Oracle Security Alert for CVE-2022-21500
20-05-2022
Oracle recently published https://www.oracle.com/security-alerts/alert-cve-2022-21500.html, concerning a CRITICAL vulnerability in EBS 12.1 and 12.2. The patch will not be available until 15 June 2022. MCX therefore strongly recommends performing the manual steps from MOS note 2870472.1. Test the workaround in a non-production environment first!
To prevent users from accessing PII, perform the following workaround steps:
Log in as a system administrator and navigate to User Management > Proxy Configuration > Privileges.
In the Proxy Delegation Privilege page, select the Users with the Selected Roles or Responsibilities option, thereby deselecting the All Users option.
Click Apply.
Additionally, if you are not using Oracle iStore and you have implemented the Allowed Resources feature in Oracle E-Business Suite, you should disable Oracle iStore in Allowed Resources. See Allowed Resources, Oracle E-Business Suite Security Guide.
Impact of the Workaround
After you deselect the All Users option for proxy delegation privileges, users will no longer be able to manage proxies, though existing proxy definitions will continue to work as usual. If necessary, you can optionally enable proxy delegation privileges for users of a specific role or responsibility. See Giving a User Delegation Privileges, Oracle E-Business Suite Security Guide.
Contact MCX if you have any questions.