-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0178
                  Security Advisory: Oracle Support Tools
                               18 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Support Tools
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-1000300  
Member content until: Friday, August 17 2018
Reference:            ESB-2018.1504

OVERVIEW

        A vulnerability has been identified in OSS Support Tools,
        versions prior to 18.3. [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerability:
        
        "This Critical Patch Update contains 1 new security fix for
        Oracle Support Tools. This vulnerability is remotely
        exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]

        The July 2018 risk matrix entry gives the CVSS base score
        and vector for the issue:

        "CVE-2018-1000300
        7.5
        AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

        The supported version that is affected is Prior to 18.3.
        Difficult to exploit vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise OSS
        Support Tools. Successful attacks require human interaction
        from a person other than the attacker. Successful attacks of
        this vulnerability can result in takeover of OSS Support
        Tools." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2018
            http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

        [2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW07oGmaOgq3Tt24GAQgj/w//VZ8eYWQLkkQIEzSMtUaRbKqAOO5frJSD
OSGt+rf4OFjLGVglLFXGumgLBI1/T/LABq46kGunZye8rMMsQkRsm6pS4NHnWPqJ
s2DOuLDX0uZwj7fBgSFOefaef488nydC0tea3HaoVRir4S0LFNlacK6n5/BeTLbq
+y4YdpZg2izN3CDi1nSdiZz2c/HAbsLepd/EImrZXqvc6UCC4qLupimR3xVhCu8O
oH13XKhIbvchtbGT88EC+1k974PhTbhVjJWbBdU1WAtyfVxGiT3c/AgaSoXFZV2g
4V+UNe2TydaQ3gp0yXK+w0KnUCF45QZRX12GNdXHefEttTMDlspUVvxAkLb6HhSX
8XfO4CoDsrjhGcRFnmROR4kIoGUbqiUbbumqXhSZX9gchCwirHobz2LTpZv1275D
uBnM+YtJEtWEa7SxyWArnr0EjwzK2QinRI8GZFL/UtK/9e8c7reSPyXRDU4Rpij9
zNBk6TgZF7H3ZjRvkD6vJVJHLQGsZ/s2F4Pm8K8dhSQD1ViIbmfzVlXa5odT0rwI
HW6cp5zpGik5KTn1JZIaU++GrdMPe8QnPTZ+yfSbIrzR7GplJnqlDY8fUgk2aWat
Z64759S1ytLTQRnGwE1XyLVUnG3wccAoLfBToWAyrngt32khA7/tv7Nc7477B0iU
vAETvMzUErU=
=mSPy
-----END PGP SIGNATURE-----