Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)
critical Nessus Plugin ID 121257
Language:
Synopsis
The remote host has a web application installed that is affected by multiple vulnerabilities.Description
The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities :- Enterprise Manager Base Platform Agent Next Gen (Jython) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)
- Enterprise Manager Base Platform Discovery Framework (OpenSSL) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to cause a frequent crash (DoS) of the Enterprise Manager Base Platform. (CVE-2018-0732)
- Enterprise Manager Ops Center Networking (OpenSSL) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to cause a frequent crash (DoS) of the Enterprise Manager Ops Center Platform. (CVE-2018-0732)
- Oracle Application Testing Suite Load Testing for Web Apps (Spring Framework) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to takeover the Enterprise Manager Base Platform. (CVE-2018-1258)
- Enterprise Manager Base Platform EM Console component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access. (CVE-2018-3303)
- Oracle Application Testing Suite Load Testing for Web Apps component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access and a partial denial of service. (CVE-2018-3304)
- Oracle Application Testing Suite Load Testing for Web Apps component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access and a partial denial of service. (CVE-2018-3305)
- Enterprise Manager for Virtualization Plug-In Lifecycle (jackson-databind) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager for Virtualization. (CVE-2018-12023)
- Enterprise Manager for Virtualization Plug-In Lifecycle (jackson-databind) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager for Virtualization. (CVE-2018-14718)
- Enterprise Manager Ops Center Networking (cURL) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager Ops Center. (CVE-2018-1000300)
Solution
Apply the appropriate patch according to the January 2019 Oracle Critical Patch Update advisory.See Also
Plugin Details
Severity: Critical
ID: 121257
File Name: oracle_oats_cpu_jan_2019.nasl
Version: 1.4
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 1/21/2019
Updated: 4/11/2022
Supported Sensors: Nessus Agent
Risk Information
CVSS Score Source: CVE-2018-14718
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal Vector: E:U/RL:OF/RC:C
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:oracle:application_testing_suite
Required KB Items: installed_sw/Oracle Application Testing Suite
Exploit Ease: No known exploits are available
Patch Publication Date: 1/16/2019
Vulnerability Publication Date: 1/16/2019
Reference Information
CVE: CVE-2015-9251, CVE-2016-4000, CVE-2018-0732, CVE-2018-1258, CVE-2018-3303, CVE-2018-3304, CVE-2018-3305, CVE-2018-12023, CVE-2018-14718, CVE-2018-1000300
BID: 104207, 104222, 104442, 105647, 105658, 105659, 106601, 106615, 106618