http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

104207

1040933

https://curl.haxx.se/docs/adv_2018-82c2.html

GLSA-201806-05

USN-3648-1

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

The version of Oracle HTTP Server installed on the remote host is affected by vulnerabilities as noted in the October 2018 CPU advisory:

  - A vulnerability exists in the Oracle HTTP Server component     of Oracle Fusion Middleware (subcomponent: Web Listener     (curl)). The affected version is 12.2.1.3. This is a     difficult to exploit vulnerability that allows an     unauthenticated attacker with network access via HTTP to     compromise Oracle HTTP Server. A successful attacks     requires human interaction from a person other than the     attacker. Successful attacks of this vulnerability can     result in takeover of Oracle HTTP Server. (CVE-2018-1000300)     
  - A denial of service (DoS) vulnerability exists in curl due     to Buffer Over-read. Affected versions are from curl version     7.20.0 to curl 7.59.0. The vulnerable component can be     tricked into reading data beyond the end of the heap.
    An unauthenticated attacked with network access can exploit     this issue to cause the application to stop responding.
    (CVE-2018-1000301)

  - A buffer over-read vulnerability exists in curl that could lead to     information leakage. Affected versions are from  7.20.0 to     curl 7.58.0. A vulnerability in the RTSP+RTP handling code     could allows an attacker to cause a denial of service or     information leakage. An unauthenticated attacked with     network access can exploit this vulnerability to cause     a denial of service (DoS) or to leak information     from the vulnerable application.
    (CVE-2018-1000122)

This update for curl to version 7.60.0 fixes the following issues :

These security issues were fixed :

  - CVE-2018-1000300: Prevent heap-based buffer overflow     when closing down an FTP connection with very long     server command replies (bsc#1092094).

  - CVE-2018-1000301: Prevent buffer over-read that could     have cause reading data beyond the end of a heap based     buffer used to store downloaded RTSP content     (bsc#1092098).

These non-security issues were fixed :

  - Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy     PROXY protocol

  - Add --haproxy-protocol for the command line tool

  - Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP     addresses 

  - FTP: fix typo in recursive callback detection for     seeking

  - test1208: marked flaky

  - HTTP: make header-less responses still count correct     body size

  - user-agent.d:: mention --proxy-header as well

- http2: fixes typo

  - cleanup: misc typos in strings and comments

  - rate-limit: use three second window to better handle     high speeds

  - examples/hiperfifo.c: improved

  - pause: when changing pause state, update socket state

  - curl_version_info.3: fix ssl_version description

  - add_handle/easy_perform: clear errorbuffer on start if     set

  - cmake: add support for brotli

  - parsedate: support UT timezone

  - vauth/ntlm.h: fix the #ifdef header guard

  - lib/curl_path.h: added #ifdef header guard

  - vauth/cleartext: fix integer overflow check

  - CURLINFO_COOKIELIST.3: made the example not leak memory

  - cookie.d: mention that '-' as filename means stdin

  - CURLINFO_SSL_VERIFYRESULT.3: fixed the example

- http2: read pending frames   (including GOAWAY) in connection-check

  - timeval: remove compilation warning by casting

  - cmake: avoid warn-as-error during config checks

  - travis-ci: enable -Werror for CMake builds

  - openldap: fix for NULL return from     ldap_get_attribute_ber()

