SB20241015129 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Console

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20241015129

SB20241015129 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Console

Published: October 15, 2024

Security Bulletin ID SB20241015129
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2024-28182)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to reading the unbounded number of HTTP/2 CONTINUATION frames. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Resource exhaustion (CVE-ID: CVE-2024-26308)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of memory when unpacking a broken Pack200 file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) NULL pointer dereference (CVE-ID: CVE-2023-2953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the ber_memalloc_x() function. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2024-5971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to response writes hand when using Java 17 TLSv1.3 NewSessionTicket. A remote attacker can perform a denial of service (DoS) attack.


5) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2024-2398)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when sending HTTP/2 server push responses with an overly large number of headers. A remote attacker can send PUSH_PROMISE frames with an excessive amount of headers to the application, trigger memory leak and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References