Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_JDEVELOPER_CPU_APR_2022.NASL
HistoryApr 26, 2022 - 12:00 a.m.

Oracle JDeveloper Multiple Vulnerabilities (April 2022 CPU)

2022-04-2600:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
220

8.6 High

AI Score

Confidence

High

JSON

The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory:

  • Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper (Apache Log4j)). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2021-44832)

  • Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2022-21445)

  • Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper (Apache Log4j)). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2022-23305)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(160204);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/31");

  script_cve_id("CVE-2021-44832", "CVE-2022-21445", "CVE-2022-23305");
  script_xref(name:"IAVA", value:"2022-A-0171");

  script_name(english:"Oracle JDeveloper Multiple Vulnerabilities (April 2022 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by a multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by 
multiple vulnerabilities as referenced in the April 2022 CPU advisory:

  - Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper 
    (Apache Log4j)). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability 
    allows high privileged attacker with network access via HTTP to compromise Oracle JDeveloper. Successful 
    attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2021-44832)

  - Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). 
    Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability 
    allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful 
    attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2022-21445)

  - Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper 
    (Apache Log4j)). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability 
    allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful 
    attacks of this vulnerability can result in takeover of Oracle JDeveloper. (CVE-2022-23305)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2022.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2022cvrf.xml");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2022 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44832");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-23305");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdeveloper");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_jdeveloper_installed.nbin");
  script_require_keys("installed_sw/Oracle JDeveloper");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_jdev::get_app_info();

var constraints = [
  { 'min_version':'12.2.1.3', 'fixed_version':'12.2.1.3.220310', 'missing_patch':'33949366' },
  { 'min_version':'12.2.1.4', 'fixed_version':'12.2.1.4.220314', 'missing_patch':'33958532' }
];

vcf::oracle_jdev::check_version_and_report(
  app_info:app_info,
  severity:SECURITY_HOLE,
  constraints:constraints
);
VendorProductVersionCPE
oraclejdevelopercpe:/a:oracle:jdeveloper

