Multiple vulnerabilities in Oracle Data Integrator



Published: 2021-01-20
Risk High
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2020-9488
CVE-2019-10247
CVE-2016-5725
CVE-2018-9019
CVE-2019-10086
CVE-2019-17359
CVE-2020-10683
CVE-2015-8965
CWE-ID CWE-295
CWE-20
CWE-89
CWE-693
CWE-401
CWE-749
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerable software
Subscribe
Oracle Data Integrator
Other software / Other software solutions

Vendor Oracle

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Improper Certificate Validation

EUVDB-ID: #VU27487

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-9488

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 12.2.1.3.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU25067

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-10247

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Integrator Acquistion System (Eclipse Jetty) component in Oracle Endeca Information Discovery Integrator. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 12.2.1.3.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU49795

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2016-5725

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Install, config, upgrade (JCraft JSch) component in Oracle Data Integrator. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 11.1.1.9.0 - 12.2.1.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) SQL injection

EUVDB-ID: #VU31298

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-9019

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 11.1.1.9.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Protection mechanism failure

EUVDB-ID: #VU20844

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-10086

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 11.1.1.9.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Memory leak

EUVDB-ID: #VU22272

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-17359

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ASN.1 parser. A remote attacker can send a specially crafted ASN.1 data and cause an OutOfMemoryError and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Exposed dangerous method or function

EUVDB-ID: #VU28238

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-10683

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to abuse implemented functionality.

The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 12.2.1.3.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU49775

Risk: High

CVSSv3.1:

CVE-ID: CVE-2015-8965

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Install, config, upgrade (Rogue Wave JViews) component in Oracle Data Integrator. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Data Integrator: 12.2.1.3.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujan2021.html?3354

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###