Multiple vulnerabilities in Oracle Communications Design Studio

1) Division by zero

EUVDB-ID: #VU23188

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-16168

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle Communications Design Studio: 7.3.4.3.0 - 7.4.1.1.0

CPE2.3

• cpe:2.3:a:oracle:oracle_communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpujan2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU24468

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-0227

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core (Apache Axis) component in Oracle Communications Design Studio. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle Communications Design Studio: 7.3.4.3.0 - 7.4.1.1.0

CPE2.3

• cpe:2.3:a:oracle:oracle_communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpujan2020.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?