Multiple vulnerabilities in Instantis EnterpriseTrack



Published: 2020-04-21
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2019-12415
CVE-2019-17563
CVE-2019-10082
CVE-2017-5645
CWE-ID CWE-611
CWE-384
CWE-416
CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Instantis EnterpriseTrack
Web applications / CRM systems

Vendor Oracle

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) XML External Entity injection

EUVDB-ID: #VU22545

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12415

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents. A remote attacker can pass a specially crafted XML code to the affected application and read files from the local filesystem or from internal network resources on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Instantis EnterpriseTrack: 17.1 - 17.3


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?504242

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Session Fixation

EUVDB-ID: #VU25002

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17563

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a session fixation attack.

The vulnerability exists due to a race condition when FORM authentication is used in Apache Tomcat. A remote attacker can use a narrow window to perform a session fixation attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Instantis EnterpriseTrack: 17.1 - 17.3


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?504242

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU20386

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10082

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the mod_http2 when handling connection shutdown. A remote attacker can send specially crafted requests to the affected server and make the mod_http2 to read memory that was already freed.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Instantis EnterpriseTrack: 17.1 - 17.3


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?504242

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Deserialization of untrusted data

EUVDB-ID: #VU12127

Risk: High

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5645

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists receiving serialized log events from another application when using the TCP socket server or UDP socket server. A remote attacker can submit a specially crafted binary payload, when deserialized, and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Instantis EnterpriseTrack: 17.1 - 17.3


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?504242

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###