Oracle Enterprise Manager Cloud Control (Jan 2020 CPU)

Nessus Plugin ID 133055 (severity: High)

Synopsis

An enterprise management application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component:

- Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager. Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows a high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data, as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform.

The following components of the Enterprise Manager Base Platform product are affected by the above vulnerability:

- Application Service Level Mgmt (CVE-2020-2631, CVE-2020-2636)
- Connector Framework (CVE-2020-2624, CVE-2020-2633, CVE-2020-2642, CVE-2020-2645)
- Enterprise Config Management (CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621)
- Cloud Control Manager - OMS (CVE-2020-2626)
- Configuration Standard Framewk (CVE-2020-2634)
- Discovery Framework (CVE-2020-2617)
- Enterprise Manager Repository (CVE-2020-2616)
- Event Management (CVE-2020-2622)
- Extensibility Framework (CVE-2020-2629, CVE-2020-2630)
- Global EM Framework (CVE-2020-2613)
- Host Management (CVE-2020-2628, CVE-2020-2639)
- Job System (CVE-2020-2625, CVE-2020-2643)
- Metrics Framework (CVE-2020-2623)
- Oracle Management Service (CVE-2020-2615, CVE-2020-2644)
- Repository (CVE-2020-2608)
- System Monitoring (CVE-2020-2632, CVE-2020-2635)

Solution

Apply the appropriate patch according to the Jan 2020 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?d3df84e9

http://www.nessus.org/u?91e1354f

Plugin Details

Severity: High

ID: 133055

File Name: oracle_enterprise_manager_jan_2020_cpu.nasl

Version: 1.5

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/17/2020

Updated: 5/18/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2020-2645

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-2618

Vulnerability Information

CPE: cpe:/a:oracle:enterprise_manager

Required KB Items: installed_sw/Oracle Enterprise Manager Cloud Control

Exploit Ease: No known exploits are available

Patch Publication Date: 1/14/2020

Vulnerability Publication Date: 1/14/2020

Reference Information

CVE: CVE-2020-2608, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2639, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645

IAVA: 2020-A-0017