SB2022012751 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Security Edge Protection Proxy

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022012751

SB2022012751 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Security Edge Protection Proxy

Published: January 27, 2022

Security Bulletin ID SB2022012751
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2021-34429)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.


2) Reachable Assertion (CVE-ID: CVE-2021-3326)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.


3) Observable discrepancy (CVE-ID: CVE-2021-33880)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to observable timing discrepancy on server when HTTP Basic authentication is enabled with basic_auth_protocol_factory(credentials=...). A remote attacker can guess passwords via timing attack.


4) Improper input validation (CVE-ID: CVE-2020-14340)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the UDR (XNIO) component in Oracle Communications Cloud Native Core Unified Data Repository. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


5) Resource management error (CVE-ID: CVE-2021-25122)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper management of internal resources within the application when processing new h2c connection requests. A remote attacker can send specially crafted requests to the server and obtain contents of HTTP responses, served to other users.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-22118)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions in the WebFlux application, which leads to security restrictions bypass and privilege escalation.


Remediation

Install update from vendor's website.

References