Multiple vulnerabilities in Oracle Communications Cloud Native Core Unified Data Repository

Published: 2023-04-18

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-23916 CVE-2022-47629
CWE-ID	CWE-770 CWE-190
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Oracle Communications Cloud Native Core Unified Data Repository Server applications / DLP, anti-spam, sniffers
Vendor	Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU72337

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23916

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of the "chained" HTTP compression algorithms, where the number of links in the decompression chain was limited for each header instead of the entire request. A remote attacker can send a specially crafted compressed HTTP request with numerous headers and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Communications Cloud Native Core Unified Data Repository: 22.4.1

External links

http://www.oracle.com/security-alerts/cpuapr2023.html?936690

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU70474

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47629

CWE-ID: CWE-190 - Integer overflow