Multiple vulnerabilities in Communications Unified Assurance
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-21830 CVE-2023-20861 CVE-2023-24998 CVE-2022-31692 |
| CWE-ID | CWE-20 CWE-770 CWE-285 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Communications Unified Assurance Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU71288
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-21830
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsCommunications Unified Assurance: 5.5.0 - 6.0.2
CPE2.3- cpe:2.3:a:oracle:communications_unified_assurance:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2023.html?970495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU75562
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20861
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of SpEL expressions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsCommunications Unified Assurance: 5.5.0 - 6.0.2
CPE2.3- cpe:2.3:a:oracle:communications_unified_assurance:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2023.html?970495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU72427
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-24998
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsCommunications Unified Assurance: 5.5.0 - 6.0.2
CPE2.3- cpe:2.3:a:oracle:communications_unified_assurance:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2023.html?970495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Authorization
EUVDB-ID: #VU68866
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-31692
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to authorization rules bypass via forward or include dispatcher types. A remote attacker can bypass authorization process.
MitigationInstall update from vendor's website.
Vulnerable software versionsCommunications Unified Assurance: 5.5.0 - 6.0.2
CPE2.3- cpe:2.3:a:oracle:communications_unified_assurance:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_assurance:5.5.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2023.html?970495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
