SB2020042119 - Multiple vulnerabilities in Oracle SD-WAN Edge




Published: April 21, 2020 Updated: February 10, 2022

Security Bulletin ID: SB2020042119
Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2019-1010238)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing UTF-8 strings in the pango_log2vis_get_embedding_levels() function in pango-bidi-type.c. A remote attacker can pass a specially crafted string to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Out-of-bounds write (CVE-ID: CVE-2019-14821)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the KVM coalesced MMIO support functionality, caused by incorrect processing of shared indexes. A local user can run a specially crafted application to trigger an out-of-bounds write and write data to an arbitrary address in kernel memory.

Successful vulnerability exploitation may allow an attacker to execute arbitrary code on the system with root privileges.
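
The safeguard this class of bug calls for, shown as an added example (a simplified user-space model written for this bulletin, not the KVM code or the vendor's patch): a privileged producer validates an index held in shared memory before using it as an array subscript. The struct layout, RING_MAX and ring_push_checked() are hypothetical names, and the model assumes the unprivileged side can write both indexes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RING_MAX 8u   /* constructed ring size for this model */

struct entry { uint64_t addr; uint32_t len; uint8_t data[8]; };

/* Memory mapped by both the privileged side and the untrusted side. */
struct shared_ring {
    volatile uint32_t first;   /* consumer index, writable by untrusted side */
    volatile uint32_t last;    /* producer index, writable by untrusted side */
    struct entry slot[RING_MAX];
};

/* Privileged producer: returns 0 on success, -1 if the write is refused. */
int ring_push_checked(struct shared_ring *r, uint64_t addr,
                      const void *buf, uint32_t len)
{
    /* Read each shared index exactly once; a second read could differ. */
    uint32_t insert = r->last;
    uint32_t first  = r->first;

    if (insert >= RING_MAX)                  /* index outside the array */
        return -1;
    if ((insert + 1) % RING_MAX == first % RING_MAX)   /* ring is full */
        return -1;
    if (len > sizeof r->slot[0].data)        /* payload larger than a slot */
        return -1;

    /* Only the validated local copy is used as the subscript. */
    r->slot[insert].addr = addr;
    r->slot[insert].len  = len;
    memcpy(r->slot[insert].data, buf, len);
    r->last = (insert + 1) % RING_MAX;
    return 0;
}

int main(void)
{
    struct shared_ring r = {0};
    uint8_t payload[8] = {0};
    r.last = 0x40000000u;   /* constructed: index set out of range */
    return ring_push_checked(&r, 0x1000, payload, sizeof payload) == -1 ? 0 : 1;
}
```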


Remediation

Install the update from the vendor's website.