https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e@%3Cannounce.apache.org%3E

[tika-user] 20191105 Is tika-parsers exposed to CVE-2019-12415

[tika-user] 20191105 Re: Is tika-parsers exposed to CVE-2019-12415

[tika-user] 20191106 Re: Is tika-parsers exposed to CVE-2019-12415

https://www.oracle.com/security-alerts/cpujan2020.html

[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities.

  - Component: WebCenter Sites (Terracotta Quartz Scheduler)). The supported   versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable   vulnerability allows unauthenticated attacker with network access via HTTP to   compromise Oracle WebCenter Sites. Successful attacks of this vulnerability   can result in takeover of Oracle WebCenter Sites. (CVE-2019-13990)

  - Component: WebCenter Sites (XStream)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows low privileged attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in takeover of Oracle WebCenter Sites. (CVE-2021-29505)

  - Component: WebCenter Sites (dojo)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows unauthenticated attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in unauthorized creation, deletion or modification access to critical data or   all Oracle WebCenter Sites accessible data. (CVE-2020-5258)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version

The version of Oracle JDeveloper installed on the remote host is prior to 12.2.1.4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory:

  - Vulnerability in the Essbase product of Oracle Essbase (component: Infrastructure (Apache Commons Compress)). The     supported version that is affected is 21.2. Easily exploitable vulnerability allows low privileged attacker with     access to the physical communication segment attached to the hardware where the Essbase executes to compromise     Essbase. Successful attacks require human interaction from a person other than the attacker. Successful attacks of     this vulnerability can result in unauthorized update, insert or delete access to some of Essbase accessible data     and unauthorized ability to cause a partial denial of service (partial DOS) of Essbase. (CVE-2019-12402)

  - Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: OAM (Apache POI)).     The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged     attacker with logon to the infrastructure where Oracle JDeveloper and ADF executes to compromise Oracle JDeveloper     and ADF. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Oracle JDeveloper and ADF accessible data. (CVE-2019-12415)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Application     Service Level Mgmt (dom4j)). The supported version that is affected is 13.4.0.0. Easily exploitable vulnerability      allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform.     Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform.     (CVE-2020-10683)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions     that are affected are 12.1.0.2 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require     human interaction from a person other than the attacker and while the vulnerability is in Advanced     Networking Option, attacks may significantly impact additional products. Successful attacks of this     vulnerability can result in takeover of Advanced Networking Option. (CVE-2021-2351)

  - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected     are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any     Procedure, Alter Any Table privilege with network access via Oracle Net to compromise Oracle Text.
    Successful   attacks of this vulnerability can result in takeover of Oracle Text. (CVE-2021-2328)

  - Vulnerability in the Oracle XML DB component of Oracle Database Server. Supported versions that are     affected   are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having     Create Any   Procedure, Create Public Synonym privilege with network access via Oracle Net to compromise     Oracle XML DB.   Successful attacks of this vulnerability can result in takeover of Oracle XML DB.
    (CVE-2021-2329)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the July 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including the following:

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a     JNDI service to access, it is possible to make the service execute a malicious payload. This is part of     the Security Framework component and is an easily exploitable vulnerability hat allows an unauthenticated     attacker with network access to compromise Oracle WebCenter Portal. (CVE-2019-17531)

  - A vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer).
    Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable     vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Oracle WebCenter Portal accessible data as well as     unauthorized read access to a subset of Oracle WebCenter Portal accessible data and the unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2020-14611)

  - A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was     last released in 2006, which is used in Oracle WebCenter Portal's WebCenter Spaced Application component.
    This difficult to exploit vulnerability allows an unauthenticated attacker with access to the physical     communication segment attached to the hardware where the Oracle WebCenter Portal executes to compromise     Oracle WebCenter Portal. (CVE-2019-0227)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Enterprise Manager Install (jackson-databind)).
    Supported versions that are affected are 13.3.0.0 and     13.4.0.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise Enterprise Manager Base Platform. Successful     attacks of this vulnerability can result in takeover of     Enterprise Manager Base Platform. CVSS 3.1 Base Score     9.8 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2020-9546)

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Reporting Framework (Apache Struts 2)). Supported     versions that are affected are 13.3.0.0 and 13.4.0.0.
    Difficult to exploit vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise Enterprise Manager Base Platform. Successful     attacks of this vulnerability can result in takeover of     Enterprise Manager Base Platform. CVSS 3.1 Base Score     8.1 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2018-11776)

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Application Service Level Mgmt (Apache Axis)). Supported     versions that are affected are 12.1.0.5 and 13.3.0.0.
    Difficult to exploit vulnerability allows     unauthenticated attacker with access to the physical     communication segment attached to the hardware where the     Enterprise Manager Base Platform executes to compromise     Enterprise Manager Base Platform. Successful attacks of     this vulnerability can result in takeover of Enterprise     Manager Base Platform. CVSS 3.1 Base Score 7.5     (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2019-0227)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities:

  - A Polymorphic Typing issue was discovered in FasterXML     jackson-databind before 2.9.10 used in Primavera Unifier.
    (CVE-2019-14540)

  - A memory exhaustion flaw exists in Apache Tika's RecursiveParserWrapper     versions 1.7 - 1.21 used in Primavera Unifier. (CVE-2019-10088)

  - A Server Side Request Forgery (SSRF) vulnerability affected the     Apache Axis 1.4 distribution that was last released in 2006. Security     and bug commits commits continue in the projects Axis 1.x Subversion     repository, legacy users are encouraged to build from source. The     successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is     not vulnerable to this issue. (CVE-2019-0227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Two Polymorphic Typing issues present in FasterXML jackson-databind related to     com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers.
    (CVE-2019-16335, CVE-2019-14540)

  - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that     the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of     the X.509 certificate. An unauthenticated, remote attacker can exploit this to spoof SSL servers via a     certificate with a subject that specifies a common name in a field that is not a CN field. (CVE-2014-3596)

  - A Server Side Request Forgery (SSRF) vulnerability in Apache Axis that can be exploited by an     unauthenticated, remote attacker. (CVE-2019-0227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154418	Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)	Nessus	Windows	critical
152033	Oracle JDeveloper XXE (July 2021 CPU)	Nessus	Misc.	critical
152026	Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)	Nessus	Databases	high
138564	Oracle WebCenter Portal Multiple Vulnerabilities (Jul 2020 CPU)	Nessus	Misc.	high
138555	Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)	Nessus	Misc.	high
133359	Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	CGI abuses	critical
133260	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Misc.	critical
132936	Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	CGI abuses	critical

CVE-2019-12415

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

high

high

high

critical

critical

critical