Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0046
Security Advisory: Oracle Commerce
20 April 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Commerce
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-3572 CVE-2016-6304 CVE-2016-2107
Member content until: Friday, May 19 2017
Reference: ASB-2017.0001
ASB-2016.0087
ESB-2017.0994
ESB-2017.0972
ESB-2017.0362
OVERVIEW
Multiple vulnerabilities have been identified in Oracle Commerce
Guided Search / Oracle Commerce Experience Manager, version(s)
6.1.4, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1,
11.2.[1]
IMPACT
The vendor has provided the following information:
"CVE-2017-3572 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle Commerce Guided
Search / Oracle Commerce Experience Manager. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of Oracle
Commerce Guided Search / Oracle Commerce Experience Manager.
CVE-2016-6304 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTPS to compromise Oracle Commerce Guided
Search / Oracle Commerce Experience Manager. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of Oracle
Commerce Guided Search / Oracle Commerce Experience Manager.
CVE-2016-2107 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTPS to compromise Oracle Commerce Guided
Search / Oracle Commerce Experience Manager. Successful attacks of
this vulnerability can result in unauthorized access to critical
data or complete access to all Oracle Commerce Guided Search /
Oracle Commerce Experience Manager accessible data."[2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as
possible. Until you apply the CPU fixes, it may be possible to
reduce the risk of successful attack by blocking network protocols
required by an attack. For attacks that require certain privileges
or access to certain packages, removing the privileges or the
ability to access the packages from users that do not need the
privileges may help reduce the risk of successful attack. Both
approaches may break application functionality, so Oracle strongly
recommends that customers test changes on non-production systems.
Neither approach should be considered a long-term solution as
neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2017
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
[2] Text Form of Oracle Critical Patch Update - April 2017 Risk
Matrices
https://www.oracle.com/technetwork/topics/security/cpuapr2017verbose-3236619.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWPgcZox+lLeg9Ub1AQhHIw/+O1LmPs4SBusIZyaXV/5Rv6Xg7HJvSHYN
O5mvm0/MfvrxK6IVzEbFNsIllfDwXdTV4ZdaBxvLCaI1TXNnBW50qfSnnCV770vX
/EG+NaD1RqcTUcAOoUGjOdi7h5aqZN9mK06D0Tr4O9ddqOGsibXyGnW5UhF+8iH6
atz69EhOZW15ddYcAKCr2B2QbU/bcG5UHsIqQhm4mAUR+nNV+GYoXXrRdsm0/esO
CEwuoEg2gOMlOSKWVUN1Bj4p91Qncue11oX45LBDqNFDgXMKVb8kLGk7ggJd5lvk
qTC+XQqTo/2R4xRrc6g4aEqaHy9FxenSijKZRGsjEz6QbygZeJfJckOnYvzzgXyN
85K30Al/algAp23HATcP9Mo3wVgTetSmH+b0btjoZHDzcXAIJhOC0Z45h3meqQmP
yyJvOL0/HiSnrx6B9p9LkhzrjV3MzCi05lG5mf+g9+yq+usXi4RtfjZbePD+/DyQ
tCDHMun8uoN1onxXrvAGp7My3tp3wwQEK7BnEwVZM7YrtHe97ytDW5dFpRgWrQyx
/wRTFa/TNtXHLd98KjETD37UIWI71WSJlkMybrgVMUK+EM3qZacfezjxc97UgJ9l
3I1MChjhh4zIVy78PRcry62zJfFz89zBQe+X1Qtt82eyVrernsv3L3y1P39VQbrh
GMVN9qTL7W0=
=0EsP
-----END PGP SIGNATURE-----