SB2019011592 - Multiple vulnerabilities in Enterprise Manager Base Platform

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019011592

SB2019011592 - Multiple vulnerabilities in Enterprise Manager Base Platform

Published: January 15, 2019

Security Bulletin ID SB2019011592
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2018-3303)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: EM Console). Supported versions that are affected are 13.2 and 13.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).


2) Improper input validation (CVE-ID: CVE-2018-0732)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of large prime values by the affected software during key agreement operations in a Transport Layer Security (TLS) handshake using an Ephemeral Diffie-Hellman (DHE) based cipher suite. A remote attacker can send a large prime value from a malicious OpenSSL server to a targeted OpenSSL client and cause the client to stop responding while generating a key for the prime value.


3) Improper input validation (CVE-ID: CVE-2016-4000)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Oracle Flow Builder (Jython) component in Oracle Application Testing Suite. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References