOV (List of Values) component is reachable over HTTP.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all Oracle Marketing accessible data including sensitive customer information, campaign strategies, and marketing intelligence.

🟠

Likely Case

Unauthorized access to marketing campaign data, customer lists, and sensitive business information stored in the Campaign LOV component.

🟢

If Mitigated

Limited data exposure if proper network segmentation and access controls are implemented, though vulnerability remains present.

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access means any internet-facing instance is immediately vulnerable to data exfiltration.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this, but requires network access to the vulnerable system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle rates this as 'easily exploitable': it requires only network access via HTTP, with no authentication and no user interaction. No public exploit code is known at this time; treat that as a statement about disclosure, not about difficulty.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2024 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html

Restart Required: Yes

Instructions:

1. Download the April 2024 Critical Patch Update patches for Oracle E-Business Suite from My Oracle Support (the advisory page points to the EBS patch documents; later CPUs are cumulative and also contain this fix).
2. Apply the patch to each affected instance with adop, the EBS 12.2 online patching tool (prepare, apply, finalize, cutover, cleanup), following the README shipped with the patch.
3. The cutover phase restarts the application services; schedule it in a maintenance window.
4. Verify the patch is recorded as applied and that the fix works (see How to Verify below).

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all platforms

Restrict network access to the Oracle E-Business Suite web tier to trusted source addresses. Any Oracle Marketing URL reachable without a session is in scope, so restrict the web entry point itself, not only the marketing pages.

Use firewall rules to limit access to the EBS web entry port (8000 for HTTP by default; your TLS port, commonly 443, if TLS terminates in front of the web tier).

Application Firewall Rules

Applies to: all platforms

Put a web application firewall or reverse proxy in front of the web tier and block requests for Oracle Marketing (application short name AMS) Campaign LOV URLs from untrusted sources. The affected URL path is not published in the advisory, so derive the pattern from your own access logs rather than from a generic signature.

Log and alert on every request matching that pattern, including blocked ones, so exploitation attempts stay visible while the patch is pending.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Oracle Marketing from untrusted networks
  • Enable detailed logging and monitoring for all access to Campaign LOV components

🔍 How to Verify

Check if Vulnerable:

Confirm the instance is on 12.2.3 through 12.2.13 and that neither the April 2024 CPU nor any later CPU (Oracle CPUs are cumulative) has been applied. Review the adop patch application logs.

Check Version:

Read the release from the application administration console, or query the applications schema; in a standard install the release_name column of fnd_product_groups holds the EBS release.

Verify Fix Applied:

Confirm the April 2024 (or a later, cumulative) CPU patch for Oracle E-Business Suite is recorded as applied, then confirm from a network position without an EBS session that the Campaign LOV URL identified from your access logs no longer returns campaign data.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated HTTP requests to Campaign LOV endpoints
  • Unusual data access patterns from unexpected IP addresses
  • Large data retrieval from marketing tables

Network Indicators:

  • HTTP traffic to Campaign LOV URLs from unauthorized sources
  • Unusual data transfer volumes from Oracle Marketing ports

SIEM Query:

source="oracle-ebs" AND (uri="*campaign*lov*" OR uri="*marketing*") AND status=200 AND user="-"

Field names (source, uri, status, user) follow a Splunk-style access-log extraction; adjust them to your log source. In a default EBS deployment the access log's user field is "-" for nearly every request, because the application authenticates with its own session cookie rather than HTTP authentication, so user="-" does not by itself isolate unauthenticated traffic. Baseline instead on source address, request rate and response size per source, and exclude known administrative and integration hosts.
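As an added example that is not part of this page or of any Oracle tooling, the following Python script applies the logic of the query above to Oracle HTTP Server access-log lines. It assumes the combined log format, assumes (as the SIEM wildcards do) that the endpoint path contains "campaign" and "lov" or "marketing" since the advisory does not publish the path, uses the placeholder path /OA_HTML/campaign/lov in constructed sample lines, and treats 10.0.0.0/8 as the trusted internal range.

```python
"""Flag suspicious Campaign LOV access in Oracle HTTP Server (OHS) access logs.

Added example for this page; not Oracle code. Assumptions (not from the advisory):
  - the access log is in Apache/OHS combined format;
  - the vulnerable endpoint's path contains "campaign" and "lov" (or "marketing"),
    mirroring the SIEM wildcards; the real path must come from your own logs;
  - 10.0.0.0/8 is the trusted internal range for this instance.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (synthetic, combined-log format). The path
# /OA_HTML/campaign/lov is a placeholder, not the real Oracle endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2024:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Apr/2024:10:01:09 +0000] "GET /OA_HTML/campaign/lov?term=a HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2024:10:02:11 +0000] "GET /OA_HTML/campaign/lov?term=%25 HTTP/1.1" 200 91234 "-" "python-requests/2.31"
198.51.100.7 - - [16/Apr/2024:10:02:12 +0000] "GET /OA_HTML/campaign/lov?term=%25&start=500 HTTP/1.1" 200 90876 "-" "python-requests/2.31"
198.51.100.7 - - [16/Apr/2024:10:02:13 +0000] "GET /OA_HTML/campaign/lov?term=%25&start=1000 HTTP/1.1" 200 90455 "-" "python-requests/2.31"
203.0.113.9 - - [16/Apr/2024:10:03:00 +0000] "GET /OA_HTML/campaign/lov?term=x HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Mirrors the SIEM wildcards *campaign*lov* and *marketing* (assumed pattern).
TARGET_RE = re.compile(r"campaign.*lov|marketing", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def flag_events(entries, trusted_nets, large_bytes=50_000):
    """Return successful LOV/marketing requests from outside the trusted ranges.

    The user field is deliberately ignored: EBS authenticates with its own
    session cookie, so the access log shows "-" for authenticated users too.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for e in entries:
        if e["status"] != 200 or not TARGET_RE.search(e["path"]):
            continue
        src = ipaddress.ip_address(e["ip"])
        if any(src in net for net in trusted):
            continue
        hits.append(dict(e, large=e["bytes"] >= large_bytes))
    return hits


def summarize(hits):
    """Aggregate flagged requests per source address."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "large_responses": 0})
    for h in hits:
        s = per_ip[h["ip"]]
        s["requests"] += 1
        s["bytes"] += h["bytes"]
        s["large_responses"] += int(h["large"])
    return dict(per_ip)


def alert_sources(summary, min_requests=3):
    """Sources worth an alert: repeated LOV pulls or any unusually large response."""
    return sorted(
        ip for ip, s in summary.items()
        if s["requests"] >= min_requests or s["large_responses"] > 0
    )


if __name__ == "__main__":
    summary = summarize(flag_events(parse_log(SAMPLE_LOG), ["10.0.0.0/8"]))
    for ip in alert_sources(summary):
        print(ip, summary[ip])
```

To run it against a real log, feed the file contents to parse_log instead of SAMPLE_LOG and replace the placeholder pattern with the path you observe for the Campaign LOV component. The thresholds (50 kB per response, three requests per source) are starting points; tune them against a baseline of normal LOV traffic so that ordinary autocomplete lookups from the office range do not page anyone.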
