#VU39120 Input validation error in Enterprise Manager Base Platform - CVE-2017-3518

Cybersecurity Help s.r.o.

Published: 2017-04-24 | Updated: 2020-08-08

Vulnerability identifier: #VU39120

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-3518

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Enterprise Manager Base Platform
Server applications / Other server solutions

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: Discovery Framework). Supported versions that are affected are 12.1.0, 13.1.0 and 13.2.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Enterprise Manager Base Platform: 12.1.0 - 13.2.0

External links
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97720
https://www.securitytracker.com/id/1038297

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Enterprise Manager Base Platform