Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2019.0199 Oracle Communications Applications CPU 17 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Oracle Communications applications Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-12086 CVE-2019-11358 CVE-2019-2729 CVE-2018-1000180 CVE-2018-1000120 CVE-2018-19362 CVE-2018-18311 CVE-2018-17197 CVE-2018-15756 CVE-2018-12023 CVE-2018-8039 CVE-2018-8013 CVE-2018-1305 CVE-2018-1275 CVE-2018-0732 CVE-2017-5715 CVE-2017-5664 CVE-2017-5645 CVE-2017-3736 CVE-2016-1000031 CVE-2015-9251 Member content until: Friday, August 16 2019 Reference: ASB-2019.0127 OVERVIEW Multiple vulnerabilities have been identified in : o Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0 o Oracle Communications Billing and Revenue Management, versions 7.5, 12.0 o Oracle Communications Converged Application Server, versions 5.1, 7.0, 7.1 o Oracle Communications Converged Application Server - Service Controller, versions 6.0, 6.1 o Oracle Communications Convergence, version 3.0.2 o Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3 o Oracle Communications EAGLE (Software), versions 46.5, 46.6, 46.7 o Oracle Communications Instant Messaging Server, version 10.0.1.2.0 o Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2 o Oracle Communications Messaging Server, versions 8.0.2, 8.1.0 o Oracle Communications Online Mediation Controller, version 6.1 o Oracle Communications Unified, version 8.0.0.2.0 [1] IMPACT The vendor has provided the following information regarding the vulnerabilities: "This Critical Patch Update contains 24 new security fixes for Oracle Communications Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1] CVE-2016-1000031 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Application Session Controller 3.7.1, 3.8.0 o Oracle Communications Convergence 3.0.2 o Oracle Communications Online Mediation Controller 6.1 o Oracle Communications Unified 8.0.0.2.0 CVE-2019-2729 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Converged Application Server 5.1, 7.0, 7.1 CVE-2018-1275 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Converged Application Server - Service Controller 6.0, 6.1 CVE-2017-5645 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Interactive Session Recorder 6.0, 6.1, 6.2 CVE-2018-19362 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Unified 8.0.0.2.0 CVE-2018-18311 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Billing and Revenue Management 7.5, 12.0 CVE-2018-8039 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Diameter Signaling Router (DSR) 8.0, 8.1, 8.2 CVE-2018-12023 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Instant Messaging Server 10.0.1.2.0 CVE-2018-1000120 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of the affected system. Affects: o Oracle Communications Application Session Controller 3.7.1, 3.8.0 CVE-2019-12086 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all the affected system's accessible data. Affects: o Oracle Communications Billing and Revenue Management 7.5, 12.0 CVE-2018-1000180 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all the affected system's accessible data. Affects: o Oracle Communications Convergence 3.0.2 CVE-2018-0732 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the affected system. Affects: o Oracle Communications Diameter Signaling Router (DSR) 8.0, 8.1, 8.2, 8.3 CVE-2017-5664 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all the affected system's accessible data. Affects: o Oracle Communications Interactive Session Recorder 6.0, 6.1, 6.2 CVE-2018-15756 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the affected system. Affects: o Oracle Communications Online Mediation Controller 6.1 CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of the affected system's accessible data as well as unauthorized read access to a subset of the affected system's accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of the affected system. Affects: o Oracle Communications Application Session Controller 3.7.1, 3.8.0 CVE-2017-3736 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Easily exploitable vulnerability allows low privileged attacker with network access via TLS to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all the affected system's accessible data. Affects: o Oracle Communications EAGLE (Software) 46.5, 46.6, 46.7 CVE-2018-1305 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all the affected system's accessible data. Affects: o Oracle Communications Instant Messaging Server 10.0.1.2.0 CVE-2018-17197 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the affected system. Affects: o Oracle Communications Messaging Server 8.0.2, 8.1.0 CVE-2015-9251 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in the affected system, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of the affected system's accessible data as well as unauthorized read access to a subset of the affected system's accessible data. Affects: o Oracle Communications Application Session Controller 3.7.1, 3.8.0 CVE-2019-11358 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise the affected system. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in the affected system, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of the affected system's accessible data as well as unauthorized read access to a subset of the affected system's accessible data. Affects: o Oracle Communications Billing and Revenue Management 7.5, 12.0 CVE-2017-5715 5.6 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where the affected system executes to compromise the affected system. While the vulnerability is in the affected system, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all the affected system's accessible data. Affects: o Oracle Communications Diameter Signaling Router (DSR) 8.0, 8.1, 8.2, 8.3" [1] MITIGATION Oracle states: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1] REFERENCES [1] Oracle Critical Patch Update Advisory - July 2019 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html [2] Text Form of Oracle Critical Patch Update - July 2019 Risk Matrices https://www.oracle.com/technetwork/security-advisory/cpujul2019verbose-5072838.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXS6zEGaOgq3Tt24GAQiEYg//dujaswEUp7yN6oMVd/6n2yPjMfVHyTcQ YJZoMaCU5GkwlF9WEidpYWxL8D5kdWNwpAptFjDR/kVd5Tv/LyR9awFYOx63ETAT 2dunC632NHqoyngltvwkWO9i4x/pn6prS7VH5zNJM23pV84dE3sq1NwQz4mUBLYs bb2zTX3uLQlC4IVgt10mA5MvgsEwZ07gvMsuN1S3Yr9zU4JOW1BKye23O1ul2h0l 9sPDfLrz9kqPqeaW3yKCc+ef+AyPqjKy4zCFujIk2SSmodU2/KRXNtGS93DIR8MS xXbynwLbw9i9oBS7GIuFINzV5UoTQhm5Y3EDjWUtGMaL9p3PBQdX3Tt68O2lW3F5 Qk5vSrmgQqGa3KUS/ieMzoWDheHqEvoQOwRhngZK6UMVyQfBq3x1GjG2V/ieHYOj Ytg5GilWsX6Zuz9MyfPplwcdtPR3E9h8zDA+Ls7fS/pZWfv9YPoHW8hXDI60FxQm vWhz2g3fEtdBlD6P9IQByJTV8HDlxgS2/4qHGQs4LzHqEWb5TnZKnhQDajw2jgJu Dqj6r7I3FfxTFn80/lgq/8zvihAe47VwjE2nlxn29EHyf8TT4/hSn1n2K4Mk1pHW Uw9MfzYGfhq1qOOHUh/7eky1RNV58c2C75LnT6j2Wdx9pBDwz6bCbPL4G3mYmq7m 7B/H1Tvmzog= =WWCW -----END PGP SIGNATURE-----