Memory leak in Oracle Communications Messaging Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-9489 |
| CWE-ID | CWE-401 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Communications Instant Messaging Server Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Memory leak
EUVDB-ID: #VU34420
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9489
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Instant Messaging Server: 8.1
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpuoct2020.html?534794
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
