SB2020051203 - Multiple vulnerabilities in Oracle's iPlanet Web Server
Published: May 12, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-9315)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions within admingui/version URIs in the Administration console. A remote attacker can send a specially crafted request and read the encryption keys.
2) Code Injection (CVE-ID: CVE-2020-9314)
The vulnerability allows a remote attacker to perform a phishing attack.
The vulnerability exists due to improper input validation when processing HTTP requests within the "/admingui/version/" URL in the Administration Console. A remote attacker can send a specially crafted request and permanently inject arbitrary images.
Note: this vulnerability exists due to an incomplete fix for SB2012050302 (CVE-2012-0516).
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
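With no vendor fix listed, a defender's first step is to find out whether the Administration Console URI named above is being reached at all, and from where. The following is an added example, not part of this bulletin or of any Oracle tooling: it scans web-server access-log lines for requests to /admingui/version, treating any hit from outside a hypothetical admin network (10.0.0.0/8, an assumption) as a CVE-2020-9315 exposure and any non-GET or parameterised hit as a possible CVE-2020-9314 injection attempt. The NCSA combined log format and the sample lines are constructed for the example.

```python
import ipaddress
import re

# NCSA combined/common access-log line (assumed format; constructed for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical: the only network from which console administration is legitimate
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# URI prefix named in the bulletin for both CVE-2020-9315 and CVE-2020-9314
ADMINGUI_VERSION = "/admingui/version"


def parse_line(line):
    """Return the log fields as a dict, or an empty dict if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_admin_source(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)
    except ValueError:
        return False


def flag_request(rec):
    """Return a reason string if the request touches the vulnerable URI suspiciously, else None."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    if path != ADMINGUI_VERSION and not path.startswith(ADMINGUI_VERSION + "/"):
        return None
    if not is_admin_source(rec["ip"]):
        kind = "exposure" if rec["status"] == "200" else "attempt"
        return f"CVE-2020-9315 {kind}: admingui/version reached from non-admin source"
    if rec["method"] != "GET" or "?" in rec["path"]:
        return "CVE-2020-9314 possible injection: non-GET or parameterised request to admingui/version"
    return None


def scan(lines):
    """Return (ip, method, path, reason) tuples for every flagged, parseable line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reason = flag_request(rec) if rec else None
        if reason:
            findings.append((rec["ip"], rec["method"], rec["path"], reason))
    return findings


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2020:10:01:02 +0000] "GET /admingui/version/ HTTP/1.1" 200 5120',
    '10.1.2.3 - - [12/May/2020:10:05:44 +0000] "GET /admingui/version/ HTTP/1.1" 200 5120',
    '10.1.2.3 - - [12/May/2020:10:06:10 +0000] "POST /admingui/version/?img=x HTTP/1.1" 200 312',
    '198.51.100.9 - - [12/May/2020:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
]
```

Pair this with a reverse-proxy or firewall rule that restricts the Administration Console path to the admin network; the scan then shows whether that rule is actually holding.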