SynopsisAn application installed on the remote host is affected by multiple vulnerabilities.
DescriptionThe version of Oracle Secure Global Desktop installed on the remote host is 5.4 and is missing a security patch from the January 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:
- A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections.
A possible mitigation is to not enable the h2 protocol.
- An unvalidated redirect vulnerability exists in the default servlet in Apache Tomcat due to improper input validation. An unauthenticated remote attack can exploit this issue via a specially crafted URL to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)
SolutionApply the appropriate patch according to the January 2019 Oracle Critical Patch Update advisory.