SB20230418183 - Multiple vulnerabilities in Oracle Utilities Application Framework

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230418183

SB20230418183 - Multiple vulnerabilities in Oracle Utilities Application Framework

Published: April 18, 2023

Security Bulletin ID SB20230418183
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2022-41966)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted data to the application, trigger a stack overflow error and perform a denial of service (DoS) attack.


2) Code Injection (CVE-ID: CVE-2020-13936)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker with ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.



3) SQL injection (CVE-ID: CVE-2022-23305)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the JDBCAppender. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Note, a non-default configuration with enabled JDBCAppender is required to exploit the vulnerability.


Remediation

Install update from vendor's website.

References