Vulnerability identifier: #VU17053

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Primavera Unifier
Client/Desktop applications / Software for system administration

Vendor: Oracle

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Primavera Unifier: 16.1 - 18.8

---

CPE

• cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixEM

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?