http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

91787

91885

1036363

The remote Oracle Database Server is missing the July 2016 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities :

  - A security feature bypass vulnerability, known as FREAK     (Factoring attack on RSA-EXPORT Keys), exists in the     RDBMS HTTPS Listener package due to the support of weak     EXPORT_RSA cipher suites with keys less than or equal to     512 bits. A man-in-the-middle attacker may be able to     downgrade the SSL/TLS connection to use EXPORT_RSA     cipher suites which can be factored in a short amount of     time, allowing the attacker to intercept and decrypt the     traffic. (CVE-2015-0204)

  - An unspecified vulnerability exists in the Application     Express component that allows an unauthenticated, remote     attacker to impact confidentiality and integrity.
    (CVE-2016-3448)

  - An unspecified vulnerability exists in the Application     Express component that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3467)

  - An unspecified vulnerability exists in the Portable     Clusterware component that allows an unauthenticated,     remote attacker to cause a denial of service condition.
    (CVE-2016-3479)

  - An unspecified vulnerability exists in the Database     Vault component that allows a local attacker to impact     confidentiality and integrity. (CVE-2016-3484)

  - An unspecified vulnerability exists in the DB Sharding     component that allows a local attacker to impact     integrity. (CVE-2016-3488)

  - An unspecified vulnerability exists in the Data Pump     Import component that allows a local attacker to to gain     elevated privileges. (CVE-2016-3489)

  - An unspecified vulnerability exists in the JDBC     component that allows an unauthenticated, remote     attacker to execute arbitrary code. (CVE-2016-3506)

  - An unspecified vulnerability exists in the OJVM     component that allows an authenticated, remote attacker     to execute arbitrary code. (CVE-2016-3609)

CVE-2016-3448

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins