SB2022072099 - Multiple vulnerabilities in Oracle ZFS Storage Appliance Kit 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022072099

SB2022072099 - Multiple vulnerabilities in Oracle ZFS Storage Appliance Kit

Published: July 20, 2022

Security Bulletin ID SB2022072099
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2022-21563)

The vulnerability allows a local privileged user to manipulate or delete data.

The vulnerability exists due to improper input validation within the Core component in Oracle ZFS Storage Appliance Kit. A local privileged user can exploit this vulnerability to manipulate or delete data.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-24801)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests within the twisted.web.http module. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


3) Improper input validation (CVE-ID: CVE-2022-21513)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle ZFS Storage Appliance Kit. A local privileged user can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References