Oracle JDeveloper Multiple RCE (July 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
Synopsis :

A software development application installed on the remote host is
affected by multiple remote code execution vulnerabilities.

Description :

The version of Oracle JDeveloper installed on the remote host is
missing a security patch. It is, therefore, affected by multiple
remote code execution vulnerabilities :

- A remote code execution vulnerability exists in the
Application Development Framework (ADF) Faces
subcomponent that allows an unauthenticated, remote
attacker to execute arbitrary code. (CVE-2016-3504)

- A remote code execution vulnerability exists in the
Apache MyFaces Trinidad component in the
CoreResponseStateManager subcomponent due to improper
validation of the ObjectInputStream and
ObjectOutputStream strings prior to deserialization. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-5019)

See also :

http://www.nessus.org/u?453b5f8c

Solution :

Apply the appropriate patch according to the July 2016 Oracle Critical
Patch Update advisory.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 93592

Bugtraq ID: 92023, 93236

CVE ID: CVE-2016-3504, CVE-2016-5019
