[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT

Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor: Oracle
Bugs: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Dmitry Chastuhin (ERPScan)

VULNERABILITY INFORMATION

Class: SQL injection
Impact: read sensitive data, modify or delete data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-3549

CVSS Information

CVSS Base Score v3: 9.1 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

The code comprises an SQL statement containing strings that can be altered by an attacker. The manipulated SQL statement can then be used to retrieve additional data from the database or to modify data without authorization.

VULNERABLE PACKAGES

Oracle EBS 12.2.3

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply Oracle CPU April 2017.
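
Where the CPU cannot be applied immediately, web-tier access logs can be triaged for requests to iesfootprint.jsp, the JSP named in the technical description. The Python script below is an added example, not part of the ERPScan advisory or of Oracle's code; it assumes Apache combined-format logs, and the request path, parameter name and log lines in it are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed log format: Apache "combined"; only client, request line and status are used.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Generic SQL syntax markers (heuristic, not exhaustive): quote, comments, concatenation, keywords.
SUSPICIOUS = re.compile(r"'|--|/\*|\|\||\b(?:union|select)\b", re.IGNORECASE)
TARGET = "/iesfootprint.jsp"  # JSP named in the advisory; matched by file name, any directory

# Constructed sample lines: path prefix, parameter name, addresses and times are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2017:10:00:01 +0000] "GET /EXAMPLE/iesfootprint.jsp?param=42 HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Mar/2017:10:02:13 +0000] "GET /EXAMPLE/iesfootprint.jsp?param=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '192.0.2.55 - - [01/Mar/2017:10:02:20 +0000] "GET /EXAMPLE/iesfootprint.jsp?param=1%2527 HTTP/1.1" 500 230',
    '192.0.2.10 - - [01/Mar/2017:10:03:00 +0000] "GET /EXAMPLE/other.jsp?q=o%27brien HTTP/1.1" 200 300',
]

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is inspected as well."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(lines):
    """Return (line_no, client, status, verdict) for every request to the JSP."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue
        path, _, query = m["uri"].partition("?")
        # Drop any ";jsessionid=..." suffix and compare case-insensitively.
        if not decode(path).split(";")[0].lower().endswith(TARGET):
            continue
        verdict = "suspicious" if SUSPICIOUS.search(decode(query)) else "review"
        hits.append((no, m["ip"], m["status"], verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

Lines marked review carry no SQL syntax in the query string but still reached the JSP; POST bodies are not recorded in access logs, so those requests need a closer look.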

TECHNICAL DESCRIPTION

Proof of Concept

The vulnerable JSP is iesfootprint.jsp.

Approximate request with SQL injection