SB2021012051 - Multiple vulnerabilities in Oracle Enterprise Data Quality

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2019-17091)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Maps (Mojarra) component in Oracle Communications Unified Inventory Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

2) Infinite loop (CVE-ID: CVE-2017-12626)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to infinite loops while parsing specially crafted WMF, EMF, MSG and macros and out of Memory exceptions while parsing specially crafted DOC, PPT and XLS. A remote attacker can cause the service to crash.

3) Exposed dangerous method or function (CVE-ID: CVE-2020-10683)

The vulnerability allows a remote attacker to abuse implemented functionality.

The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.

4) Desereliazation of untrusted data (CVE-ID: CVE-2016-1000031)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in DiskFileItem class of the FileUpload library due to deserialization of untrusted data. A remote attacker can execute arbitrary code under the context of the current process.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujan2021.html?924165