  - threaded resolver: track resolver time and set suitable     timeout values

  - cmake: Add advapi32 as explicit link library for win32

  - docs: fix CURLINFO_*_T examples use of     CURL_FORMAT_CURL_OFF_T

  - test1148: set a fixed locale for the test

  - cookies: when reading from a file, only remove_expired     once

  - cookie: store cookies per top-level-domain-specific hash     table

  - openssl: RESTORED verify locations when verifypeer==0

  - file: restore old behavior for file:////foo/bar URLs

  - FTP: allow PASV on IPv6 connections when a proxy is     being used

  - build-openssl.bat: allow custom paths for VS and perl

  - winbuild: make the clean target work without build-type

  - build-openssl.bat: Refer to VS2017 as VC14.1 instead of     VC15

  - curl: retry on FTP 4xx, ignore other protocols

  - configure: detect (and use) sa_family_t

  - examples/sftpuploadresume: Fix Windows large file seek

  - build: cleanup to fix clang warnings/errors

  - winbuild: updated the documentation

  - lib: silence null-dereference warnings

  - travis: bump to clang 6 and gcc 7

  - travis: build libpsl and make builds use it

  - proxy: show getenv proxy use in verbose output

  - duphandle: make sure CURLOPT_RESOLVE is duplicated

  - all: Refactor malloc+memset to use calloc

  - checksrc: Fix typo

  - system.h: Add sparcv8plus to oracle/sunpro 32-bit     detection

  - vauth: Fix typo

  - ssh: show libSSH2 error code when closing fails

  - test1148: tolerate progress updates better

  - urldata: make service names unconditional

  - configure: keep LD_LIBRARY_PATH changes local

  - ntlm_sspi: fix authentication using Credential Manager

  - schannel: add client certificate authentication

  - winbuild: Support custom devel paths for each dependency

  - schannel: add support for CURLOPT_CAINFO

- http2: handle on_begin_headers() called more than once

  - openssl: support OpenSSL 1.1.1 verbose-mode trace     messages

  - openssl: fix subjectAltName check on non-ASCII platforms

- http2: avoid strstr() on data not zero terminated

- http2: clear the 'drain counter' when a stream is closed

- http2: handle GOAWAY properly

  - tool_help: clarify --max-time unit of time is seconds

  - curl.1: clarify that options and URLs can be mixed

- http2: convert an assert to run-time check

  - curl_global_sslset: always provide available backends

  - ftplistparser: keep state between invokes

  - Curl_memchr: zero length input can't match

  - examples/sftpuploadresume: typecast fseek argument to     long

  - examples/http2-upload: expand buffer to avoid silly     warning

  - ctype: restore character classification for non-ASCII     platforms

  - mime: avoid NULL pointer dereference risk

  - cookies: ensure that we have cookies before writing jar

  - os400.c: fix checksrc warnings

  - configure: provide --with-wolfssl as an alias for
    --with-cyassl

  - cyassl: adapt to libraries without TLS 1.0 support     built-in

- http2: get rid of another strstr

  - checksrc: force indentation of lines after an else

  - cookies: remove unused macro

  - CURLINFO_PROTOCOL.3: mention the existing defined names

  - tests: provide 'manual' as a feature to optionally     require

  - travis: enable libssh2 on both macos and Linux

  - CURLOPT_URL.3: added ENCODING section

  - wolfssl: Fix non-blocking connect

  - vtls: don't define MD5_DIGEST_LENGTH for wolfssl

  - docs: remove extraneous commas in man pages

  - URL: fix ASCII dependency in strcpy_url and strlen_url

  - ssh-libssh.c: fix left shift compiler warning

  - configure: only check for CA bundle for file-using SSL     backends

  - travis: add an mbedtls build

- http: don't set the 'rewind' flag when not uploading anything

  - configure: put CURLDEBUG and DEBUGBUILD in     lib/curl_config.h

  - transfer: don't unset writesockfd on setup of     multiplexed conns

  - vtls: use unified 'supports' bitfield member in backends

  - URLs: fix one more http url

  - travis: add a build using WolfSSL

  - openssl: change FILE ops to BIO ops

  - travis: add build using NSS

  - smb: reject negative file sizes

  - cookies: accept parameter names as cookie name

- http2: getsock fix for uploads

  - all over: fixed format specifiers

- http2: use the correct function pointer typedef

An update of the curl package has been released.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Enterprise Manager Base Platform Agent Next Gen (Jython)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)

  - Enterprise Manager Base Platform Discovery Framework (OpenSSL)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to cause a frequent crash (DoS) of the Enterprise Manager Base     Platform. (CVE-2018-0732)

  - Enterprise Manager Ops Center Networking (OpenSSL) component of     Oracle Enterprise Manager Products Suite is easily exploited     and can allow an unauthenticated attacker the ability to cause a     frequent crash (DoS) of the Enterprise Manager Ops Center     Platform. (CVE-2018-0732)

  - Oracle Application Testing Suite Load Testing for Web Apps     (Spring Framework) component of Oracle Enterprise Manager     Products Suite is easily exploited and can allow an     unauthenticated attacker the ability to takeover the Enterprise     Manager Base Platform. (CVE-2018-1258)

  - Enterprise Manager Base Platform EM Console component is easily     exploited by an unauthenticated attacker. Successful attacks     can result in unauthorized update, insert, or delete access.     (CVE-2018-3303)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3304)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3305)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-12023)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-14718)

  - Enterprise Manager Ops Center Networking (cURL) component of     Oracle Enterprise Manager allows an unauthenticated attacker the     ability to takeover Enterprise Manager Ops Center.     (CVE-2018-1000300)

- fix FTP shutdown response buffer overflow     (CVE-2018-1000300)

  - fix RTSP bad headers buffer over-read (CVE-2018-1000301)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'curl' packages of Photon OS has been released.

