Use of a broken or risky cryptographic algorithm in JD Edwards World Security

1) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU17860

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-1559

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to the way an application behaves, when it receives a 0-byte record with invalid padding compared to the record with an invalid MAC, which results in padding oracle. A remote attacker can decrypt data.

Successful exploitation of the vulnerability requires that the application is using "non-stitched" ciphersuites and calls SSL_shutdown() twice (first, via a BAD_RECORD_MAC and again via a CLOSE_NOTIFY). 

Mitigation

Install update from vendor's website.

Vulnerable software versions

JD Edwards World Security: A9.3 - A9.4

CPE2.3

• cpe:2.3:a:oracle:jd_edwards_world_security:A9.3:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_world_security:A9.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_world_security:A9.4:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2019.html?3361

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.