SB2019101572 - Multiple vulnerabilities in Oracle Enterprise Manager Ops Center 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019101572

SB2019101572 - Multiple vulnerabilities in Oracle Enterprise Manager Ops Center

Published: October 15, 2019 Updated: March 6, 2024

Security Bulletin ID SB2019101572
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Prototype pollution (CVE-ID: CVE-2019-11358)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


2) Resource management error (CVE-ID: CVE-2019-9517)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of HTTP/2 protocol. A remote attacker can  open the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

3) Improper input validation (CVE-ID: CVE-2019-5443)

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Networking (cURL) component in Enterprise Manager Ops Center. A local authenticated user can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References