SB2024041738 - Multiple vulnerabilities in Oracle Access Manager



SB2024041738 - Multiple vulnerabilities in Oracle Access Manager

Published: April 17, 2024

Security Bulletin ID SB2024041738
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Security features bypass (CVE-ID: CVE-2022-24329)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists due to unspecified error, related to the ability to lock dependencies for Kotlin Multiplatform Gradle projects.



2) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-0231)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect handling of close_notify SSL/TLS messages that results in software not closing the connection and retaining the socket opened, which allows a client to receive clear text messages afterward. A remote attacker can intercept traffic between client and server application and gain access to potentially sensitive information.


3) Integer overflow (CVE-ID: CVE-2023-37536)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow. A remote attacker can pass specially crafted data to the application, trigger integer overflow and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.