A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2023 CPU advisory.

  - Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: EAI (JSON-java)). Supported     versions that are affected are 23.5 and prior. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Siebel CRM. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel     CRM. (CVE-2020-15250, CVE-2022-45688)

  - Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: Siebel Core (Apache ZooKeeper)).
    Supported versions that are affected are 23.5 and prior. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Siebel CRM. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of Siebel CRM. (CVE-2020-36518, CVE-2020-9493, CVE-2021-21295, CVE-2021-37533, CVE-2022-2048,     CVE-2022-23307, CVE-2022-41915, CVE-2022-42003, CVE-2022-42004)

  - Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: UI Framework (jQueryUI)).
    Supported versions that are affected are 23.5 and prior. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Siebel CRM. Successful attacks require     human interaction from a person other than the attacker and while the vulnerability is in Siebel CRM,     attacks may significantly impact additional products (scope change). Successful attacks of this     vulnerability can result in unauthorized update, insert or delete access to some of Siebel CRM accessible     data as well as unauthorized read access to a subset of Siebel CRM accessible data. (CVE-2022-31160)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202402-16 (Apache Log4j: Multiple Vulnerabilities)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)

  - A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious     code execution. (CVE-2020-9493)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira installed on the remote host is prior to 8.13.x < 8.13.21 / 8.20.x < 8.20.9 / 8.22.x < 8.22.3 / 9.0.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73885 advisory.

  - The version of {{log4j}} used by Jira has been updated from version *1.2.7-atlassian-3* to
    *1.2.7-atlassian-16* to address the following vulnerabilities:
    [CVE-2021-4104|https://www.cve.org/CVERecord?id=CVE-2021-4104] JMSAppender is vulnerable to a     deserialization flaw. A local attacker with privileges to update the Jira configuration can exploit this     to execute arbitrary code. Jira is not configured to use JMSAppender, nor does Atlassian provide any     documentation on using JMSAppender with Jira. Atlassian has [remediated this vulnerability by preventing     external JNDI lookups|https://bitbucket.org/atlassian/log4j1/pull-requests/9] in the Atlassian version of     {{{}log4j{}}}. [CVE-2020-9493|https://www.cve.org/CVERecord?id=CVE-2020-9493] and     [CVE-2022-23307|https://www.cve.org/CVERecord?id=CVE-2022-23307] Apache Chainsaw is bundled with {{log4j}}     1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this     to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed     manually. It is not required by Jira, nor is it executed by default, nor does Atlassian provide any     documentation on using Chainsaw with Jira. Atlassian has [remediated this vulnerability by removing     Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the     Atlassian version of {{{}log4j{}}}. [CVE-2022-23302|https://www.cve.org/CVERecord?id=CVE-2022-23302]     JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Jira     configuration can exploit this to execute arbitrary code. Jira is not configured to use JMSSink by     default, nor does Atlassian provide any documentation on using JMSSink with Jira. Atlassian has     [remediated this vulnerability by removing     JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the     Atlassian version of {{{}log4j{}}}. [CVE-2022-23305|https://www.cve.org/CVERecord?id=CVE-2022-23305]     JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter     ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Jira     is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using     JDBCAppender with Jira. Atlassian has [remediated this vulnerability by removing     JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from     the Atlassian version of {{{}log4j{}}}. Affected versions of Jira: * Versions < 8.13.21 * All versions     8.14.x through 8.19.x * Versions 8.21.x * Versions 8.22.x < 8.22.3 Fixed versions of Jira: * Versions     8.13.x >= 8.13.21 * Versions 8.20.x >= 8.20.9 * Versions 8.22.x >= 8.22.3 * Versions >= 9.0.0 (atlassian-     JRASERVER-73885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
212439	Oracle Siebel Server <= 23.5 (July 2023 CPU)	Nessus	Misc.	critical
190670	GLSA-202402-16 : Apache Log4j: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
162398	Atlassian Jira 8.13.x < 8.13.21 / 8.20.x < 8.20.9 / 8.22.x < 8.22.3 / 9.0.0 SQLI (JRASERVER-73885)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2020-9493

critical

Tenable Plugins

critical

critical

critical