Oracle Secure Global Desktop Multiple Vulnerabilities (January 2016 CPU) (Logjam)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The application installed on the remote host is affected by multiple
vulnerabilities.

Description :

The version of Oracle Secure Global Desktop installed on the remote
host is version 4.63 / 4.71 / 5.2 and is missing a security patch from
the January 2016 Critical Patch Update (CPU). It is, therefore,
affected by the following vulnerabilities :

- A flaw exists in the bundled version of Apache HTTP
Server in the chunked transfer coding implementation due
to a failure to properly parse chunk headers. A remote
attacker can exploit this to conduct HTTP request
smuggling attacks. (CVE-2015-3183)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

- An unspecified flaw exists in the SGD Core subcomponent
that allows a remote attacker to cause a denial of
service condition. (CVE-2016-0501)

See also :

http://www.nessus.org/u?da1a16c5
https://weakdh.org/

Solution :

Apply the appropriate patch according to the July 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 88049 ()

Bugtraq ID: 74733
75963

CVE ID: CVE-2015-3183
CVE-2015-4000
CVE-2016-0501

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now