https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e@%3Cannounce.apache.org%3E

[tika-user] 20191105 Is tika-parsers exposed to CVE-2019-12415

[tika-user] 20191105 Re: Is tika-parsers exposed to CVE-2019-12415

[tika-user] 20191106 Re: Is tika-parsers exposed to CVE-2019-12415

[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the July 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including the following:

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a     JNDI service to access, it is possible to make the service execute a malicious payload. This is part of     the Security Framework component and is an easily exploitable vulnerability hat allows an unauthenticated     attacker with network access to compromise Oracle WebCenter Portal. (CVE-2019-17531)

  - A vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer).
    Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable     vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Oracle WebCenter Portal accessible data as well as     unauthorized read access to a subset of Oracle WebCenter Portal accessible data and the unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2020-14611)

  - A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was     last released in 2006, which is used in Oracle WebCenter Portal's WebCenter Spaced Application component.
    This difficult to exploit vulnerability allows an unauthenticated attacker with access to the physical     communication segment attached to the hardware where the Oracle WebCenter Portal executes to compromise     Oracle WebCenter Portal. (CVE-2019-0227)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Enterprise Manager Install (jackson-databind)).
    Supported versions that are affected are 13.3.0.0 and     13.4.0.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise Enterprise Manager Base Platform. Successful     attacks of this vulnerability can result in takeover of     Enterprise Manager Base Platform. CVSS 3.1 Base Score     9.8 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2020-9546)

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Reporting Framework (Apache Struts 2)). Supported     versions that are affected are 13.3.0.0 and 13.4.0.0.
    Difficult to exploit vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise Enterprise Manager Base Platform. Successful     attacks of this vulnerability can result in takeover of     Enterprise Manager Base Platform. CVSS 3.1 Base Score     8.1 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2018-11776)

  - Vulnerability in the Enterprise Manager Base Platform     product of Oracle Enterprise Manager (component:
    Application Service Level Mgmt (Apache Axis)). Supported     versions that are affected are 12.1.0.5 and 13.3.0.0.
    Difficult to exploit vulnerability allows     unauthenticated attacker with access to the physical     communication segment attached to the hardware where the     Enterprise Manager Base Platform executes to compromise     Enterprise Manager Base Platform. Successful attacks of     this vulnerability can result in takeover of Enterprise     Manager Base Platform. CVSS 3.1 Base Score 7.5     (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2019-0227)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities:

  - A Polymorphic Typing issue was discovered in FasterXML     jackson-databind before 2.9.10 used in Primavera Unifier.
    (CVE-2019-14540)

  - A memory exhaustion flaw exists in Apache Tika's RecursiveParserWrapper     versions 1.7 - 1.21 used in Primavera Unifier. (CVE-2019-10088)

  - A Server Side Request Forgery (SSRF) vulnerability affected the     Apache Axis 1.4 distribution that was last released in 2006. Security     and bug commits commits continue in the projects Axis 1.x Subversion     repository, legacy users are encouraged to build from source. The     successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is     not vulnerable to this issue. (CVE-2019-0227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Two Polymorphic Typing issues present in FasterXML jackson-databind related to     com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers.
    (CVE-2019-16335, CVE-2019-14540)

  - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that     the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of     the X.509 certificate. An unauthenticated, remote attacker can exploit this to spoof SSL servers via a     certificate with a subject that specifies a common name in a field that is not a CN field. (CVE-2014-3596)

  - A Server Side Request Forgery (SSRF) vulnerability in Apache Axis that can be exploited by an     unauthenticated, remote attacker. (CVE-2019-0227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
138564	Oracle WebCenter Portal Multiple Vulnerabilities (Jul 2020 CPU)	Nessus	Misc.	high
138555	Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)	Nessus	Misc.	high
133359	Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	CGI abuses	high
133260	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Misc.	high
132936	Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	CGI abuses	high

CVE-2019-12415

LOW

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high