Synopsis
The website content management system installed on the remote host is affected by multiple vulnerabilities.

Description
The Oracle WebCenter Sites installation on the remote host is missing patches from the April 2015 CPU. It is, therefore, affected by multiple vulnerabilities:
- A flaw exists within 'MultipartStream.java' in Apache Commons FileUpload when parsing malformed Content-Type headers. A remote attacker, using a crafted header, can exploit this to cause an infinite loop, resulting in a denial of service. (CVE-2014-0050)
- ParametersInterceptor in Apache Struts does not properly restrict access to the getClass method. A remote attacker, using a crafted request, can exploit this to manipulate the ClassLoader, thus allowing the execution of arbitrary code. (CVE-2014-0112)

Solution
Apply the appropriate patch according to the April 2015 Oracle Critical Patch Update advisory.