SB2021042641 - Multiple vulnerabilities in Oracle Retail Predictive Application Server 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021042641

SB2021042641 - Multiple vulnerabilities in Oracle Retail Predictive Application Server

Published: April 26, 2021

Security Bulletin ID SB2021042641
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2019-3740)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Comp Management and Life Cycle Management (RSA BSAFE Crypto-J) component in Application Performance Management (APM). A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


2) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-11979)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect patch for vulnerability #VU27924 (CVE-2020-1945). Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.


4) Improper input validation (CVE-ID: CVE-2020-5421)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.


Remediation

Install update from vendor's website.

References