SB2020102710 - Multiple vulnerabilities in Oracle TimesTen In-Memory Database 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020102710

SB2020102710 - Multiple vulnerabilities in Oracle TimesTen In-Memory Database

Published: October 27, 2020

Security Bulletin ID SB2020102710
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 25% Medium 50% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2019-0201)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions when "getACL()" command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. A remote attacker can gain READ permissions to list ACL.


2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2019-1010239)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7.9 and later.


3) Deserialization of untrusted data (CVE-ID: CVE-2017-5645)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists receiving serialized log events from another application when using the TCP socket server or UDP socket server. A remote attacker can submit a specially crafted binary payload, when deserialized, and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

4) Out-of-bounds read (CVE-ID: CVE-2018-11058)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when parsing ASN.1 data. A remote attacker can use a specially constructed ASN.1 data, trigger out-of-bounds read error and read contents of memory on the system.

This vulnerability affects the following versions of RSA BSAFE Crypto-C Micro Edition:

  • version prior to 4.0.5.3 (in 4.0.x)


Remediation

Install update from vendor's website.

References