Synopsis
An application installed on the remote host is affected by multiple vulnerabilities.
Description
The version of Oracle Secure Global Desktop installed on the remote host is 5.3 and is missing a security patch from the January 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:
- The included OpenSSL library has an off-by-one out-of-bounds read flaw within the X509v3_addr_get_afi() function of crypto/x509v3/v3_addr.c when handling the IPAddressFamily extension of X.509 certificates. A context-dependent attacker, with a specially crafted request, could potentially read limited memory information. (CVE-2017-3735)
- The included OpenSSL library has a carry-propagation flaw within the bn_sqrx8x_internal() function in crypto/bn/asm/x86_64-mont5.pl when handling RSA / DSA encryption. A context-dependent attacker, with a specially crafted request, could potentially determine the private key. (CVE-2017-3736)
- The included Apache Log4j library contains a flaw caused by improper validation of log events before they are deserialized. A remote attacker, with a specially crafted log event, could potentially execute arbitrary script code. (CVE-2017-5645)
Solution
Apply the appropriate patch according to the January 2018 Oracle Critical Patch Update advisory.