This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.

An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.

The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by multiple vulnerabilities in the
Enterprise Manager Base Platform component :

  - Multiple flaws exist in the OpenSSL library bundled in
    the Discovery Framework subcomponent, specifically in
    the aesni_cbc_hmac_sha1_cipher() function in file
    crypto/evp/e_aes_cbc_hmac_sha1.c and the
    aesni_cbc_hmac_sha256_cipher() function in file
    crypto/evp/e_aes_cbc_hmac_sha256.c, that are triggered
    when the connection uses an AES-CBC cipher and AES-NI
    is supported by the server. A man-in-the-middle attacker
    can exploit these to conduct a padding oracle attack,
    resulting in the ability to decrypt the network traffic.

  - An unspecified flaw exists in the UI Framework
    subcomponent that allows an unauthenticated, remote
    attacker to disclose potentially sensitive information.

  - An unspecified flaw exists in the Security Framework
    subcomponent that allows a local attacker to impact
    confidentiality and integrity. (CVE-2016-3563)

Note that the product was formerly known as Enterprise Manager Grid

See also :

Apply the appropriate patch according to the July 2016 Oracle
Critical Patch Update advisory.

Risk factor :
Medium / CVSS Base Score : 5.4
CVSS Temporal Score : 4.2
Public Exploit Available : true