Oracle Security Alert for CVE-2022-21500
20-05-2022
Oracle recently published a Security Alert (https://www.oracle.com/security-alerts/alert-cve-2022-21500.html) detailing a CRITICAL security flaw in EBS 12.1 and 12.2. The patch will arrive on June 15th 2022. MCX strongly encourages you to apply the manual mitigation from MOS note 2870472.1. Test it on a non-production environment first!
To prevent users from accessing PII, perform the following workaround steps:
Log in as a system administrator and navigate to User Management > Proxy Configuration > Privileges.
In the Proxy Delegation Privilege page, select the Users with the Selected Roles or Responsibilities option, thereby deselecting the All Users option.
Click Apply.
Additionally, if you are not using Oracle iStore and you have implemented the Allowed Resources feature in Oracle E-Business Suite, you should disable Oracle iStore in Allowed Resources. See Allowed Resources, Oracle E-Business Suite Security Guide.
Impact of the Workaround
After you deselect the All Users option for proxy delegation privileges, users will no longer be able to manage proxies, though existing proxy definitions will continue to work as usual. If necessary, you can optionally enable proxy delegation privileges for users of a specific role or responsibility. See Giving a User Delegation Privileges, Oracle E-Business Suite Security Guide.
You can contact MCX if you have any questions about this.