-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2020.0072
       Oracle CPU for April 2020 for Fusion Middleware products
                            15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle WebLogic
                   Oracle Fusion Middleware products
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2952 CVE-2020-2950 CVE-2020-2949 CVE-2020-2915
                   CVE-2020-2884 CVE-2020-2883 CVE-2020-2869 CVE-2020-2867
                   CVE-2020-2829 CVE-2020-2828 CVE-2020-2811 CVE-2020-2801
                   CVE-2020-2798 CVE-2020-2787 CVE-2020-2786 CVE-2020-2785
                   CVE-2020-2784 CVE-2020-2783 CVE-2020-2766 CVE-2020-2747
                   CVE-2020-2745 CVE-2020-2740 CVE-2020-2739 CVE-2019-17571
                   CVE-2019-17359 CVE-2019-16943 CVE-2019-16168 CVE-2019-15903
                   CVE-2019-13990 CVE-2019-12415 CVE-2019-11358 CVE-2019-10247
                   CVE-2019-10088 CVE-2019-1547 CVE-2019-0222 CVE-2018-20843
                   CVE-2018-20622 CVE-2018-15756 CVE-2017-12626 CVE-2017-5130
                   CVE-2016-1000031 CVE-2016-10328 CVE-2015-7940
Member content until: Friday, May 15 2020
Reference:         ASB-2020.0071
                   ESB-2018.1724
                   ESB-2017.2080
                   ESB-2015.3119

OVERVIEW

        Multiple vulnerabilities have been identified in:

        o Identity Manager Connector, version 9.0
        o Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0
        o Oracle API Gateway, version 11.1.2.4.0
        o Oracle Big Data Discovery, version 1.6
        o Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0,
          11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
        o Oracle Business Process Management Suite, version 12.2.1.4.0
        o Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0,
          12.2.1.4.0
        o Oracle Endeca Information Discovery Integrator, version 3.2.0
        o Oracle Endeca Server, version 7.7.0
        o Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
        o Oracle Global Lifecycle Management NextGen OUI Framework, versions
          12.2.1.3.0, 12.2.1.4.0, 13.9.4.2.2
        o Oracle HTTP Server, version 11.1.1.9.0
        o Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
        o Oracle Outside In Technology, versions 8.5.4, 8.5.5
        o Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
        o Oracle Unified Directory, versions 12.2.1.3.0, 12.2.1.4.0
        o Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
        o Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
        o Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
          12.2.1.4.0 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 51 new security patches for
        Oracle Fusion Middleware. 44 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]

        CVE-2020-2950   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via HTTP to compromise
          Oracle Business Intelligence Enterprise Edition. Successful attacks
          of this vulnerability can result in takeover of Oracle Business
          Intelligence Enterprise Edition.

          Affects:
          o Oracle Business Intelligence Enterprise Edition 5.5.0.0.0,
            11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0

        CVE-2016-1000031   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and
          12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
          attacker with network access via HTTP to compromise Oracle Business
          Intelligence Enterprise Edition. Successful attacks of this
          vulnerability can result in takeover of Oracle Business Intelligence
          Enterprise Edition.

          Affects:
          o Oracle Business Intelligence Enterprise Edition 11.1.1.9.0,
            12.2.1.3.0, 12.2.1.4.0

        CVE-2020-2915   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 3.7.1.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via T3 to compromise
          Oracle Coherence. Successful attacks of this vulnerability can
          result in takeover of Oracle Coherence.

          Affects:
          o Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

        CVE-2019-13990   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          The supported version that is affected is 12.2.1.3.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Fusion Middleware
          MapViewer. Successful attacks of this vulnerability can result in
          takeover of Oracle Fusion Middleware MapViewer.

          Affects:
          o Oracle Fusion Middleware MapViewer 12.2.1.3.0

        CVE-2019-16943   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 13.9.4.2.2, 12.2.1.3.0 and
          12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
          attacker with network access via HTTP to compromise Oracle Global
          Lifecycle Management NextGen OUI Framework. Successful attacks of
          this vulnerability can result in takeover of Oracle Global Lifecycle
          Management NextGen OUI Framework.

          Affects:
          o Oracle Global Lifecycle Management NextGen OUI Framework
            13.9.4.2.2, 12.2.1.3.0, 12.2.1.4.0
          o Oracle WebCenter Portal 12.2.1.3.0, 12.2.1.4.0
          o Oracle WebCenter Sites 12.2.1.3.0, 12.2.1.4.0

        CVE-2016-10328   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in takeover of
          Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2019-17571   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and
          12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated
          attacker with network access via HTTP to compromise Oracle WebLogic
          Server. Successful attacks of this vulnerability can result in
          takeover of Oracle WebLogic Server.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

        CVE-2020-2801   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via T3 to compromise
          Oracle WebLogic Server. Successful attacks of this vulnerability can
          result in takeover of Oracle WebLogic Server.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2020-2883   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via T3 to compromise
          Oracle WebLogic Server. Successful attacks of this vulnerability can
          result in takeover of Oracle WebLogic Server.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2020-2884   9.8   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via T3 to compromise
          Oracle WebLogic Server. Successful attacks of this vulnerability can
          result in takeover of Oracle WebLogic Server.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2019-10088   8.8   AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

          The supported version that is affected is 12.2.1.4.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Business Process
          Management Suite. Successful attacks require human interaction from
          a person other than the attacker. Successful attacks of this
          vulnerability can result in takeover of Oracle Business Process
          Management Suite.

          Affects:
          o Oracle Business Process Management Suite 12.2.1.4.0

        CVE-2017-5130   8.8   AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

          The supported version that is affected is 11.1.1.9.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle HTTP Server. Successful
          attacks require human interaction from a person other than the
          attacker. Successful attacks of this vulnerability can result in
          takeover of Oracle HTTP Server.

          Affects:
          o Oracle HTTP Server 11.1.1.9.0

        CVE-2020-2867   8.2   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

          Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0 and
          12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
          attacker with network access via HTTP to compromise Oracle WebLogic
          Server. Successful attacks of this vulnerability can result in
          unauthorized creation, deletion or modification access to critical
          data or all Oracle WebLogic Server accessible data as well as
          unauthorized read access to a subset of Oracle WebLogic Server
          accessible data.

          Affects:
          o Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

        CVE-2019-0222   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          The supported version that is affected is 9.0. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Identity Manager Connector. Successful
          attacks of this vulnerability can result in unauthorized ability to
          cause a hang or frequently repeatable crash (complete DOS) of
          Identity Manager Connector.

          Affects:
          o Identity Manager Connector 9.0

        CVE-2018-15756   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          The supported version that is affected is 9.0. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Identity Manager Connector. Successful
          attacks of this vulnerability can result in unauthorized ability to
          cause a hang or frequently repeatable crash (complete DOS) of
          Identity Manager Connector.

          Affects:
          o Identity Manager Connector 9.0

        CVE-2015-7940   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

          Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and
          12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
          attacker with network access via HTTPS to compromise Oracle Business
          Intelligence Enterprise Edition. Successful attacks of this
          vulnerability can result in unauthorized access to critical data or
          complete access to all Oracle Business Intelligence Enterprise
          Edition accessible data.

          Affects:
          o Oracle Business Intelligence Enterprise Edition 11.1.1.9.0,
            12.2.1.3.0, 12.2.1.4.0

        CVE-2017-12626   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          The supported version that is affected is 3.2.0. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Oracle Endeca Information Discovery
          Integrator. Successful attacks of this vulnerability can result in
          unauthorized ability to cause a hang or frequently repeatable crash
          (complete DOS) of Oracle Endeca Information Discovery Integrator.

          Affects:
          o Oracle Endeca Information Discovery Integrator 3.2.0

        CVE-2019-17359   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
          Easily exploitable vulnerability allows unauthenticated attacker
          with network access via HTTPS to compromise Oracle Managed File
          Transfer. Successful attacks of this vulnerability can result in
          unauthorized ability to cause a hang or frequently repeatable crash
          (complete DOS) of Oracle Managed File Transfer.

          Affects:
          o Oracle Managed File Transfer 12.2.1.3.0, 12.2.1.4.0
          o Oracle SOA Suite 12.2.1.3.0, 12.2.1.4.0
          o Oracle WebCenter Portal 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0

        CVE-2019-15903   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          ability to cause a hang or frequently repeatable crash (complete
          DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2019-16168   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          Supported versions that are affected are 8.5.5 and 8.5.4. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          ability to cause a hang or frequently repeatable crash (complete
          DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.5, 8.5.4

        CVE-2018-20843   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

          The supported version that is affected is 8.5.4. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Oracle Outside In Technology. Successful
          attacks of this vulnerability can result in unauthorized ability to
          cause a hang or frequently repeatable crash (complete DOS) of Oracle
          Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4

        CVE-2020-2828   7.5   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

          The supported version that is affected is 10.3.6.0.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via T3 to compromise Oracle WebLogic Server.
          Successful attacks of this vulnerability can result in unauthorized
          access to critical data or complete access to all Oracle WebLogic
          Server accessible data.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0

        CVE-2020-2739   7.4   AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

          The supported version that is affected is 12.2.1.3.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle WebCenter Sites.
          Successful attacks require human interaction from a person other
          than the attacker and while the vulnerability is in Oracle WebCenter
          Sites, attacks may significantly impact additional products.
          Successful attacks of this vulnerability can result in unauthorized
          access to critical data or complete access to all Oracle WebCenter
          Sites accessible data.

          Affects:
          o Oracle WebCenter Sites 12.2.1.3.0

        CVE-2020-2784   7.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

          The supported version that is affected is 8.5.4. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Oracle Outside In Technology. Successful
          attacks of this vulnerability can result in unauthorized update,
          insert or delete access to some of Oracle Outside In Technology
          accessible data as well as unauthorized read access to a subset of
          Oracle Outside In Technology accessible data and unauthorized
          ability to cause a partial denial of service (partial DOS) of Oracle
          Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4

        CVE-2020-2785   7.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          update, insert or delete access to some of Oracle Outside In
          Technology accessible data as well as unauthorized read access to a
          subset of Oracle Outside In Technology accessible data and
          unauthorized ability to cause a partial denial of service (partial
          DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2020-2786   7.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          update, insert or delete access to some of Oracle Outside In
          Technology accessible data as well as unauthorized read access to a
          subset of Oracle Outside In Technology accessible data and
          unauthorized ability to cause a partial denial of service (partial
          DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2020-2787   7.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          update, insert or delete access to some of Oracle Outside In
          Technology accessible data as well as unauthorized read access to a
          subset of Oracle Outside In Technology accessible data and
          unauthorized ability to cause a partial denial of service (partial
          DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2020-2798   7.2   AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          high privileged attacker with network access via T3 to compromise
          Oracle WebLogic Server. Successful attacks of this vulnerability can
          result in takeover of Oracle WebLogic Server.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2020-2952   6.5   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

          The supported version that is affected is 11.1.1.9.0. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle HTTP Server. Successful
          attacks of this vulnerability can result in unauthorized update,
          insert or delete access to some of Oracle HTTP Server accessible
          data as well as unauthorized read access to a subset of Oracle HTTP
          Server accessible data.

          Affects:
          o Oracle HTTP Server 11.1.1.9.0

        CVE-2018-20622   6.5   AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks require human interaction from a person other
          than the attacker. Successful attacks of this vulnerability can
          result in unauthorized ability to cause a hang or frequently
          repeatable crash (complete DOS) of Oracle Outside In Technology.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2019-11358   6.1   AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

          The supported version that is affected is 1.6. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Oracle Big Data Discovery. Successful attacks
          require human interaction from a person other than the attacker and
          while the vulnerability is in Oracle Big Data Discovery, attacks may
          significantly impact additional products. Successful attacks of this
          vulnerability can result in unauthorized update, insert or delete
          access to some of Oracle Big Data Discovery accessible data as well
          as unauthorized read access to a subset of Oracle Big Data Discovery
          accessible data.

          Affects:
          o Oracle Big Data Discovery 1.6
          o Oracle Fusion Middleware MapViewer 12.2.1.3.0
          o Oracle WebCenter Sites 12.2.1.3.0

        CVE-2020-2811   6.1   AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via HTTP to compromise
          Oracle WebLogic Server. Successful attacks require human interaction
          from a person other than the attacker and while the vulnerability is
          in Oracle WebLogic Server, attacks may significantly impact
          additional products. Successful attacks of this vulnerability can
          result in unauthorized update, insert or delete access to some of
          Oracle WebLogic Server accessible data as well as unauthorized read
          access to a subset of Oracle WebLogic Server accessible data.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2019-12415   5.5   AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

          The supported version that is affected is 1.6. Easily exploitable
          vulnerability allows low privileged attacker with logon to the
          infrastructure where Oracle Big Data Discovery executes to
          compromise Oracle Big Data Discovery. Successful attacks of this
          vulnerability can result in unauthorized access to critical data or
          complete access to all Oracle Big Data Discovery accessible data.

          Affects:
          o Oracle Big Data Discovery 1.6

        CVE-2020-2747   5.4   AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

          Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
          Easily exploitable vulnerability allows low privileged attacker with
          network access via HTTP to compromise Oracle Access Manager.
          Successful attacks require human interaction from a person other
          than the attacker and while the vulnerability is in Oracle Access
          Manager, attacks may significantly impact additional products.
          Successful attacks of this vulnerability can result in unauthorized
          update, insert or delete access to some of Oracle Access Manager
          accessible data as well as unauthorized read access to a subset of
          Oracle Access Manager accessible data.

          Affects:
          o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0

        CVE-2020-2949   5.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

          Supported versions that are affected are 3.7.1.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via HTTP to compromise
          Oracle Coherence. Successful attacks of this vulnerability can
          result in unauthorized read access to a subset of Oracle Coherence
          accessible data.

          Affects:
          o Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

        CVE-2019-10247   5.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

          The supported version that is affected is 3.2.0. Easily exploitable
          vulnerability allows unauthenticated attacker with network access
          via HTTP to compromise Oracle Endeca Information Discovery
          Integrator. Successful attacks of this vulnerability can result in
          unauthorized read access to a subset of Oracle Endeca Information
          Discovery Integrator accessible data.

          Affects:
          o Oracle Endeca Information Discovery Integrator 3.2.0
          o Oracle Unified Directory 12.2.1.3.0, 12.2.1.4.0

        CVE-2020-2783   5.3   AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

          Supported versions that are affected are 8.5.4 and 8.5.5. Easily
          exploitable vulnerability allows unauthenticated attacker with
          network access via HTTP to compromise Oracle Outside In Technology.
          Successful attacks of this vulnerability can result in unauthorized
          update, insert or delete access to some of Oracle Outside In
          Technology accessible data.

          Note: Outside In Technology is a suite of software development kits
          (SDKs). The protocol and CVSS score depend on the software that uses
          the Outside In Technology code. The CVSS score assumes that the
          software passes data received over a network directly to Outside In
          Technology code, but if data is not received over a network the CVSS
          score may be lower.

          Affects:
          o Oracle Outside In Technology 8.5.4, 8.5.5

        CVE-2020-2766   5.3   AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via HTTP to compromise
          Oracle WebLogic Server. Successful attacks of this vulnerability can
          result in unauthorized read access to a subset of Oracle WebLogic
          Server accessible data.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0

        CVE-2020-2829   4.9   AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

          The supported version that is affected is 10.3.6.0.0. Easily
          exploitable vulnerability allows high privileged attacker with
          network access via HTTP to compromise Oracle WebLogic Server.
          Successful attacks of this vulnerability can result in unauthorized
          access to critical data or complete access to all Oracle WebLogic
          Server accessible data.

          Affects:
          o Oracle WebLogic Server 10.3.6.0.0

        CVE-2019-1547   4.7   AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

          The supported version that is affected is 11.1.2.4.0. Difficult to
          exploit vulnerability allows low privileged attacker with logon to
          the infrastructure where Oracle API Gateway executes to compromise
          Oracle API Gateway. Successful attacks of this vulnerability can
          result in unauthorized access to critical data or complete access to
          all Oracle API Gateway accessible data.

          Affects:
          o Oracle API Gateway 11.1.2.4.0
          o Oracle Endeca Server 7.7.0

        CVE-2020-2740   4.6   AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

          Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
          Easily exploitable vulnerability allows low privileged attacker with
          network access via HTTP to compromise Oracle Access Manager.
          Successful attacks require human interaction from a person other
          than the attacker. Successful attacks of this vulnerability can
          result in unauthorized update, insert or delete access to some of
          Oracle Access Manager accessible data as well as unauthorized read
          access to a subset of Oracle Access Manager accessible data.

          Affects:
          o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0

        CVE-2020-2745   4.3   AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

          Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
          Easily exploitable vulnerability allows unauthenticated attacker
          with network access via HTTP to compromise Oracle Access Manager.
          Successful attacks require human interaction from a person other
          than the attacker. Successful attacks of this vulnerability can
          result in unauthorized ability to cause a partial denial of service
          (partial DOS) of Oracle Access Manager.

          Affects:
          o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0

        CVE-2020-2869   4.3   AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

          Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
          12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
          unauthenticated attacker with network access via HTTP to compromise
          Oracle WebLogic Server. Successful attacks require human interaction
          from a person other than the attacker. Successful attacks of this
          vulnerability can result in unauthorized update, insert or delete
          access to some of Oracle WebLogic Server accessible data.
          Affects:
          o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
            12.2.1.4.0 [1]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2020
            https://www.oracle.com/security-alerts/cpuapr2020.html

        [2] Text Form of Oracle Critical Patch Update - April 2020 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpuapr2020verbose.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.
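Oracle's interim mitigation is to block the network protocol an attack
requires. For the 9.8-rated WebLogic Server rows (CVE-2020-2801, -2883,
-2884) and the Coherence row (CVE-2020-2915) that protocol is T3, so the
first practical question is which listeners still answer T3 at all. The
following Python is an added example, not AusCERT's or Oracle's code: it
sends the client side of the T3 handshake, parses the server's HELO banner,
and maps the reported version onto the WebLogic Server versions this bulletin
lists. The handshake bytes, the "HELO:<version>.<true|false>" reply shape and
the default port 7001 are assumptions taken from publicly documented T3
probes, not something the bulletin states.

```python
"""Check whether a host still answers the WebLogic T3 protocol."""
import socket

# Client side of the T3 handshake. Assumption: this "t3 <version>/AS/HL"
# preamble is the form used by public T3 fingerprinting scripts.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# WebLogic Server versions the bulletin lists for CVE-2020-2801/-2883/-2884.
AFFECTED_WLS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}


def parse_t3_banner(data: bytes):
    """Return (speaks_t3, version) from the server's reply.

    Assumption: a T3 listener answers with a first line of the form
    "HELO:<version>.<true|false>"; anything else (an HTTP error page, an
    empty read) means the port does not speak T3.
    """
    text = data.decode("latin-1", "replace")
    if not text.startswith("HELO:"):
        return False, None
    first_line = text.split("\n", 1)[0]
    parts = first_line[len("HELO:"):].split(".")
    # The trailing token is a boolean flag; everything before it is the version.
    if parts and parts[-1] in ("true", "false"):
        parts = parts[:-1]
    return True, ".".join(parts)


def classify(data: bytes) -> str:
    """Map a banner onto the bulletin's affected list.

    "exposed-affected-version" means the version string matches a row in the
    bulletin. It does not prove the CPU fix is missing: applying a CPU does
    not change the version the banner reports, so the patch level has to be
    confirmed on the host (OPatch inventory), not from the network.
    """
    speaks_t3, version = parse_t3_banner(data)
    if not speaks_t3:
        return "no-t3"
    if version in AFFECTED_WLS:
        return "exposed-affected-version"
    return "exposed-other-version"


def probe(host: str, port: int = 7001, timeout: float = 3.0) -> str:
    """Connect, send the handshake and classify the reply. Port 7001 is
    WebLogic's default listen port (assumption: the target uses the default)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            return classify(sock.recv(1024))
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

A result of "exposed-affected-version" puts the host in scope for the CPU;
it is not a finding of an unpatched server. Where T3 must stay reachable for
legitimate clients, WebLogic's network connection filter
(weblogic.security.net.ConnectionFilterImpl) can restrict the t3 and t3s
protocols to known source addresses; as the vendor text above warns, try
that rule set on a non-production domain first, and treat it as a stopgap
until the CPU is applied.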
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXpZ30WaOgq3Tt24GAQgc1w//VQa+OScVnTZBQDXhg0PLuiKHgPUPvp05
4pdgVlaz6dVol9OGoFLbs80F0XLAPQsjQ4E3kCgtfec7Ra4SdyiY3kxdKqUpL+bm
engAFNe3wVgJ0dQE2hCOCkdTq0JGERQ0mYk/W10XVxk57/IRx1PNsGYQAq9Q44Qv
tV0E3UZk8JZX96B64KmkfQRmmylg6O9WhLVhNbHuw1r7pxcrQspCrK4MoH6abPJN
w4j40ZWIGYOSAoBvtkBomOsUYh506eAK/gECGCCIYEC1LtrMMDN14PigMG08lGiD
RaWf/BtqzpkN/YDlxqKNpUqcwbd7314pTnxR+P4pVIhTCF5s8tP1KcszALBLqX3i
f17jNE9KKtQOZ+TwP8dZi2ulhC0EbffIygWHwKAuTLixHSs/X3dMbvyTlaXSgnMc
SEIQ5bhlk6+Kg/lZIBzeh1d00zRblx+FM7oicTcDs9uPys9gX30DhXXCK2A5O7A0
8smK08B27vJBqPxlv/LU+G73MsgorYaCMWikBP/Yx/hXjSAzUdsGpxRBg4sgdlAy
fCbf5e33L1dailQVnsWVNn177DQS6umxjJtEd+lLSXlMIqLH/bvZO88w8St0EV2P
EvLeYM0kF+caJYcKYv4CpwlLO5CjBfQiT5WjIl71POSIGrj25pWvnQ5vQSyut22Y
+UPF6TX4FL0=
=el6T
-----END PGP SIGNATURE-----