[ERPSCAN-17-024] DoS in Oracle E-Business Suite ANONYMOUSLOGIN

Application: Oracle E-Business Suite
Versions Affected: Oracle E-Business Suite 12.2.3
Vendor: Oracle
Bugs: DoS
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Alexey Tyurin (ERPScan), Ivan Chalykin (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: direct impact on availability
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3555

CVSS Information

CVSS Base Score v3: 7.5/10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

VULNERABILITY DESCRIPTION

An anonymous attacker can send many special requests to AnonymousLogin.jsp and cause a denial of service of the whole subsystem.

VULNERABLE PACKAGES

Oracle E-Business Suite 12.2.3

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

Vulnerable URL:

http://victim_ebs_server/OA_HTML/AnonymousLogin.jsp?i_1=1000&home_url=

An attacker can send multiple requests to the vulnerable JSP, incrementing the i_1 parameter on each request (1000, 1001, 1002, etc.).

As a result, after several hundred requests the main web app (OA_HTML/AppsLogin) stops working and displays the following errors:

“Failure of server APACHE bridge. No backend server available for connection…”

“The system has encountered an error when servicing the request, Please try again…”
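Defender's note, added to this advisory and not part of the ERPScan proof of concept: the request pattern above (one client walking i_1 upward against AnonymousLogin.jsp) is easy to spot in the web tier access log before the APACHE bridge error appears. The script below assumes the front end writes Apache combined log format; the 50-hits-per-60-seconds threshold, the client IPs and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (assumed for the EBS web tier front end).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_hit(line):
    """Return (ip, timestamp, i_1) for a hit on AnonymousLogin.jsp, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/OA_HTML/AnonymousLogin.jsp"):
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), parse_qs(url.query).get("i_1", [None])[0]

def find_abusers(lines, threshold=50, window=timedelta(seconds=60)):
    """Map client IP -> largest number of AnonymousLogin.jsp hits with distinct
    i_1 values seen inside any `window`, for clients reaching `threshold`.
    threshold/window are illustrative assumptions, not values from the advisory."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_hit(line)
        if rec:
            hits[rec[0]].append(rec[1:])
    abusers = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            distinct = {v for _, v in events[start:end + 1]}
            if len(distinct) >= threshold:
                abusers[ip] = max(abusers.get(ip, 0), len(distinct))
    return abusers

# Constructed sample log: one client walking i_1 from 1000 upward once per second,
# plus one ordinary AppsLogin request that must not be flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Apr/2017:10:00:{s:02d} +0000] "GET /OA_HTML/AnonymousLogin.jsp?i_1={1000 + s}&home_url= HTTP/1.1" 200 512'
    for s in range(60)
] + ['198.51.100.2 - - [18/Apr/2017:10:00:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048']

if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG))  # {'203.0.113.7': 60}
```

Flagged clients are candidates for rate limiting at the front end until the CPU April 2017 patch is applied; legitimate anonymous logins do not cycle through many distinct i_1 values from one source.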