SB2021121542 - Multiple vulnerabilities in Fuse 7.10
Published: December 15, 2021 Updated: February 11, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 54 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-30468)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the JsonMapObjectReaderWriter. A remote attacker can trigger resource exhaustion by submitting a malformed JSON to a web service and perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2020-2875)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Connector/J component in MySQL Connectors. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21346)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21345)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Resource exhaustion (CVE-ID: CVE-2021-21341)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Resource exhaustion (CVE-ID: CVE-2020-27782)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
7) XML Entity Expansion (CVE-ID: CVE-2021-23926)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing XML data. A remote attacker can pass specially crafted XML data to the application and perform XML Entity Expansion attacks.
8) Input validation error (CVE-ID: CVE-2020-28491)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
9) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2020-15522)
The vulnerability allows a remote attacker to gain access to sensitive information.
The
vulnerability exists due to a timing issue within the EC math library. A remote attacker who can observe timing information for the generation of multiple deterministic ECDSA signatures is able to reconstruct the private key used for encryption.
10) Cleartext storage of sensitive information (CVE-ID: CVE-2021-21290)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to insecure usage of temporary files in AbstractDiskHttpData method in Netty. The application stores sensitive information in temporary file that has insecure permissions. A local user can view application's temporary file and gain access to potentially sensitive data.11) Improper input validation (CVE-ID: CVE-2021-3597)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Signaling (undertow) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
12) Improper input validation (CVE-ID: CVE-2020-2934)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Connector/J component in MySQL Connectors. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
13) Input validation error (CVE-ID: CVE-2020-26259)
The vulnerability allows a remote attacker to delete arbitrary files on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the blacklisting feature. A remote attacker can pass specially crafted input to the application and delete arbitrary files on the system.
14) Incorrect default permissions (CVE-ID: CVE-2020-17521)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for temporary files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.
15) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-11987)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
16) Path traversal (CVE-ID: CVE-2021-20218)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to malicious pod/container can cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
17) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-21409)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 in Netty, if the request only uses a single Http2HeaderFrame with the endStream set to to true. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
18) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21342)
The vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and perform SSRF attack.
19) Buffer overflow (CVE-ID: CVE-2021-30129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the sshd-core of Apache Mina SSHD. A remote attacker can send specially crafted requests to the server, trigger buffer overflow and perform a denial of service (DoS) attack.
20) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21349)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and gain access to sensitive information.
21) Code Injection (CVE-ID: CVE-2021-44228)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing LDAP requests. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, we are aware of attackers exploiting the vulnerability in the wild.
22) Infinite loop (CVE-ID: CVE-2021-37714)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing untrusted HTML and XML code. A remote attacker can consume all available system resources and cause denial of service conditions.
23) Input validation error (CVE-ID: CVE-2020-13949)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted messages and perform a denial of service (DoS) attack.
24) Resource exhaustion (CVE-ID: CVE-2021-37136)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in Bzip2 decompression decoder function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
25) XML External Entity injection (CVE-ID: CVE-2019-12415)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents. A remote attacker can pass a specially crafted XML code to the affected application and read files from the local filesystem or from internal network resources on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
26) Input validation error (CVE-ID: CVE-2021-28164)
The vulnerability allows a remote attacker to gain access to sensitive informatoin.
The vulnerability exists due to insufficient validation of user-supplied input when processing special characters, passed via URI. A remote attacker can use %2e or %2e%2e segments to access protected resources within the WEB-INF directory.
Example:
http://[host]/context/%2e/WEB-INF/web.xml
27) Cross-site scripting (CVE-ID: CVE-2021-3536)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
28) Resource exhaustion (CVE-ID: CVE-2021-3629)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Undertow does not properly control consumption of internal resources when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP/2 requests to the web server, trigger resource exhaustion and perform a denial of service (DoS) attack.
29) Improper input validation (CVE-ID: CVE-2020-27218)
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The vulnerability exists due to improper input validation within the SC Admin server (Eclipse Jetty) component in Oracle Communications Converged Application Server - Service Controller. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.
30) Input validation error (CVE-ID: CVE-2021-28169)
The vulnerability allows a remote attacker to gain access to sensitive information..
The vulnerability exists due to a double decoding issue when parsing URI with certain characters. A remote attacker can send requests to the ConcatServlet and WelcomeFilter and view contents of protected resources within the WEB-INF directory.
Example:
/concat?/%2557EB-INF/web.xml
31) Resource management error (CVE-ID: CVE-2020-13943)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper management of internal resources within the application when processing HTTP/2 requests. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
32) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21350)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
33) Memory leak (CVE-ID: CVE-2021-3690)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak when processing incoming PONG messages. A remote attacker can force the application to leak memory by sending an websocket PONG message and perform denial of service attack.
34) Code Injection (CVE-ID: CVE-2019-10744)
The vulnerability allows a remote attacker to modify properties on the target system.
The vulnerability exists due to improper input validation in the "defaultsDeep" function. A remote attacker can send a specially crafted request and modify the prototype of "Object" via "{constructor: {prototype: {...}}}" causing the addition or modification of an existing property that will exist on all objects.
35) Information disclosure (CVE-ID: CVE-2021-28163)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
36) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-22118)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the WebFlux application, which leads to security restrictions bypass and privilege escalation.
37) Insufficient Session Expiration (CVE-ID: CVE-2021-34428)
The vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.
38) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21343)
The vulnerability allows a remote attacker to delete arbitrary files.
The vulnerability exists due to insecure input validation when processing serialized data where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. A remote attacker can pass specially crafted data to the application and delete arbitrary files.
39) Path traversal (CVE-ID: CVE-2021-29425)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.
40) Improper input validation (CVE-ID: CVE-2020-27223)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
41) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21344)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
42) Resource management error (CVE-ID: CVE-2020-17527)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper management of internal resources within the application when processing HTTP/2 requests in Apache Tomcat. The web server can re-use an HTTP request header value from the previous stream received on an
HTTP/2 connection for the request associated with the subsequent stream. As a result a remote attacker can obtain sensitive information from another HTTP request.
43) OS Command Injection (CVE-ID: CVE-2020-26217)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation, when processing blacklists. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
44) Resource exhaustion (CVE-ID: CVE-2021-21348)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
45) Input validation error (CVE-ID: CVE-2020-35510)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing EJB client requests. A remote user can send specially crafted EJB message to the server and perform a denial of service (DoS) attack.
46) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21351)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
47) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21347)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
48) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-11988)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the XMPParser in Apache XmlGraphics Commons. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
49) Improper Certificate Validation (CVE-ID: CVE-2020-9488)
The vulnerability allows a remote attacker to perform man-in-the-middle attack.
The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.
50) Improper input validation (CVE-ID: CVE-2021-27568)
The vulnerability allows a remote non-authenticated attacker to read data or crash the application.
The vulnerability exists due to improper input validation within the REST Services (netplex json-smart-v1) component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read data or crash the application.
51) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-21295)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in io.netty:netty-codec-http2 when converting HTTP/2 to HTTP/1 streams. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
52) Improper input validation (CVE-ID: CVE-2021-28170)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Policy (Jakarta) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
53) Improper input validation (CVE-ID: CVE-2021-37137)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Content Acquisition System (Netty) component in Oracle Commerce Guided Search. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
54) Input validation error (CVE-ID: CVE-2021-22696)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of "request_uri" parameter by the OAuth 2 authorization service. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.