#VU17053 Remote code execution in Primavera Unifier - CVE-2018-14718


Vulnerability identifier: #VU17053

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Primavera Unifier
Client/Desktop applications / Software for system administration

Vendor: Oracle

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Primavera Unifier: 16.1 - 18.8

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixEM

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM watsonx.data update for FasterXML jackson-databind
Multiple vulnerabilities in IBM watsonx.data
Multiple vulnerabilities in IBM Storage Virtualize
Multiple vulnerabilities in IBM Integration Designer
Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM B2B Advanced Communications
IBM Log Analysis update for FasterXML jackson-databind
Multiple vulnerabilities in z/Transaction Processing Facility