Late last year in my work for Jibe Consulting, I detected a password disclosure issue with E-Business Suite R12, and reported it to Oracle. After I made sure that Oracle Support could replicate the issue, Oracle E-Business Suite Development worked the issue. The password disclosure issue has now been addressed in the July 2013 CPU security patch.
The Carnegie Mellon CERT organization has issues a public advisory about this issue. You can see the advisory here:
http://www.kb.cert.org/vuls/id/826463
As noted in the Oracle Security Alert, the CVE number is: CVE-2013-3749
I have worked with Oracle Support on mitigation steps, and the steps are included in the new MOS note:
Potential Logging of E-Business Suite Passwords (Doc ID 1579709.1)
You are affected if you have applied any of the E-Business Suite CPU patches: July 2012, Oct 2012, Jan 2013, or Apr 2013. There are also two one-off patches identified that cause the same issue: 12832734 and 10009066. See the MOS note for the latest news about which patches introduce the problem.
If you are affected, please follow the mitigation steps in the note to ensure that your E-Business Suite system is secured.
Note: Even if you have already applied CPU July 2013, you still need to read the note, because some of the mitigation steps will still apply.
I recommend doing the optional password change mitigation step (as well as the other mitigation steps).
Wow, I can’t believe it took Oracle so long to fix this… and they STILL didn’t get it right! Good job bringing it to everyone’s attention.