Detections
Analytics
Oracle JDeveloper Multiple RCE (July 2016 CPU)
critical Nessus Plugin ID 93592
Language:
Synopsis
A software development application installed on the remote host is affected by multiple remote code execution vulnerabilities.Description
The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities :- A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504)
- A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019)
Solution
Apply the appropriate patch according to the July 2016 Oracle Critical Patch Update advisory.See Also
Plugin Details
Severity: Critical
ID: 93592
File Name: oracle_jdeveloper_cpu_july_2016.nasl
Version: 1.15
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 9/19/2016
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2016-5019
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:oracle:fusion_middleware, cpe:/a:oracle:jdeveloper
Required KB Items: installed_sw/Oracle JDeveloper
Exploit Ease: No known exploits are available
Patch Publication Date: 7/19/2016
Vulnerability Publication Date: 7/19/2016
Reference Information
CVE: CVE-2016-3504, CVE-2016-5019