SB2024011665 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Security Edge Protection Proxy

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024011665

SB2024011665 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Security Edge Protection Proxy

Published: January 16, 2024 Updated: March 7, 2025

Security Bulletin ID SB2024011665
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 20% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2023-41053)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to Redis does not correctly identify keys accessed by SORT_RO. This may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.


2) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-5072)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Buffer overflow (CVE-ID: CVE-2023-4911)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of GLIBC_TUNABLES environment variable. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

5) Incorrect default permissions (CVE-ID: CVE-2023-43496)

The vulnerability allows a local user to execute arbitrary code on the system.

The vulnerability exists due to the affected plugin creates the temporary file in the system temporary directory with the default permissions for newly created files. A local user can view contents of files and directories and execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References