http://bugs.jython.org/issue2454

DSA-3893

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

105647

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859

https://hg.python.org/jython/file/v2.7.1rc1/NEWS

https://hg.python.org/jython/rev/d06e29d100c0

[infra-devnull] 20190402 [GitHub] [flink] aloyszhang opened pull request #8100: [FLINK-12082] Bump up the jython-standalone version

GLSA-201710-28

https://security-tracker.debian.org/tracker/CVE-2016-4000

https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - A remote security vulnerability exists in the Enterprise Manager Base Platform   product of Oracle Enterprise Manager. An unauthenticated attacker with network access   can exploit this vulnerability via HTTP by sending Jython command to execute arbitrary   code via a crafted serialized PyFunction object, can result in takeover Enterprise   Manager Base Platform. (CVE-2016-4000)

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Enterprise Manager Base Platform Agent Next Gen (Jython)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)

  - Enterprise Manager Base Platform Discovery Framework (OpenSSL)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to cause a frequent crash (DoS) of the Enterprise Manager Base     Platform. (CVE-2018-0732)

  - Enterprise Manager Ops Center Networking (OpenSSL) component of     Oracle Enterprise Manager Products Suite is easily exploited     and can allow an unauthenticated attacker the ability to cause a     frequent crash (DoS) of the Enterprise Manager Ops Center     Platform. (CVE-2018-0732)

  - Oracle Application Testing Suite Load Testing for Web Apps     (Spring Framework) component of Oracle Enterprise Manager     Products Suite is easily exploited and can allow an     unauthenticated attacker the ability to takeover the Enterprise     Manager Base Platform. (CVE-2018-1258)

  - Enterprise Manager Base Platform EM Console component is easily     exploited by an unauthenticated attacker. Successful attacks     can result in unauthorized update, insert, or delete access.     (CVE-2018-3303)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3304)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3305)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-12023)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-14718)

  - Enterprise Manager Ops Center Networking (cURL) component of     Oracle Enterprise Manager allows an unauthenticated attacker the     ability to takeover Enterprise Manager Ops Center.     (CVE-2018-1000300)

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - A remote code execution vulnerability exists in Jython     before 2.7.1rc1.
    An unauthenticated, remote attacker can exploit this by     sending a serialized function to the deserializer.
    (CVE-2016-4000)

  - A denial of service (DoS) vulnerability exists in OpenSSL due to     the client spending long periods of time generating     a key from large prime values. A malicious remote server can     exploit this issue via sending a very large prime value     to the clients, resulting in a hang until the client has     finished generating the key.
    (CVE-2018-0732)

The remote host is affected by the vulnerability described in GLSA-201710-28 (Jython: Arbitrary code execution)

    It was found that Jython is vulnerable to arbitrary code execution by       sending a serialized function to the deserializer.
  Impact :

    Remote execution of arbitrary code by enticing a user to execute       malicious code.
  Workaround :

    There is no known workaround at this time.

Alvaro Munoz and Christian Schneider discovered that jython, an implementation of the Python language seamlessly integrated with Java, is prone to arbitrary code execution triggered when sending a serialized function to the deserializer.

Alvaro Munoz and Christian Schneider discovered that Jython, an implementation of the Python language seamlessly integrated with Java, would execute arbitrary code when deserializing objects.

For Debian 7 'Wheezy', these problems have been fixed in version 2.5.2-1+deb7u1.

We recommend that you upgrade your jython packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
133260	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Misc.	critical
130054	Oracle Enterprise Manager Cloud Control (Oct 2019 CPU)	Nessus	Misc.	critical
121257	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	critical
121225	Oracle Enterprise Manager Cloud Control (January 2019 CPU)	Nessus	Misc.	critical
104229	GLSA-201710-28 : Jython: Arbitrary code execution	Nessus	Gentoo Local Security Checks	critical
101010	Debian DSA-3893-1 : jython - security update	Nessus	Debian Local Security Checks	critical
100849	Debian DLA-989-1 : jython security update	Nessus	Debian Local Security Checks	critical

CVE-2016-4000

CRITICAL

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical