Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_ACCESS_MANAGER_CPU_JAN_2018.NASL
HistoryApr 15, 2019 - 12:00 a.m.

Oracle Access Manager Multiple Vulnerabilities (Jan 2018 CPU)

2019-04-1500:00:00
This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26
JSON

The version of Oracle Access Manager installed on the remote host is 10.1.4.3.x prior to 10.1.4.3.13 or 11.1.2.3.x prior to 11.1.2.3.180116. It is, therefore, affected by multiple vulnerabilities as noted in the October 2018 Critical Patch Update advisory:

  • A Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Web Server Plugin (OpenSSL)). The affected version is 10.1.4.3.0. This is a difficult to exploit vulnerability that allows unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager. A successful attack of this vulnerability may result in unauthorized access to critical data or complete access to all Oracle Access Manager accessible data. (CVE-2017-3732)

  • A vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Web Server Plugin). The affected version is 11.1.2.3.0. This is a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager. A successful attack of this vulnerability may result in unauthorized access to critical data or complete access to all Oracle Access Manager accessible data. (CVE-2017-10262)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(124059);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2016-2177",
    "CVE-2016-2178",
    "CVE-2016-2180",
    "CVE-2016-2181",
    "CVE-2016-2182",
    "CVE-2016-2183",
    "CVE-2016-6302",
    "CVE-2016-6303",
    "CVE-2016-6304",
    "CVE-2016-6306",
    "CVE-2016-7052",
    "CVE-2016-7055",
    "CVE-2017-3731",
    "CVE-2017-3732",
    "CVE-2017-10262"
  );
  script_bugtraq_id(
    91081,
    91319,
    92117,
    92557,
    92628,
    92630,
    92982,
    92984,
    93150,
    93153,
    93171,
    94242,
    95813,
    95814,
    102562
  );

  script_name(english:"Oracle Access Manager Multiple Vulnerabilities (Jan 2018 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Access Manager installed on the remote
host is 10.1.4.3.x prior to 10.1.4.3.13 or 11.1.2.3.x prior
to 11.1.2.3.180116. It is, therefore, affected by multiple
vulnerabilities as noted in the October 2018 Critical 
Patch Update advisory:

  - A Vulnerability in the Oracle Access Manager component
    of Oracle Fusion Middleware (subcomponent: Web Server
    Plugin (OpenSSL)). The affected version is 10.1.4.3.0. 
    This is a difficult to exploit vulnerability that allows
    unauthenticated attacker with network access via HTTPS
    to compromise Oracle Access Manager. A successful attack
    of this vulnerability may result in unauthorized access
    to critical data or complete access to all Oracle Access
    Manager accessible data. (CVE-2017-3732)

  - A vulnerability in the Oracle Access Manager component
    of Oracle Fusion Middleware (subcomponent: Web Server
    Plugin). The affected version is 11.1.2.3.0. This is a
    difficult to exploit vulnerability that allows an
    unauthenticated attacker with network access via HTTPS
    to compromise Oracle Access Manager. A successful 
    attack of this vulnerability may result in unauthorized
    access to critical data or complete access to all Oracle
    Access Manager accessible data. (CVE-2017-10262)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ae82f1b1");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patches according to the January 2018 Oracle
Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6303");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_access_manager_installed.nbin");
  script_require_keys("Oracle/OAM/Installed", "installed_sw/Oracle Access Manager");

  exit(0);
}

include('vcf.inc');
appname = 'Oracle Access Manager';

app_info = vcf::get_app_info(app:appname);

constraints = [
  {'min_version': '10.1.4.3.0', 'fixed_version': '10.1.4.3.13'},
  {'min_version': '11.1.2.3.0', 'fixed_version': '11.1.2.3.180116'}
];

vcf::check_version_and_report(app_info: app_info, constraints: constraints, severity: SECURITY_HOLE);
VendorProductVersionCPE
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware

