Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (July 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.

Synopsis :

An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.

Description :

The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by multiple vulnerabilities in the
Enterprise Manager Base Platform component :

- Multiple flaws exist in the OpenSSL library bundled in
the Discovery Framework subcomponent, specifically in
the aesni_cbc_hmac_sha1_cipher() function in file
crypto/evp/e_aes_cbc_hmac_sha1.c and the
aesni_cbc_hmac_sha256_cipher() function in file
crypto/evp/e_aes_cbc_hmac_sha256.c, that are triggered
when the connection uses an AES-CBC cipher and AES-NI
is supported by the server. A man-in-the-middle attacker
can exploit these to conduct a padding oracle attack,
resulting in the ability to decrypt the network traffic.

- An unspecified flaw exists in the UI Framework
subcomponent that allows an unauthenticated, remote
attacker to disclose potentially sensitive information.

- An unspecified flaw exists in the Security Framework
subcomponent that allows a local attacker to impact
confidentiality and integrity. (CVE-2016-3563)

Note that the product was formerly known as Enterprise Manager Grid

Solution :

Apply the appropriate patch according to the July 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Medium / CVSS Base Score : 5.4
CVSS Temporal Score : 4.2
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 92585

Bugtraq ID: 89760

CVE ID: CVE-2016-2107
