Multiple vulnerabilities in Oracle Primavera Gateway
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-3508 CVE-2017-3500 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Primavera Gateway Server applications / Application servers |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU39117
Risk: High
CVSSv4.0: 2.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Amber]
CVE-ID: CVE-2017-3508
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to execute arbitrary code.
Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Primavera Gateway. CVSS 3.0 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Gateway: 1.0 - 16.2
CPE2.3- cpe:2.3:a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97883
https://www.securityfocus.com/bid/97889
https://www.securitytracker.com/id/1038289
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU39129
Risk: High
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:H/E:U/U:Amber]
CVE-ID: CVE-2017-3500
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to #BASIC_IMPACT#.
Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera Gateway accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway. CVSS 3.0 Base Score 8.7 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Gateway: 1.0 - 16.2
CPE2.3- cpe:2.3:a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97881
https://www.securitytracker.com/id/1038289
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
