Missing Authentication for Critical Function in Oracle Application Performance Management
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-14350 |
| CWE-ID | CWE-306 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Application Performance Management Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Missing Authentication for Critical Function
EUVDB-ID: #VU38173
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-14350
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A potential security vulnerability has been identified in HPE Application Performance Management (BSM) Platform versions 9.26, 9.30, 9.40. The vulnerability could be remotely exploited to allow code execution.
MitigationInstall update from vendor's website.
Vulnerable software versionsApplication Performance Management: 9.26 - 9.40
CPE2.3- cpe:2.3:a:oracle:application_performance_management:9.26:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_performance_management:9.30:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_performance_management:9.40:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/100988
https://www.zerodayinitiative.com/advisories/ZDI-17-825/
https://softwaresupport.hpe.com/km/KM02960811
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
