SB20241015151 - Multiple vulnerabilities in Oracle Commerce Guided Search

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2024-26308)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of memory when unpacking a broken Pack200 file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2023-20863)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use a specially crafted SpEL expression and perform a denial of service (DoS) attack.

3) Resource management error (CVE-ID: CVE-2024-34750)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling HTTP/2 stream. A remote attacker can initiate multiple HTTP/2 connections to the server that are remain open and perform a denial of service (DoS) attack.

4) LDAP injection (CVE-ID: CVE-2022-46337)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote non-authenticated attacker can send a specially crafted LDAP query to the application, bypass authentication process and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuoct2024.html?3362