Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU)

medium Nessus Plugin ID 133042
Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle Secure Global Desktop installed on the remote host is missing a security patch from the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

- A remote code execution vulnerability exists in the Core (Apache Axis) component. An unauthenticated, adjacent attacker can exploit this issue to execute arbitrary commands. (CVE-2019-0227)

- A cross-site scripting vulnerability exists in the Web Server (Apache HTTPD Server) component. An unauthenticated, remote attacker can exploit this issue by causing the link on the mod_proxy error page to be malformed and point to a page of the attacker's choice. (CVE-2019-10092)

- A cross-site scripting vulnerability exists in faces/context/PartialViewContextImpl.java in Eclipse (Mojarra) due to mishandling of a client window field. An unauthenticated, remote attacker can exploit this issue to perform unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data. (CVE-2019-17091)

Solution

Apply the appropriate patch according to the January 2020 Oracle Critical Patch Update Advisory.

See Also

http://www.nessus.org/u?bc4414d8

http://www.nessus.org/u?2cb6a420

Plugin Details

Severity: Medium

ID: 133042

File Name: oracle_secure_global_desktop_jan_2020_cpu.nasl

Version: 1.3

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/17/2020

Updated: 10/25/2021

Dependencies: oracle_secure_global_desktop_installed.nbin

Risk Information

CVSS Score Source: CVE-2019-10098

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:virtualization_secure_global_desktop

Required KB Items: Host/Oracle_Secure_Global_Desktop/Version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/14/2020

Vulnerability Publication Date: 1/14/2020

Reference Information

CVE: CVE-2019-0227, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-10092, CVE-2019-10098, CVE-2019-17091

BID: 107867