References

Related

suse 11
aix 1
openvas 33
nessus 42
osv 3
debian 2
archlinux 2
ibm 75
ubuntu 2
fedora 3
altlinux 6
oraclelinux 2
centos 1
cloudfoundry 1
mageia 2
redhat 2
freebsd_advisory 1
amazon 1
arista 1
cisco 1
huawei 1
freebsd 1
slackware 1
fortinet 1
f5 1
symantec 1
nodejsblog 1
suse
suse
Security update for openssl-steam (important)
2018-02-16 12:07:45
Security update for openssl (important)
2016-09-27 11:09:12
Security update for openssl (important)
2016-09-27 19:11:34
aix
aix
Vulnerabilities in OpenSSL affect AIX
2016-11-14 13:29:26
openvas
openvas
openSUSE: Security Advisory for openssl-steam (openSUSE-SU-2018:0458-1)
2018-02-17 00:00:00
Debian: Security Advisory (DSA-3673-1)
2016-09-21 00:00:00
Ubuntu: Security Advisory (USN-3087-1)
2016-09-23 00:00:00
nessus
nessus
AIX OpenSSL Advisory : openssl_advisory21.asc (SWEET32)
2016-11-22 00:00:00
SUSE SLES12 Security Update : openssl (SUSE-SU-2016:2387-1)
2016-09-27 00:00:00
MySQL Enterprise Monitor 3.2.x < 3.2.5.1141 Multiple Vulnerabilities (SWEET32) (January 2017 CPU)
2017-01-25 00:00:00
osv
osv
openssl - security update
2016-09-25 00:00:00
openssl - regression update
2016-09-22 00:00:00
openssl - security update
2016-09-22 00:00:00
debian
debian
[SECURITY] [DLA 637-1] openssl security update
2016-09-25 11:55:01
[SECURITY] [DSA 3673-1] openssl security update
2016-09-22 16:50:14
archlinux
archlinux
[ASA-201609-24] lib32-openssl: multiple issues
2016-09-26 00:00:00
[ASA-201609-23] openssl: multiple issues
2016-09-26 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC5022 16Gb SAN Scalable Switch
2019-01-31 02:25:02
Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-6303, CVE-2016-2182, CVE-2016-2178, CVE-2016-6306, CVE-2016-2183, CVE-2016-2177, CVE-2016-7052)
2018-06-17 15:36:58
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Transfer Cluster Manager, Faspex on Demand, Server on Demand, Application on Demand, and Azure on Demand (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 ...)
2018-06-15 07:08:22
ubuntu
ubuntu
OpenSSL vulnerabilities
2016-09-22 00:00:00
OpenSSL regression
2016-09-23 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: openssl-1.0.2j-1.fc24
2016-09-28 01:57:16
[SECURITY] Fedora 23 Update: openssl-1.0.2j-1.fc23
2016-10-11 23:24:05
[SECURITY] Fedora 25 Update: openssl-1.0.2j-1.fc25
2016-10-09 03:28:42
altlinux
altlinux
Security fix for the ALT Linux 10 package openssl1.1 version 1.0.2i-alt1
2016-09-22 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.2i-alt1
2016-09-22 00:00:00
Security fix for the ALT Linux 7 package openssl10 version 1.0.1u-alt0.M70P.1
2016-09-23 00:00:00
oraclelinux
oraclelinux
openssl security update
2016-09-27 00:00:00
openssl security update
2016-10-13 00:00:00
centos
centos
openssl security update
2016-09-28 14:48:04
cloudfoundry
cloudfoundry
USN-3087-2 OpenSSL Regression | Cloud Foundry
2016-09-28 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerabilities
2016-10-12 01:12:20
Updated openssl packages fix security vulnerability
2017-02-05 23:42:41
redhat
redhat
(RHSA-2016:1940) Important: openssl security update
2016-09-27 11:50:45
(RHSA-2018:2187) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
2018-07-12 16:04:13
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:26.openssl
2016-09-23 00:00:00
amazon
amazon
Medium: openssl
2016-10-12 17:00:00
arista
arista
Security Advisory 0024
2016-10-04 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
2016-09-27 22:40:00
huawei
huawei
Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products
2017-03-22 00:00:00
freebsd
freebsd
OpenSSL -- multiple vulnerabilities
2016-09-22 00:00:00
slackware
slackware
[slackware-security] openssl
2016-09-22 18:53:12
fortinet
fortinet
OpenSSL Security Advisory [22 Sept 2016]
2017-04-03 00:00:00
f5
f5
SOL22071504 - September 2016 OpenSSL security vulnerability announcement
2016-09-22 00:00:00
symantec
symantec
SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016
2016-10-06 08:00:00
nodejsblog
nodejsblog
Security updates for all active release lines, September 2016
2016-09-23 00:00:00
JSON
Related for ORACLE_ACCESS_MANAGER_CPU_JAN_2018.NASL
suse11aix1openvas33nessus42osv3debian2archlinux2ibm75ubuntu2fedora3altlinux6oraclelinux2centos1cloudfoundry1mageia2redhat2freebsd_advisory1amazon1arista1cisco1huawei1freebsd1slackware1fortinet1f51symantec1nodejsblog1