Multiple vulnerabilities in IBM Emptoris Strategic Supply Management Platform
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-2245 CVE-2021-2173 CVE-2021-2234 CVE-2021-2175 |
| CWE-ID | CWE-20 CWE-264 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
IBM Emptoris Strategic Supply Management Platform Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU52382
Risk: Low
CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-2245
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to manipulate data.
The vulnerability exists due to improper input validation within the Oracle Database - Enterprise Edition Unified Audit in Oracle Database Server. A remote privileged user can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Emptoris Strategic Supply Management Platform: 10.1.0.0 - 10.1.3.30
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.0:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.1:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.2:*:*:*:*:*:*:
http://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-server-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/
http://www.ibm.com/support/pages/node/6474475
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU52380
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-2173
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Recovery in Oracle Database Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Emptoris Strategic Supply Management Platform: 10.1.0.0 - 10.1.3.30
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.0:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.1:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.2:*:*:*:*:*:*:
http://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-server-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/
http://www.ibm.com/support/pages/node/6474475
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Improper input validation
EUVDB-ID: #VU52379
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-2234
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Emptoris Strategic Supply Management Platform: 10.1.0.0 - 10.1.3.30
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.0:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.1:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.2:*:*:*:*:*:*:
http://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-server-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/
http://www.ibm.com/support/pages/node/6474475
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU52381
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-2175
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Database Vault in Oracle Database Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Emptoris Strategic Supply Management Platform: 10.1.0.0 - 10.1.3.30
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.0:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.1:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_emptoris_strategic_supply_management_platform:10.1.3.2:*:*:*:*:*:*:
http://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-server-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/
http://www.ibm.com/support/pages/node/6474475
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
