Multiple vulnerabilities in Oracle Retail Advanced Inventory Planning



Published: 2020-04-23
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2019-17091
CVE-2017-5645
CWE-ID CWE-20
CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Oracle Retail Advanced Inventory Planning
Web applications / E-Commerce systems

Vendor Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU24469

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17091

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Maps (Mojarra) component in Oracle Communications Unified Inventory Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Retail Advanced Inventory Planning: 15.0 - 16.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?555817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of untrusted data

EUVDB-ID: #VU12127

Risk: High

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5645

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists receiving serialized log events from another application when using the TCP socket server or UDP socket server. A remote attacker can submit a specially crafted binary payload, when deserialized, and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Retail Advanced Inventory Planning: 14.0 - 15.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpuapr2020.html?555817

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###