SB2022042513 - Multiple vulnerabilities in JD Edwards EnterpriseOne Tools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022042513

SB2022042513 - Multiple vulnerabilities in JD Edwards EnterpriseOne Tools

Published: April 25, 2022 Updated: April 30, 2023

Security Bulletin ID SB2022042513
Severity
Critical
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 17% High 50% Medium 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2022-21409)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Web Runtime component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


2) Improper Certificate Validation (CVE-ID: CVE-2021-32066)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in Net::IMAP in Ruby, due to the gem does not raise an exception when StartTLS fails with an an unknown response. A remote attacker can perform a man-in-the-middle (MitM) attack.


3) Improper input validation (CVE-ID: CVE-2022-21464)

The vulnerability allows a remote non-authenticated attacker to access sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Business Logic Infra SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to access sensitive information or perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2021-2351)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Advanced Networking Option in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


5) Buffer overflow (CVE-ID: CVE-2021-3711)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in EVP_PKEY_decrypt() function within implementation of the SM2 decryption. A remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow by 62 bytes and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) OS Command Injection (CVE-ID: CVE-2021-42013)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient fix for the path traversal vulnerability #VU57063 (CVE-2021-41733). A remote unauthenticated attacker can send a specially crafted HTTP request to the affected server and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References