#VU17053 Remote code execution in Primavera Unifier


Published: 2019-01-17

Vulnerability identifier: #VU17053

Vulnerability risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Primavera Unifier
Client/Desktop applications / Software for system administration

Vendor: Oracle

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Primavera Unifier: 16.1 - 18.8

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixEM

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM B2B Advanced Communications
IBM Log Analysis update for FasterXML jackson-databind
Multiple vulnerabilities in z/Transaction Processing Facility
Multiple vulnerabilities in IBM Process Mining
Multiple vulnerabilities in Red Hat Openshift Logging
Multiple vulnerabilities in Red Hat OpenShift Container Platform
Multiple vulnerabilities in Red Hat Data Grid