SB2021042114 - Multiple vulnerabilities in Oracle Secure Global Desktop

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Security features bypass (CVE-ID: CVE-2021-3450)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in implementation of the X509_V_FLAG_X509_STRICT flag allows an attacker to overwrite a valid CA certificate using any non-CA certificate in the chain. As a result, a remote attacker can perform MitM attack.

2) Improper input validation (CVE-ID: CVE-2021-2221)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Client component in Oracle Secure Global Desktop. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

3) Improper input validation (CVE-ID: CVE-2021-2248)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Server component in Oracle Secure Global Desktop. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

4) Improper input validation (CVE-ID: CVE-2021-2177)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Gateway component in Oracle Secure Global Desktop. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuapr2021.html?150