SB2024041727 - Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition
Published: April 17, 2024 Updated: April 19, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2024-21099)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Data Visualization component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
2) Improper input validation (CVE-ID: CVE-2023-35116)
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Oracle Database Fleet Patching and Provisioning (jackson-databind) in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.
3) Resource management error (CVE-ID: CVE-2023-3817)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
4) Improper input validation (CVE-ID: CVE-2024-21001)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the BI Platform Security component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.
5) Improper input validation (CVE-ID: CVE-2024-21064)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Analytics Web Answers component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.
6) Incorrect default permissions (CVE-ID: CVE-2023-2976)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
7) Open redirect (CVE-ID: CVE-2021-28861)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in lib/http/server.py due to missing protection against multiple (/) at the beginning of URI path. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
8) Code Injection (CVE-ID: CVE-2022-42890)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to the application allows running Java classes via JavaScript. A remote user can use JavaScript to execute a Java class on the system and obtain its execution results.
Example:
Runtime.getRuntime().exec("xxx");
9) Information disclosure (CVE-ID: CVE-2023-43804)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to urllib does not strip the "Cookie" HTTP header during cross-origin HTTP redirects. A remote attacker can gain unauthorized access to sensitive information.
Remediation
Install update from vendor's website.