SB2019071685 - Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2019-2823)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Infrastructure component in Oracle Financial Services Analytical Applications Infrastructure. A remote authenticated user can exploit this vulnerability to read and manipulate data.

2) Prototype pollution (CVE-ID: CVE-2019-11358)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

3) Improper input validation (CVE-ID: CVE-2018-15756)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in Pivotal Software Spring Framework due to improper handling of range requests. A remote attacker can send a specially crafted request that contains an additional range header with a high number of ranges or with wide ranges that overlap and cause the service to crash.

4) Input validation error (CVE-ID: CVE-2018-19362)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujul2019.html?3369