Related

nessus 23
ibm 88
githubexploit 4
cve 3
prion 3
freebsd 1
openvas 16
mageia 1
debian 1
osv 6
broadcom 1
redos 1
checkpoint_advisories 1
huntr 1
amazon 3
redhat 16
redhatcve 2
suse 4
f5 3
veracode 2
fedora 2
debiancve 2
ubuntucve 2
cnvd 1
attackerkb 1
github 3
cloudlinux 1
ubuntu 1
thn 1
oraclelinux 1
centos 1
hivepro 1
cisco 1
threatpost 1
nessus
nessus
Oracle Identity Manager (Apr 2022 CPU)
2022-04-25 00:00:00
Oracle Enterprise Manager Cloud Control (Apr 2022 CPU)
2022-04-29 00:00:00
openSUSE 15 Security Update : log4j (openSUSE-SU-2021:4208-1)
2021-12-31 00:00:00
ibm
ibm
Security Bulletin: IBM Telco Network Cloud Manager - Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305)
2022-06-02 03:33:47
Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect for Manufacturing 2.0 (CVE-2021-44832)
2022-01-11 08:02:44
Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44832) affects the IBM Performance Management product
2022-01-05 22:36:11
githubexploit
githubexploit
Exploit for Vulnerability in Oracle Jdeveloper
2024-03-12 04:47:02
Exploit for Improper Input Validation in Apache Log4J
2021-12-29 07:50:05
Exploit for Improper Input Validation in Apache Log4J
2021-12-30 20:24:07
cve
cve
CVE-2022-21445
2022-04-19 21:15:00
CVE-2021-44832
2021-12-28 20:15:00
CVE-2022-23305
2022-01-18 16:15:00
prion
prion
Design/Logic Flaw
2022-04-19 21:15:00
Remote code execution
2021-12-28 20:15:00
Design/Logic Flaw
2022-01-18 16:15:00
freebsd
freebsd
Rundeck3 -- Log4J RCE vulnerability
2021-12-11 00:00:00
openvas
openvas
openSUSE: Security Advisory for log4j (openSUSE-SU-2022:0002-1)
2022-02-01 00:00:00
Apache Log4j 2.x < 2.3.2, 2.4.x < 2.12.4, 2.13.x < 2.17.1 RCE Vulnerability (Dec 2021) - Linux
2022-01-10 00:00:00
Fedora: Security Advisory for log4j (FEDORA-2021-c6f471ce0f)
2022-01-07 00:00:00
mageia
mageia
Updated log4j packages fix security vulnerability
2022-01-03 10:36:40
debian
debian
[SECURITY] [DLA 2870-1] apache-log4j2 security update
2021-12-29 22:57:42
osv
osv
apache-log4j2 - security update
2021-12-29 00:00:00
Improper Input Validation and Injection in Apache Log4j2
2022-01-04 16:14:20
SQL Injection in Log4j 1.2.x
2022-01-21 23:26:47
broadcom
broadcom
BSA-2021-1658
2021-12-30 00:00:00
redos
redos
ROS-20220125-04
2022-01-25 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Log4j Remote Code Execution (CVE-2021-44832)
2022-01-03 00:00:00
huntr
huntr
Static Code Injection in playframework/play-samples
2022-01-16 20:00:18
amazon
amazon
Medium: aws-kinesis-agent
2022-01-18 21:37:00
Important: log4j
2023-03-30 22:50:00
Important: log4j
2022-02-15 22:54:00
redhat
redhat
(RHSA-2022:0225) Moderate: Red Hat OpenShift Enterprise Logging bug fix and security update (5.0.12)
2022-01-20 21:04:07
(RHSA-2022:0467) Important: Red Hat AMQ Streams 1.6.7 release and security update
2022-02-08 12:43:39
(RHSA-2022:0230) Moderate: Red Hat OpenShift Enterprise Logging bug fix and security update (5.2.6)
2022-01-21 19:00:15
redhatcve
redhatcve
CVE-2022-23305
2022-01-18 16:16:17
CVE-2021-44832
2022-05-07 14:30:53
suse
suse
Security update for log4j (moderate)
2021-12-30 00:00:00
Security update for log4j (moderate)
2022-01-02 00:00:00
Security update for log4j12 (important)
2022-01-28 00:00:00
f5
f5
K14122652 : Apache Log4j2 vulnerability CVE-2021-44832
2021-12-30 00:00:00
K97120268 : Apache Log4j SQL injection vulnerability CVE-2022-23305
2022-01-31 00:00:00
K34002344 : Overview of Log4j vulnerabilities (2021 and 2022)
2022-02-01 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2021-12-29 01:02:12
SQL Injection
2022-01-19 12:47:45
fedora
fedora
[SECURITY] Fedora 34 Update: log4j-2.17.1-1.fc34
2022-01-06 00:51:53
[SECURITY] Fedora 35 Update: log4j-2.17.1-1.fc35
2022-01-06 01:12:26
debiancve
debiancve
CVE-2021-44832
2021-12-28 20:15:00
CVE-2022-23305
2022-01-18 16:15:00
ubuntucve
ubuntucve
CVE-2022-23305
2022-01-18 00:00:00
CVE-2021-44832
2021-12-28 00:00:00
cnvd
cnvd
Apache Log4j SQL Injection Vulnerability
2022-01-20 00:00:00
attackerkb
attackerkb
CVE-2021-44832
2021-12-28 00:00:00
github
github
Improper Input Validation and Injection in Apache Log4j2
2022-01-04 16:14:20
SQL Injection in Log4j 1.2.x
2022-01-21 23:26:47
GitHub’s response to Log4j vulnerability CVE-2021-44228
2021-12-13 19:06:34
cloudlinux
cloudlinux
Fix of CVE: CVE-2022-23305
2022-02-03 20:01:40
ubuntu
ubuntu
Apache Log4j 2 vulnerabilities
2022-01-11 00:00:00
thn
thn
Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
2023-12-11 13:00:00
oraclelinux
oraclelinux
log4j security update
2022-02-08 00:00:00
centos
centos
log4j security update
2022-02-07 16:47:44
hivepro
hivepro
Prophet Spider exploits Log4j and Citrix vulnerabilities to deploy webshells
2022-03-10 16:20:17
cisco
cisco
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
2021-12-10 18:45:00
threatpost
threatpost
Microsoft Sees Rampant Log4j Exploit Attempts, Testing
2022-01-04 22:49:54

8.6 High

AI Score

Confidence

High

JSON
Related for ORACLE_JDEVELOPER_CPU_APR_2022.NASL
nessus23ibm88githubexploit4cve3prion3freebsd1openvas16mageia1debian1osv6broadcom1redos1checkpoint_advisories1huntr1amazon3redhat16redhatcve2suse4f53veracode2fedora2debiancve2ubuntucve2cnvd1attackerkb1github3cloudlinux1ubuntu1thn1oraclelinux1centos1hivepro1cisco1threatpost1