SB2021012213 - Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021012213

SB2021012213 - Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

Published: January 22, 2021

Security Bulletin ID SB2021012213
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2020-5421)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.


2) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.


3) Information disclosure (CVE-ID: CVE-2019-12399)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output within the Apache Kafka Connect REST API tasks endpoint. A remote authenticated user can issue a request to the same Connect cluster to obtain the connector's task configurations and the response will contain the plaintext secret.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-11979)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect patch for vulnerability #VU27924 (CVE-2020-1945). Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.


5) XML External Entity injection (CVE-ID: CVE-2019-3773)

The vulnerability allows a remote unauthenticated attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can supply a specially crafted input and obtain potentially sensitive information or cause the service to crash


Remediation

Install update from vendor's website.

References