SB2020012203 - Multiple vulnerabilities in Oracle Communications Unified Inventory Management

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2019-17091)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Maps (Mojarra) component in Oracle Communications Unified Inventory Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

2) Prototype pollution (CVE-ID: CVE-2019-11358)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

3) Improper input validation (CVE-ID: CVE-2018-15756)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in Pivotal Software Spring Framework due to improper handling of range requests. A remote attacker can send a specially crafted request that contains an additional range header with a high number of ranges or with wide ranges that overlap and cause the service to crash.

4) Out-of-bounds read (CVE-ID: CVE-2019-8457)

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a boundary condition in rtreenode() function when handling invalid rtree tables. A remote attacker can send a specially crafted request to the application, trigger heap out-of-bounds read crash the application.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujan2020.html