Risk | High |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2022-23491 CVE-2022-37865 CVE-2022-45047 CVE-2022-43402 CVE-2022-43401 |
CWE-ID | CWE-345 CWE-20 CWE-502 CWE-693 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #3 is available. |
Vulnerable software |
Oracle Communications Cloud Native Core Automated Test Suite Server applications / Other server solutions |
Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU71398
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-23491
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certificate validation checks.
The vulnerability exists due to presence of the TrustCor certificate in the Root Certificates list. the certificate is removed due to TrustCor's ownership also operated a business that produced spyware. Therefore, any checks that rely on digital signatures of trusted certificates were compromised.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 22.3.1 - 22.4.0
CPE2.3http://www.oracle.com/security-alerts/cpuapr2023.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU75226
Risk: High
CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-37865
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to damange or delete data.
The vulnerability exists due to improper input validation within the Installation (Apache Ivy) component in Oracle Communications Cloud Native Core Automated Test Suite. A remote non-authenticated attacker can exploit this vulnerability to damange or delete data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 22.3.1 - 22.4.0
CPE2.3http://www.oracle.com/security-alerts/cpuapr2023.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU70530
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2022-45047
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 22.3.1 - 22.4.0
CPE2.3http://www.oracle.com/security-alerts/cpuapr2023.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU68596
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green]
CVE-ID: CVE-2022-43402
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Groovy language runtime. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 22.3.1 - 22.4.0
CPE2.3http://www.oracle.com/security-alerts/cpuapr2023.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68594
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-43401
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Groovy language runtime. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Cloud Native Core Automated Test Suite: 22.3.1 - 22.4.0
CPE2.3http://www.oracle.com/security-alerts/cpuapr2023.html?947628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.