Multiple vulnerabilities in Oracle WebCenter Portal
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-9489 CVE-2019-12402 CVE-2020-11612 |
| CWE-ID | CWE-401 CWE-399 CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle WebCenter Portal Web applications / CRM systems |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU34420
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9489
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebCenter Portal: 12.2.1.3.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?540358
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU22185
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-12402
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the file name encoding algorithm can get into an infinite loop when faced with
specially crafted inputs. A remote attacker can choose the file names inside of an archive created by Compress and cause a denial of service condition on the target system.
Install update from vendor's website.
Vulnerable software versionsOracle WebCenter Portal: 12.2.1.3.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?540358
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU27513
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-11612
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within ZlibDecoders in Netty while decoding a ZlibEncoded byte stream. A remote attacker can trigger resource exhaustion by passing an overly large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebCenter Portal: 12.2.1.3.0 - 12.2.1.4.0
CPE2.3- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?540358
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
