Multiple vulnerabilities in Oracle Communications Order and Service Management
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-46153 CVE-2023-24998 |
| CWE-ID | CWE-295 CWE-770 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Oracle Communications Order and Service Management Web applications / Remote management & hosting panels |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Certificate Validation
EUVDB-ID: #VU70066
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-46153
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper certificate verification within managing the TLS connections. A remote attacker can expose a route secured using an mTLS connection set with a wrong CA file.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Order and Service Management: 7.4.1
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujul2023.html?62362
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU72427
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24998
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Order and Service Management: 7.3.5 - 7.4.1
CPE2.3- cpe:2.3:a:oracle:oracle_communications_order_and_service_management:7.3.5:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_order_and_service_management:7.4.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_order_and_service_management:7.4.0:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpujul2023.html?62362
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
