Multiple vulnerabilities in Oracle Communications Cloud Native Core Automated Test Suite
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-46136 CVE-2024-40898 CVE-2024-43044 |
| CWE-ID | CWE-407 CWE-918 CWE-284 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Oracle Communications Cloud Native Core Automated Test Suite Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Inefficient Algorithmic Complexity
EUVDB-ID: #VU82548
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-46136
CWE-ID:
CWE-407 - Inefficient Algorithmic Complexity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to high resource usage when parsing multipart/form-data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 23.4.3 - 24.2.2
CPE2.3- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:23.4.3:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.2.2:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.1.1:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2024.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU94503
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-40898
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in Apache HTTP Server on Windows with mod_rewrite in server/vhost context. A remote attacker can force the web server to leak NTML hashes to a malicious server via SSRF and malicious requests.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 23.4.4 - 24.2.2
CPE2.3- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.2.2:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.1.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:23.4.4:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2024.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Improper access control
EUVDB-ID: #VU95780
Risk: High
CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-43044
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the "ClassLoaderProxy#fetchJar" method in the Remoting library. A remote attacker can read arbitrary files on the Jenkins controller file system, leading to arbitrary code execution.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 23.4.3 - 24.2.2
CPE2.3- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:23.4.3:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.2.2:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_communications_cloud_native_core_automated_test_suite:24.1.1:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2024.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