The version of Oracle Secure Global Desktop installed on the remote host is 5.3 / 5.4 and is missing a security patch from the July 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

 - curl version curl 7.54.1 to and including curl 7.59.0 contains a  Heap-based Buffer Overflow vulnerability in FTP connection closing  down functionality which can lead to DoS and RCE conditions. This  vulnerability appears to have been fixed in curl < 7.54.1 and  curl >= 7.60.0. (CVE-2018-1000300)

 - Security constraints defined by annotations of Servlets in Apache  Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and  7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.  It was possible - depending on the order Servlets were loaded - for  some security constraints not to be applied. This could have exposed  resources to unauthorized users. (CVE-2018-1305)

 - ASN.1 types with a recursive definition could exceed the stack  given malicious input with excessive recursion. This could result  in a Denial Of Service attack. Fixed in OpenSSL 1.1.0h (Affected  1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
 (CVE-2018-0739)

The remote host is affected by the vulnerability described in GLSA-201806-05 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Remote attackers could cause a Denial of Service condition, obtain       sensitive information, or have other unspecified impacts.
  Workaround :

    There is no known workaround at this time.

Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.(CVE-2018-1000300)

Curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.(CVE-2018-1000301)

Dario Weisser discovered that curl incorrectly handled long FTP server command replies. If a user or automated system were tricked into connecting to a malicious FTP server, a remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-1000300)

Max Dymond discovered that curl incorrectly handled certain RTSP responses. If a user or automated system were tricked into connecting to a malicious server, a remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2018-1000301).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

cURL security problems :

CVE-2018-1000300: FTP shutdown response buffer overflow

curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.

When doing FTP transfers, curl keeps a spare 'closure handle' around internally that will be used when an FTP connection gets shut down since the original curl easy handle is then already removed.

FTP server response data that gets cached from the original transfer might then be larger than the default buffer size (16 KB) allocated in the 'closure handle', which can lead to a buffer overwrite. The contents and size of that overwrite is controllable by the server.

This situation was detected by an assert() in the code, but that was of course only preventing bad stuff in debug builds. This bug is very unlikely to trigger with non-malicious servers.

We are not aware of any exploit of this flaw.

CVE-2018-1000301: RTSP bad headers buffer over-read

curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content.

When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers to deal with those appropriately and to find the end of the headers that signal the start of the 'body' part.

The function that splits up the response into headers is called Curl_http_readwrite_headers() and in situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of to the start of the buffer which then later on may lead to an out of buffer read when code assumes that pointer points to a full buffer size worth of memory to use.

This could potentially lead to information leakage but most likely a crash/denial of service for applications if a server triggers this flaw.

We are not aware of any exploit of this flaw.

New curl packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
124090	Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2018 CPU)	Nessus	Web Servers	high
123190	openSUSE Security Update : curl (openSUSE-2019-435)	Nessus	SuSE Local Security Checks	high
121963	Photon OS 2.0: Curl PHSA-2018-2.0-0068	Nessus	PhotonOS Local Security Checks	high
121855	Photon OS 1.0: Curl PHSA-2018-1.0-0158	Nessus	PhotonOS Local Security Checks	high
121257	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	high
120931	Fedora 28 : curl (2018-fa01002d7e)	Nessus	Fedora Local Security Checks	high
111954	Photon OS 2.0: Curl PHSA-2018-2.0-0068 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111941	Photon OS 1.0: Curl PHSA-2018-1.0-0158 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111333	Oracle Secure Global Desktop Multiple Vulnerabilities (July 2018 CPU)	Nessus	Misc.	high
110614	GLSA-201806-05 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
110446	Amazon Linux 2 : curl (ALAS-2018-1029)	Nessus	Amazon Linux Local Security Checks	high
110434	openSUSE Security Update : curl (openSUSE-2018-589)	Nessus	SuSE Local Security Checks	high
110061	Fedora 27 : curl (2018-9dc7338487)	Nessus	Fedora Local Security Checks	high
109893	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : curl vulnerabilities (USN-3648-1)	Nessus	Ubuntu Local Security Checks	high
109877	FreeBSD : cURL -- multiple vulnerabilities (04fe6c8d-2a34-4009-a81e-e7a7e759b5d2)	Nessus	FreeBSD Local Security Checks	high
109870	Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-136-01)	Nessus	Slackware Local Security Checks	high

CVE-2018-1000300

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins