Multiple vulnerabilities in Primavera Unifier
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2020-9488 CVE-2020-9489 CVE-2018-17196 CVE-2019-17558 CVE-2017-9096 CVE-2015-1832 |
| CWE-ID | CWE-295 CWE-401 CWE-284 CWE-94 CWE-611 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #4 is being exploited in the wild. |
| Vulnerable software |
Primavera Unifier Client/Desktop applications / Software for system administration |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Improper Certificate Validation
EUVDB-ID: #VU27487
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-9488
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform man-in-the-middle attack.
The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.
Install update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 18.8 - 19.12
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU34420
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9489
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 16.1 - 20.6
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU19218
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-17196
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper security restrictions imposed by the affected software. A remote authenticated attacker with write permission on respective topics can send a crafted Produce request that is designed to bypass transaction/idempotent access control list (ACL) validation.
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 18.8 - 19.12
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Code Injection
EUVDB-ID: #VU23850
Risk: Medium
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]
CVE-ID: CVE-2019-17558
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in VelocityResponseWriter, when "params.resource.loader.enabled" is set to true in Apache Solr configuration. A remote authenticated user with ability to load templates or change software configuration can inject a malicious template and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 16.1 - 20.6
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
5) XML External Entity injection
EUVDB-ID: #VU31399
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-9096
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 16.1 - 20.6
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) XXE attack
EUVDB-ID: #VU735
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-1832
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to conduct XXE attack.
The weakness exists due to XML external entity error. Via vectors involving XmlVTI and the XML datatype context-dependent attackers can view arbitrary files that may lead to denial of service.
Successful exploitation of the vulnerability can result in potentially sensitive information disclosure and denial of service on the vulnerable system.
Install update from vendor's website.
Vulnerable software versionsPrimavera Unifier: 16.1 - 20.6
CPE2.3- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2020.html?61749
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
