Security Bulletin: Multiple vulnerabilities may affect Oracle Outside In Technology (OIT) Version 8.5.3 used by IBM FileNet Content Manager and IBM Content Foundation
## Summary
Multiple vulnerabilities may affect Oracle Outside In Technology (OIT) Version 8.5.3, which is used by IBM FileNet Content Manager and IBM Content Foundation.
The Oracle OIT issues were disclosed in the Oracle April 2018 Critical Patch Update.
## Vulnerability Details
**Advisory CVEs:**
**CVEID:** [_CVE-2018-2768_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2768>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, no integrity impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/141924_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141924>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L)
**CVEID:** [_CVE-2018-2801_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2801>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Image Export SDK component could allow an unauthenticated attacker to cause high confidentiality impact, no integrity impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/141957_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141957>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L)
**CVEID:** [_CVE-2018-2806_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2806>)
**DESCRIPTION:** An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, no integrity impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/141962_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141962>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L)
## Affected Products and Versions
FileNet Content Manager 5.2.1, 5.5.0
IBM Content Foundation 5.2.1, 5.5.0
## Remediation/Fixes
To resolve these vulnerabilities, install one of the patch sets listed below to upgrade Oracle Outside In Technology (OIT) to the April 2018 v8.5.3 patch 27695571 release.
**Product** | **VRMF** | **APAR** | **Remediation/First Fix**
---|---|---|---
FileNet Content Manager | 5.2.1<br>5.5.0 | [_PJ45337_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45337>)<br>[_PJ45338_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45338>)<br>[_PJ45337_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45337>)<br>[_PJ45338_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45338>) | [_5.2.1.7-P8CPE-IF002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.1.7&platform=All&function=all>) - 5/24/2018<br>[_5.2.1.7-P8CSS-IF002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Search+Services&release=5.2.1.7&platform=All&function=all>) - 5/24/2018<br>5.5.1.0-P8CPE - 6/28/2018<br>5.5.1.0-P8CSS - 6/28/2018
IBM Content Foundation | 5.2.1<br>5.5.0 | [_PJ45337_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45337>)<br>[_PJ45338_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45338>)<br>[_PJ45337_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45337>)<br>[_PJ45338_](<http://www.ibm.com/support/docview.wss?uid=swg1PPJ45338>) | [_5.2.1.7-P8CPE-IF002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.1.7&platform=All&function=all>) - 5/24/2018<br>[_5.2.1.7-P8CSS-IF002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Search+Services&release=5.2.1.7&platform=All&function=all>) - 5/24/2018<br>5.5.1.0-P8CPE - 6/28/2018<br>5.5.1.0-P8CSS - 6/28/2018

In the above table, the APAR links will provide more information about the fix.
## Workarounds and Mitigations
None
## Get Notified about Future Security Bulletins
Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
## Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
### References
[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" )
[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" )
## Related Information
[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)
## Change History
6 June, 2018 - initial release
28 June, 2018 - 5.5.1.0 release
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
## Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Product versions or releases that are not listed are past their support life cycle or must be updated to the appropriate June 19, 2018 release of Microsoft Exchange Server to receive the fixes for these vulnerabilities.\n", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.2}, "published": "2018-06-19T07:00:00", "type": "mscve", "title": "June 2018 Oracle Outside In Library Security Update", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2768", "CVE-2018-2801", "CVE-2018-2806"], "modified": "2018-06-19T07:00:00", "id": "MS:ADV180010", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV180010", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T16:44:29", "description": "Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. 
Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.2}, "published": "2018-04-19T02:29:00", "type": "cve", "title": "CVE-2018-2768", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2768"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:outside_in_technology:8.5.3"], "id": 
"CVE-2018-2768", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2768", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:outside_in_technology:8.5.3:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T16:45:11", "description": "Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 7.1 (Confidentiality and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.2}, "published": "2018-04-19T02:29:00", "type": "cve", "title": "CVE-2018-2806", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2806"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:outside_in_technology:8.5.3"], "id": "CVE-2018-2806", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2806", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:outside_in_technology:8.5.3:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T16:45:07", "description": "Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Image Export SDK). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.2}, "published": "2018-04-19T02:29:00", "type": "cve", "title": "CVE-2018-2801", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2801"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:outside_in_technology:8.5.3"], "id": "CVE-2018-2801", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2801", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:outside_in_technology:8.5.3:*:*:*:*:*:*:*"]}], "oracle": [{"lastseen": "2021-10-22T15:44:26", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n * Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 255 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2383583.1>).\n\nThe January 2018 Critical Patch Update provided patches in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities. 
Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note ([Doc ID 2347948.1](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2347948.1>)) for information on how to obtain these patches.\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-17T00:00:00", "title": "Oracle Critical Patch Update - April 2018", "type": "oracle", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2768", "CVE-2018-2802", "CVE-2018-2775", "CVE-2018-2815", "CVE-2018-2748", "CVE-2018-2836", "CVE-2017-9798", "CVE-2018-2878", "CVE-2018-2826", "CVE-2018-2827", "CVE-2017-5753", "CVE-2017-5754", "CVE-2018-2817", "CVE-2018-2800", "CVE-2018-2868", "CVE-2018-2832", "CVE-2018-2789", "CVE-2018-2852", "CVE-2018-2808", "CVE-2018-2749", "CVE-2018-2747", "CVE-2018-2563", "CVE-2018-2860", "CVE-2018-2769", "CVE-2017-13080", "CVE-2016-5019", "CVE-2018-2776", "CVE-2018-7489", "CVE-2016-6306", "CVE-2018-2841", "CVE-2018-2759", "CVE-2016-2183", "CVE-2018-2870", "CVE-2018-2844", "CVE-2018-2822", "CVE-2018-2853", "CVE-2018-2746", 
"CVE-2016-2178", "CVE-2018-2755", "CVE-2018-2810", "CVE-2018-2812", "CVE-2018-2803", "CVE-2016-9878", "CVE-2017-10400", "CVE-2017-3735", "CVE-2018-2823", "CVE-2018-2842", "CVE-2018-2786", "CVE-2018-2778", "CVE-2018-2820", "CVE-2018-2765", "CVE-2018-2876", "CVE-2016-3092", "CVE-2018-2856", "CVE-2018-2872", "CVE-2018-2858", "CVE-2016-6302", "CVE-2017-13082", "CVE-2018-2819", "CVE-2018-2783", "CVE-2018-2774", "CVE-2016-8745", "CVE-2016-2177", "CVE-2018-2784", "CVE-2018-2771", "CVE-2018-2835", "CVE-2018-2848", "CVE-2018-2840", "CVE-2016-0635", "CVE-2018-2863", "CVE-2018-2867", "CVE-2018-2845", "CVE-2018-2824", "CVE-2018-2861", "CVE-2018-2777", "CVE-2018-2738", "CVE-2018-2838", "CVE-2018-2849", "CVE-2015-7501", "CVE-2018-2754", "CVE-2018-2795", "CVE-2016-6307", "CVE-2017-3737", "CVE-2013-1768", "CVE-2017-15707", "CVE-2018-2791", "CVE-2018-2807", "CVE-2018-2766", "CVE-2018-2763", "CVE-2018-2780", "CVE-2018-2879", "CVE-2018-2752", "CVE-2016-6308", "CVE-2017-13078", "CVE-2017-5662", "CVE-2018-2816", "CVE-2014-0054", "CVE-2018-2793", "CVE-2016-2180", "CVE-2018-2742", "CVE-2018-2739", "CVE-2017-7805", "CVE-2018-2798", "CVE-2018-2814", "CVE-2018-2855", "CVE-2018-2799", "CVE-2017-5715", "CVE-2018-2787", "CVE-2016-2181", "CVE-2018-2818", "CVE-2016-6304", "CVE-2018-2753", "CVE-2018-2756", "CVE-2018-2851", "CVE-2018-2796", "CVE-2018-2764", "CVE-2018-2837", "CVE-2018-2847", "CVE-2018-0739", "CVE-2017-17562", "CVE-2018-2805", "CVE-2018-2572", "CVE-2018-2801", "CVE-2018-2761", "CVE-2018-2821", "CVE-2018-2782", "CVE-2018-2831", "CVE-2018-2773", "CVE-2018-2797", "CVE-2018-2864", "CVE-2018-2828", "CVE-2018-2866", "CVE-2018-2587", "CVE-2018-2829", "CVE-2017-7525", "CVE-2018-2770", "CVE-2016-7052", "CVE-2018-2718", "CVE-2018-2781", "CVE-2018-2830", "CVE-2018-2806", "CVE-2017-5664", "CVE-2018-2779", "CVE-2018-2825", "CVE-2018-2813", "CVE-2016-5007", "CVE-2018-2854", "CVE-2018-2811", "CVE-2018-2762", "CVE-2018-2869", "CVE-2018-2790", "CVE-2017-3738", "CVE-2018-2877", "CVE-2018-2865", 
"CVE-2018-2760", "CVE-2018-2834", "CVE-2016-6305", "CVE-2016-6303", "CVE-2018-2772", "CVE-2018-2846", "CVE-2018-2792", "CVE-2017-5645", "CVE-2016-2182", "CVE-2018-2833", "CVE-2017-12617", "CVE-2018-2859", "CVE-2018-2843", "CVE-2018-2804", "CVE-2017-10393", "CVE-2018-2788", "CVE-2018-2628", "CVE-2018-2785", "CVE-2018-2750", "CVE-2018-2873", "CVE-2015-7940", "CVE-2017-3736", "CVE-2018-2758", "CVE-2017-13077", "CVE-2016-3506", "CVE-2018-2737", "CVE-2018-2809", "CVE-2018-2871", "CVE-2017-15095", "CVE-2016-2179", "CVE-2016-6814", "CVE-2017-7674", "CVE-2018-2857", "CVE-2018-2839", "CVE-2018-2850", "CVE-2018-2862", "CVE-2016-6309", "CVE-2018-2794", "CVE-2018-2874"], "modified": "2018-12-10T00:00:00", "id": "ORACLE:CPUAPR2018", "href": "https://www.oracle.com/security-alerts/cpuapr2018.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}