Multiple vulnerabilities in Oracle Fusion Middleware

1) Security restrictions bypass

EUVDB-ID: #VU10089

Risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-10068

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Business Intelligence Enterprise Edition Analytics Web Dashboards component. A remote attacker can access and partially modify data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 12.2.1.3.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU10096

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-10273

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle JDeveloper Deployment component. A local attacker can partially access data, partially modify data, and partially deny service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.7.0 - 12.2.1.2.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.7.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.9.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Security restrictions bypass

EUVDB-ID: #VU10091

Risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-2564

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle WebCenter Content Content Server component. A remote attacker can partially access and modify data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.9.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.9.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU10095

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2584

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle WebCenter Sites Advanced UI component. A remote attacker can partially access data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.8.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU10092

Risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-2596

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle WebCenter Content Content Server component. A remote attacker can partially access and modify data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.9.0 - 12.2.1.3.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.9.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU10090

Risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-2711

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle JDeveloper Security Framework component. A remote attacker can access and partially modify data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.7.0 - 12.2.1.3.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.7.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.9.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU10093

Risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-2713

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle WebCenter Portal WebCenter Spaces Application component. A remote attacker can partially access and modify data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.9.0 - 12.2.1.3.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:11.1.1.9.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information disclosure

EUVDB-ID: #VU10094

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2715

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle Business Intelligence Enterprise Edition BI Platform Security component. A remote attacker can access important data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 12.2.1.2.0 - 12.2.1.3.0

CPE2.3

• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.