SynopsisAn application server installed on the remote host is affected by multiple vulnerabilities.
DescriptionThe version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the April 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:
- A flaw exists in FasterXML jackson-databind 2.x before 2.9.8 due to a failure to block the jboss-common-core class from polymorphic deserialization. A remote attacker can exploit this, via leveraging this failure, to cause unspecified impact. (CVE-2018-19362)
- A vulnerability exists in Apache Commons FileUpload before 1.3.3. If an application deserializes data from an untrusted source without filtering and/or validation, a remote attacker can exploit this to cause remote code execution. (CVE-2016-1000031)
SolutionApply the appropriate patch according to the April 2019 Oracle Critical Patch Update advisory.