Multiple vulnerabilities in Oracle Communications Cloud Native Core Service Communication Proxy
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2020-8554 CVE-2020-29582 CVE-2021-34429 CVE-2021-33037 CVE-2020-13956 CVE-2020-27618 CVE-2021-33880 CVE-2020-14340 CVE-2021-36090 CVE-2021-22118 |
| CWE-ID | CWE-20 CWE-284 CWE-444 CWE-835 CWE-203 CWE-400 CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Oracle Communications Cloud Native Core Service Communication Proxy Server applications / DLP, anti-spam, sniffers |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU60104
Risk: Medium
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-8554
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the UDR (Kubernetes API) component in Oracle Communications Cloud Native Core Unified Data Repository. A remote authenticated user can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU55164
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29582
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Signaling (Calico) component in Oracle Communications Cloud Native Core Network Slice Selection Function. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU56964
Risk: Medium
CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green]
CVE-ID: CVE-2021-34429
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
4) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU55423
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33037
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, related to processing of transfer encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU47481
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13956
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Infinite loop
EUVDB-ID: #VU50404
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-27618
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within iconv implementation when processing multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Observable discrepancy
EUVDB-ID: #VU54078
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-33880
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to observable timing discrepancy on server when HTTP Basic authentication is enabled with basic_auth_protocol_factory(credentials=...). A remote attacker can guess passwords via timing attack.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper input validation
EUVDB-ID: #VU60097
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14340
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the UDR (XNIO) component in Oracle Communications Cloud Native Core Unified Data Repository. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Resource exhaustion
EUVDB-ID: #VU54853
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-36090
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU53672
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22118
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in the WebFlux application, which leads to security restrictions bypass and privilege escalation.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Service Communication Proxy: 1.14.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2022.html?936687
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
