SB2023011845 - Multiple vulnerabilities in Oracle HTTP Server

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2022-29824)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*). A remote attacker can pass specially crafted multi-gigabyte XML file to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Uncontrolled Recursion (CVE-ID: CVE-2021-42717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing excessively nested JSON objects. A remote attacker can send a specially crafted HTTP request and consume all available worker processes and CPU resources.

3) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.

4) Buffer overflow (CVE-ID: CVE-2018-25032)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when compressing data. A remote attacker can pass specially crafted input to the application, trigger memory corruption and perform a denial of service (DoS) attack.

5) Heap-based buffer overflow (CVE-ID: CVE-2022-2274)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

6) Improper Authentication (CVE-ID: CVE-2022-31813)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in mod_proxy implementation, where the web server may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. A remote attacker can bypass IP based authentication on the origin server/application and gain access to otherwise restricted functionality.

7) Input validation error (CVE-ID: CVE-2022-25236)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujan2023.html?1389