Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_ENTERPRISE_MANAGER_CPU_JUL_2021.NASL
HistoryJul 21, 2021 - 12:00 a.m.

Oracle Enterprise Manager Cloud Control (Jul 2021 CPU)

2021-07-2100:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29

6.9 Medium

AI Score

Confidence

High

JSON

The 13.4.0.0 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  • Vulnerability in the StorageTek Tape Analytics SW Tool product of Oracle Systems (component: Software (dom4j)). The supported version that is affected is 2.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool.
    Successful attacks of this vulnerability can result in takeover of StorageTek Tape Analytics SW Tool. (CVE-2020-10683)

  • Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Application Service Level Mgmt (OpenCV)). The supported version that is affected is 13.4.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. (CVE-2019-5064)

  • Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Discovery Framework (OpenSSL)). The supported version that is affected is 13.4.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. (CVE-2020-1971)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(151903);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/07");

  script_cve_id(
    "CVE-2017-14735",
    "CVE-2019-2897",
    "CVE-2019-5064",
    "CVE-2020-1971",
    "CVE-2020-10683"
  );
  script_xref(name:"IAVA", value:"2021-A-0328");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Oracle Enterprise Manager Cloud Control (Jul 2021 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The 13.4.0.0 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple
vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the StorageTek Tape Analytics SW Tool product of Oracle Systems (component: Software
    (dom4j)). The supported version that is affected is 2.3. Easily exploitable vulnerability allows
    unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool.
    Successful attacks of this vulnerability can result in takeover of StorageTek Tape Analytics SW Tool. 
    (CVE-2020-10683)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Application Service Level Mgmt (OpenCV)). The supported version that is affected is 13.4.0.0. Easily
    exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise
    Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than
    the attacker. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base
    Platform. (CVE-2019-5064)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Discovery Framework (OpenSSL)). The supported version that is affected is 13.4.0.0. Easily exploitable
    vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise
    Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to
    cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. (CVE-2020-1971)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2021.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2021 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10683");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_enterprise_manager_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Enterprise Manager Cloud Control');

var constraints = [
  { 'min_version' : '13.4.0.0', 'fixed_version' : '13.4.0.11', 'fixed_display': '13.4.0.11 (Patch 32436128)'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
oracleenterprise_managercpe:/a:oracle:enterprise_manager

