SB2025012192 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Console
Published: January 21, 2025 Updated: November 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2024-5535)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-38807)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to incorrect signature verification when using spring-boot-loader and spring-boot-loader-classic for nested jar files. A local user can forge the signature to spoof identity of the code signer.
3) Information disclosure (CVE-ID: CVE-2024-7885)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure sharing of resources where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure.
4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2024-3596)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in RADIUS Protocol. A remote user can perform a man-in-the-middle (MitM) attack and gain access to target system.
Remediation
Install update from vendor's website.