http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

102558

1040207

The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.9.x prior to 11.1.1.9.180116 or 12.2.1.2.x prior to 12.2.1.2.180116 or 12.2.1.3.x prior to 12.2.1.3.180116. It is, therefore, affected by multiple vulnerabilities as noted in the January 2018 Critical Patch Update advisory.
The Oracle Business Intelligence Publisher installed on the remote host is affected by multiple vulnerabilities:

  - An improper restriction of the lifetime of queues entries     associated with unused our-of-order messages allows an     remote attacker to cause a denial of service in the     DTLS implementationof OpenSSL before 1.1.0     (CVE-2016-2179).
  - An easily exploitable vulnerability allows an     unauthenticated attacker with network access to     compromise Oracle Business Intelligence Enterprise     Edition via HTTP. A Successful attack of this     vulnerability would result in unauthorized access to     data as well as unauthorized update, insert or delete.
    This attack would required human interaction.     (CVE-2017-10068).
  - An low privileged attacker with network access via HTTP     can exploit a vulnerability in Oracle Business     Intelligence Enterprise Edition. A successful attack     would allow the unauthorized access to critical data     (CVE-2018-2715).

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.27 Patch 26834070. It is, therefore, affected by an unspecified vulnerability in the Network Security Services (NSS) library with unknown impact.

The version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities as noted in the January 2018 CPU advisory.

ID	Name	Product	Family	Severity
119885	Oracle Business Intelligence Publisher Multiple Vulnerabilities (January 2018 CPU)	Nessus	Misc.	high
106349	Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)	Nessus	Web Servers	critical
106299	Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)	Nessus	Web Servers	critical

CVE-2018-2715

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

critical