#VU38052 Input validation error in Siebel UI Framework - CVE-2017-10264

Cybersecurity Help s.r.o.

Published: 2017-10-19 | Updated: 2020-08-08

Vulnerability identifier: #VU38052

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-10264

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Siebel UI Framework
Server applications / Frameworks for developing and running applications

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Vulnerability in the Siebel UI Framework component of Oracle Siebel CRM (subcomponent: UIF Open UI). Supported versions that are affected are 16.0 and 17.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel UI Framework. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Siebel UI Framework: 16.0 - 17.0

External links
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://www.securityfocus.com/bid/101411

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Siebel UI Framework