Multiple vulnerabilities in Oracle Enterprise Manager Base Platform
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-10091 CVE-2017-3518 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Enterprise Manager Base Platform Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU38545
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-10091
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: UI Framework). Supported versions that are affected are 12.1.0, 13.1.0 and 13.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. While the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Enterprise Manager Base Platform accessible data. CVSS 3.0 Base Score 7.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsEnterprise Manager Base Platform: 12.1.0 - 13.2.0
CPE2.3- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:13.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:13.2.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securityfocus.com/bid/99649
https://www.securitytracker.com/id/1038930
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU39120
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3518
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: Discovery Framework). Supported versions that are affected are 12.1.0, 13.1.0 and 13.2.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
MitigationInstall update from vendor's website.
Vulnerable software versionsEnterprise Manager Base Platform: 12.1.0 - 13.2.0
CPE2.3- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:13.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_enterprise_manager_base_platform:13.2.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97720
https://www.securitytracker.com/id/1038297
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
