SB2023071970 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Sensitive cookie in HTTPS session without Secure attribute (CVE-ID: CVE-2023-28708)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to Apache Tomcat does not set the "Secure" attribute for the JSESSIONID session cookie when using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https. A remote attacker can force the application to transmit cookie via an insecure channel and intercept it.

2) Improper input validation (CVE-ID: CVE-2023-21971)

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Connector/J component in MySQL Connectors. A remote privileged user can exploit this vulnerability to read and manipulate data.

3) Input validation error (CVE-ID: CVE-2023-26049)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient input validation when parsing cookies. A remote attacker can send a specially crafted HTTP request with a cookie value that starts with a double quote and force the application to read the cookie string until it sees a closing quote. Such behavior can be used to exfiltrate sensitive values from other cookies.

4) Input validation error (CVE-ID: CVE-2023-20861)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of SpEL expressions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

5) Resource exhaustion (CVE-ID: CVE-2022-45061)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. A remote attacker can pass a specially crafted name to he decoder, trigger resource excessive CPU consumption and perform a denial of service (DoS) attack.

6) Information disclosure (CVE-ID: CVE-2023-30861)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing Vary: Cookie header. A remote attacker can gain unauthorized access to sensitive information on the system.

7) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.

8) Inadequate Encryption Strength (CVE-ID: CVE-2023-0361)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error in the TLS RSA key exchange. A remote attacker can perform Bleichenbacher oracle attack and decrypt information.

9) Security features bypass (CVE-ID: CVE-2023-20862)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the logout support does not properly clean the security context if using serialized versions. A remote attacker can save an empty security context to the HttpSessionSecurityContextRepository and keep users authenticated even after they performed logout.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujul2023.html?936689