# 🚨 CVE-2025-61884 — High-Risk Oracle EBS Configurator Info Disclosure
## *🌡️ CVE‑2025‑61884 — At a Glance*
```
╔════════════════════════════════════════════════════════════════╗
║ CVE: CVE-2025-61884 ▪ Severity: HIGH (Info Disclosure) ║
║ Product: Oracle E-Business Suite — Configurator Runtime UI ║
║ Impact: Unauthorized access to business/configuration data ║
╚════════════════════════════════════════════════════════════════╝
```
| ⚙️ Field | 📌 Summary |
| --------------: | :------------------------------------------------------------------------------ |
| CVE ID | **CVE-2025-61884** |
| Severity | High (CVSS ~7.5) — unauthenticated info disclosure |
| Affected | Oracle EBS 12.2.3 – 12.2.14 (Configurator Runtime UI) |
| Attack Vector | Network (HTTP), no credentials needed |
| Typical Outcome | Unauthorized access to configuration/business data, potential follow-on attacks |
---
# 🔬 What it *is*
> An unauthenticated attacker can craft HTTP requests to the Runtime UI, causing Oracle Configurator to return sensitive configuration or business data that should not be exposed.
```
[ Attacker ]
│ crafted HTTP requests
▼
[ Oracle Configurator Runtime UI ]
│ returns sensitive config/business data
▼
[ Data disclosed to attacker ]
```
---
# 🧩 Exploit Building Blocks
<img width="1920" height="958" alt="CVE-2025-61884-1" src="https://github.com/user-attachments/assets/c8ac7a93-6d2d-4d5b-a7df-a1c02663498f" />
* 🔗 SSRF-style requests (target internal API endpoints)
* 🔐 Missing authentication / access checks
* 📄 Endpoint returns sensitive config/business LOBs
* 🛡️ Exposure can enable follow-on attacks or data exfiltration
---
# 🕵️♀️ Indicators of Compromise (IOCs)
| 🔎 Category | 🔔 Example |
| ----------- | ------------------------------------------------------------------ |
| Network | Requests to Configurator Runtime UI from external/unexpected IPs |
| HTTP | Unusual query parameters, large response bodies, repeated probes |
| App logs | Successful unauthenticated access returning configuration payloads |
| DB | Unexpected reads of configurator tables/LOBs |
| Files | Exported JSON/XML files with sensitive configuration data |
---
# 🛠 Detection & Forensics
```
┌──────────────────────── DETECTION STEPS ─────────────────────────┐
│ 1) Review HTTP access logs for Configurator Runtime UI calls. │
│ 2) Inspect app logs for unauthenticated responses returning │
│ configuration payloads. │
│ 3) Monitor outbound flows for exfiltration patterns. │
│ 4) Query DB audit logs for reads of configurator tables/LOBs. │
│ 5) Snapshot systems before remediation if compromise suspected. │
└──────────────────────────────────────────────────────────────────┘
```
---
# 🛡 Mitigation & Response Playbook
**Immediate (0–24h)**
* Apply Oracle emergency patch for CVE‑2025‑61884
* Restrict access to Runtime UI endpoints (IP allowlist / firewall / VPN)
* Strengthen logging and capture HTTP access for review
**Short Term (1–7 days)**
* Hunt using IOC checklist; block offending IPs
* Limit application privileges; rotate credentials if compromise suspected
* Enable alerting on anomalous read patterns
**Medium Term (1–4 weeks)**
* Fully patch & validate in staging
* Rebuild compromised hosts if exfiltration detected
* External penetration test / purple-team exercise
**Long Term**
* Network segmentation for public vs internal tiers
* Harden input validation / WAF tuned for EBS Runtime UI
* Maintain automated patch & vulnerability management
---
# 🧾 Quick Hunting Commands
```
# Web tier access logs: filter for Configurator Runtime UI accesses
grep -i "configurator\|runtimeui" /var/log/httpd/access_log

# App logs: search for configuration payloads (broad pattern, expect noise)
grep -R --binary-files=text -E "config|configuration|attribute|property" /u01/oracle/inst
```

```
-- DB audit trail: find reads of configurator tables in the last 7 days
-- (DBA_AUDIT_TRAIL exposes the user as USERNAME, not USER_NAME)
SELECT username, sql_text, timestamp
FROM dba_audit_trail
WHERE sql_text LIKE '%CONFIGURATOR%' AND timestamp > sysdate - 7;
```
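The grep above only isolates the Runtime UI lines; the IOC table also asks for external source IPs, large response bodies and repeated probes. The following added example (not part of the original PoC repository) scores web-tier access-log lines against those three indicators. It assumes Apache/OHS combined log format, an internal-network allowlist you supply, and constructed sample lines whose request paths are placeholders rather than the real endpoint.

```python
import ipaddress
import re
from collections import Counter

# Apache/OHS "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# Same substrings the grep in this README uses for Runtime UI calls.
RUNTIME_UI_RE = re.compile(r"configurator|runtimeui", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def hunt(log_text, internal_nets, big_body=100_000, probe_limit=3):
    """Flag Runtime UI requests that match the IOC table: external source,
    oversized 200 response, or repeated probing from one IP."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    recs = (parse_line(l) for l in log_text.splitlines())
    hits = [r for r in recs if r and RUNTIME_UI_RE.search(r["path"])]
    per_ip = Counter(r["ip"] for r in hits)
    findings = []
    for r in hits:
        reasons = []
        if not any(ipaddress.ip_address(r["ip"]) in n for n in nets):
            reasons.append("external-source")
        if r["status"] == 200 and r["bytes"] >= big_body:
            reasons.append("large-response")
        if per_ip[r["ip"]] >= probe_limit:
            reasons.append("repeated-probes")
        if reasons:
            findings.append({"ip": r["ip"], "path": r["path"], "bytes": r["bytes"], "reasons": reasons})
    return findings

# Constructed sample lines; paths and addresses are placeholders, not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [12/Oct/2025:09:14:01 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Oct/2025:09:15:02 +0000] "GET /OA_HTML/configurator/UiServlet?cfg=1 HTTP/1.1" 200 812340 "-" "python-requests/2.31"
203.0.113.77 - - [12/Oct/2025:09:15:03 +0000] "GET /OA_HTML/configurator/UiServlet?cfg=2 HTTP/1.1" 200 798221 "-" "python-requests/2.31"
203.0.113.77 - - [12/Oct/2025:09:15:04 +0000] "GET /OA_HTML/configurator/UiServlet?cfg=3 HTTP/1.1" 404 512 "-" "python-requests/2.31"
10.0.5.12 - - [12/Oct/2025:09:16:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f)
```

Tune `big_body` to the normal Runtime UI response size on your deployment; the constructed threshold is only illustrative.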
---
# ⚖️ Risk & Impact
* 🔥 Probability: High for internet-accessible EBS Runtime UI
* 💥 Impact: High — exposure of sensitive config/business data; follow-on attacks possible
* 🚨 Action: Patch + restrict access + hunt immediately
---
# ✅ Action Summary
1. **Patch** Oracle EBS immediately (emergency update)
2. **Restrict access** to Runtime UI endpoints if patching is delayed
3. **Hunt & remediate** using IOCs and logs for unauthorized data access
---