SB20241015130 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Certificate Management

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20241015130

SB20241015130 - Multiple vulnerabilities in Oracle Communications Cloud Native Core Certificate Management

Published: October 15, 2024

Security Bulletin ID SB20241015130
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 80% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2024-4603)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when checking DSA keys and parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


2) Input validation error (CVE-ID: CVE-2024-28182)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to reading the unbounded number of HTTP/2 CONTINUATION frames. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) NULL pointer dereference (CVE-ID: CVE-2023-2953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the ber_memalloc_x() function. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2024-6162)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling url-encoded request path information. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.


5) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2024-2398)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when sending HTTP/2 server push responses with an overly large number of headers. A remote attacker can send PUSH_PROMISE frames with an excessive amount of headers to the application, trigger memory leak and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References