Related

symantec 1
osv 13
veracode 4
debiancve 4
cve 5
prion 5
github 3
ubuntucve 4
mageia 1
ibm 28
ubuntu 1
openvas 29
redhatcve 3
nessus 63
debian 2
f5 2
suse 4
talos 1
atlassian 2
freebsd_advisory 1
gentoo 1
redhat 6
archlinux 1
cbl_mariner 1
altlinux 2
fedora 2
oraclelinux 2
alpinelinux 1
cloudlinux 1
freebsd 1
openssl 1
photon 1
githubexploit 1
almalinux 1
mscve 1
symantec
symantec
OWASP AntiSamy CVE-2017-14735 Cross Site Scripting Vulnerability
2017-09-25 00:00:00
osv
osv
OWASP AntiSamy Cross-site Scripting vulnerability
2018-10-18 17:22:11
CVE-2017-14735
2017-09-25 21:29:01
CVE-2020-10683
2020-05-01 19:15:12
veracode
veracode
Cross-site Scripting (XSS)
2017-11-13 05:25:15
XML External Entity
2020-04-22 04:37:29
Denial Of Service (DoS)
2020-01-06 07:48:58
debiancve
debiancve
CVE-2017-14735
2017-09-25 21:29:00
CVE-2020-10683
2020-05-01 19:15:00
CVE-2019-5064
2020-01-03 17:15:00
cve
cve
CVE-2017-14735
2017-09-25 21:29:00
CVE-2020-10683
2020-05-01 19:15:00
CVE-2019-5064
2020-01-03 17:15:00
prion
prion
Cross site scripting
2017-09-25 21:29:00
Xxe
2020-05-01 19:15:00
Heap overflow
2020-01-03 17:15:00
github
github
OWASP AntiSamy Cross-site Scripting vulnerability
2018-10-18 17:22:11
dom4j allows External Entities by default which might enable XXE attacks
2020-06-05 16:13:36
Out-of-bounds Write in OpenCV
2021-10-12 22:23:21
ubuntucve
ubuntucve
CVE-2017-14735
2017-09-25 00:00:00
CVE-2020-10683
2020-05-01 00:00:00
CVE-2019-5064
2020-01-03 00:00:00
mageia
mageia
Updated dom4j packages fix a security vulnerability
2021-01-17 19:07:01
ibm
ibm
Security Bulletin: ITCAM for Transactions affect by the Security vulnerability CVE-2020-10683 found in dom4j-1.6.1.jar
2023-08-30 15:30:21
Security Bulletin:IBM Resilient SOAR is Using Components with Known Vulnerabilities - dom4j (CVE-2020-10683)
2020-08-31 21:38:10
Security Bulletin: IBM Security Verify Information Queue uses a dom4j version with improper XXE restrictions (CVE-2020-10683)
2022-07-07 17:43:49
ubuntu
ubuntu
dom4j vulnerability
2020-10-13 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2020-2102)
2020-09-29 00:00:00
Ubuntu: Security Advisory (USN-4575-1)
2020-10-14 00:00:00
Debian: Security Advisory (DLA-2191-1)
2020-05-01 00:00:00
redhatcve
redhatcve
CVE-2020-10683
2022-05-14 11:33:01
CVE-2019-5064
2020-01-11 15:24:58
CVE-2020-1971
2020-12-08 16:10:44
nessus
nessus
Ubuntu 16.04 LTS : dom4j vulnerability (USN-4575-1)
2020-10-14 00:00:00
EulerOS 2.0 SP5 : dom4j (EulerOS-SA-2020-1596)
2020-06-02 00:00:00
EulerOS 2.0 SP2 : dom4j (EulerOS-SA-2020-1677)
2020-06-17 00:00:00
debian
debian
[SECURITY] [DLA 2191-1] dom4j security update
2020-04-30 22:00:18
[SECURITY] [DSA 4807-1] openssl security update
2020-12-08 15:25:11
f5
f5
K02349370 : dom4j library vulnerability CVE-2020-10683
2020-05-12 00:00:00
K42910051 : OpenSSL vulnerability CVE-2020-1971
2021-01-14 00:00:00
suse
suse
Security update for dom4j (important)
2020-05-26 00:00:00
Security update for openssl-1_0_0 (important)
2020-12-17 00:00:00
Security update for openssl-1_1 (important)
2020-12-10 00:00:00
talos
talos
OpenCV JSON persistence parser buffer overflow vulnerability
2020-01-02 00:00:00
atlassian
atlassian
Update the bundled version of OWASP AntiSamy to address issues
2019-07-09 02:33:28
Update the bundled version of OWASP AntiSamy to address issues
2019-07-09 02:33:28
freebsd_advisory
freebsd_advisory
FreeBSD-SA-20:33.openssl
2020-12-08 00:00:00
gentoo
gentoo
OpenSSL: Denial of service
2020-12-23 00:00:00
redhat
redhat
(RHSA-2021:0491) Low: Red Hat JBoss Web Server 3.1 Service Pack 11 security update
2021-02-11 13:35:32
(RHSA-2021:0488) Low: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP6 security update
2021-02-11 13:24:10
(RHSA-2021:0486) Low: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP6 security update
2021-02-11 13:09:49
archlinux
archlinux
[ASA-202012-24] openssl: denial of service
2020-12-16 00:00:00
cbl_mariner
cbl_mariner
CVE-2020-1971 affecting package mysql 8.0.22-2
2021-08-25 19:57:27
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl1.1 version 1.1.1i-alt1
2020-12-09 00:00:00
Security fix for the ALT Linux 10 package openssl1.1 version 1.1.1i-alt1
2020-12-08 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: openssl-1.1.1i-1.fc32
2020-12-21 01:36:23
[SECURITY] Fedora 33 Update: openssl-1.1.1i-1.fc33
2020-12-16 01:43:55
oraclelinux
oraclelinux
openssl security and bug fix update
2020-12-17 00:00:00
openssl security update
2021-03-26 00:00:00
alpinelinux
alpinelinux
CVE-2020-1971
2020-12-08 16:15:00
cloudlinux
cloudlinux
Fix CVE: CVE-2020-1971
2020-12-09 11:10:00
freebsd
freebsd
OpenSSL -- NULL pointer de-reference
2020-12-08 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2020-1971
2020-12-08 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2020-0175
2020-12-10 00:00:00
githubexploit
githubexploit
Exploit for NULL Pointer Dereference in Openssl
2020-12-09 21:32:15
almalinux
almalinux
Important: openssl security and bug fix update
2020-12-15 15:55:57
mscve
mscve
OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
2021-10-12 07:00:00

6.9 Medium

AI Score

Confidence

High

JSON
Related for ORACLE_ENTERPRISE_MANAGER_CPU_JUL_2021.NASL
symantec1osv13veracode4debiancve4cve5prion5github3ubuntucve4mageia1ibm28ubuntu1openvas29redhatcve3nessus63debian2f52suse4talos1atlassian2freebsd_advisory1gentoo1redhat6archlinux1cbl_mariner1altlinux2fedora2oraclelinux2alpinelinux1cloudlinux1freebsd1openssl1photon1githubexploit1almalinux1mscve1