Multiple vulnerabilities in Oracle Fusion Middleware
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2018-2587 CVE-2018-2739 CVE-2018-2765 CVE-2018-2768 CVE-2018-2770 CVE-2018-2791 CVE-2018-2801 CVE-2018-2806 CVE-2018-2828 CVE-2018-2834 CVE-2018-2879 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #11 is available. |
| Vulnerable software |
Oracle Access Manager Server applications / Directory software, identity management Oracle Security Service Server applications / Frameworks for developing and running applications Oracle Outside In Technology Client/Desktop applications / Other client software Oracle Adaptive Access Manager Web applications / Remote management & hosting panels Oracle WebCenter Sites Web applications / Other software Oracle WebCenter Content Web applications / CMS Oracle Data Visualization Desktop Client/Desktop applications / Virtualization software |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Security restrictions bypass
EUVDB-ID: #VU11921
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2587
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Oracle Access Manager Web Server Plugin component due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Access Manager accessible data and read a subset of Oracle Access Manager accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle Access Manager: 10.1.4.3 - 12.2.1.3.0
CPE2.3- cpe:2.3:a:oracle:oracle_access_manager:10.1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:11.1.2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:12.2.1.3.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU11922
Risk: Low
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2739
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Oracle Access Manager Web Server Plugin component due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, create, delete or modify critical data or all Oracle Access Manager accessible data and gain access to critical data or complete access to all Oracle Access Manager accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle Access Manager: 10.1.4.3 - 12.2.1.3.0
CPE2.3- cpe:2.3:a:oracle:oracle_access_manager:10.1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:11.1.2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:12.2.1.3.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Security restrictions bypass
EUVDB-ID: #VU11923
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2765
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists in the Oracle Security Service component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle Security Service accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle Security Service: 12.1.3.0.0 - 12.2.1.2.0
CPE2.3- cpe:2.3:a:oracle:oracle_security_service:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_security_service:12.2.1.2.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Security restrictions bypass
EUVDB-ID: #VU11924
Risk: Low
CVSSv4.0: 4.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2768
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and cause DoS condition on the target system.
The weakness exists in the Oracle Outside In Technology component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle Security Service accessible data and partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsOracle Outside In Technology: 8.5.3
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Security restrictions bypass
EUVDB-ID: #VU11925
Risk: Low
CVSSv4.0: 5.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2770
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Oracle Adaptive Access Manager component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle Adaptive Access Manager accessible data and unauthorized update, insert or delete access to some of Oracle Adaptive Access Manager accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle Adaptive Access Manager: 11.1.2.3.0
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Security restrictions bypass
EUVDB-ID: #VU11926
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2018-2791
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data and unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle WebCenter Sites: 11.1.1.8 - 12.2.1.3.0
CPE2.3- cpe:2.3:a:oracle:oracle_webcenter_sites:11.1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_sites:12.2.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Security restrictions bypass
EUVDB-ID: #VU11927
Risk: Low
CVSSv4.0: 4.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2801
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and cause DoS condition on the target system.
The weakness exists in the Oracle Outside In Technology component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data and partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsOracle Outside In Technology: 8.5.3
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Security restrictions bypass
EUVDB-ID: #VU11928
Risk: Low
CVSSv4.0: 4.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2806
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and cause DoS condition on the target system.
The weakness exists in the Oracle Outside In Technology component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data and partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsOracle Outside In Technology: 8.5.3
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Security restrictions bypass
EUVDB-ID: #VU11929
Risk: Low
CVSSv4.0: 5.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:U/U:Clear]
CVE-ID: CVE-2018-2828
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information, write arbitrary files and cause DoS condition on the target system.
The weakness exists in the Oracle WebCenter Content component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data, unauthorized update, insert or delete access to some of Oracle WebCenter Content accessible data and partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsOracle WebCenter Content: 11.1.1.9.0 - 12.2.1.3.0
CPE2.3- cpe:2.3:a:oracle:oracle_webcenter_content:11.1.1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_content:12.2.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_content:12.2.1.3.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Security restrictions bypass
EUVDB-ID: #VU11931
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2834
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information, write arbitrary files and cause DoS condition on the target system.
The weakness exists in the Oracle Data Visualization Desktop component of Oracle Fusion Middleware due to improper security restrictions. A local attacker can gain create, delete or modify critical data or all Oracle Data Visualization Desktop accessible data, read a subset of Oracle Data Visualization Desktop accessible data and cause the service to frequently crash.
Install update from vendor's website.
Vulnerable software versionsOracle Data Visualization Desktop: 12.2.4.1.1
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Security restrictions bypass
EUVDB-ID: #VU11932
Risk: High
CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2018-2879
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists in the Oracle Access Manager component of Oracle Fusion Middleware due to improper security restrictions. A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOracle Access Manager: 11.1.2.3.0 - 12.2.1.3.0
CPE2.3- cpe:2.3:a:oracle:oracle_access_manager:11.1.2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:12.2.1.3.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
