Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_JDEVELOPER_CPU_JAN_2024.NASL
HistoryJan 19, 2024 - 12:00 a.m.

Oracle JDeveloper Multiple Vulnerabilities (January 2024 CPU)

2024-01-1900:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
oracle jdeveloper
vulnerabilities
security patch
oracle fusion middleware
apache commons compress
adf faces
google guava
cve-2021-36090
cve-2023-2976
nessus scanner

8.6 High

AI Score

Confidence

High

JSON

The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities as referenced in the January 2024 CPU advisory.

  • Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper (Apache Commons Compress)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle JDeveloper. (CVE-2021-36090)

  • Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces (Google Guava)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle JDeveloper executes to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle JDeveloper accessible data as well as unauthorized access to critical data or complete access to all Oracle JDeveloper accessible data. (CVE-2023-2976)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189243);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/22");

  script_cve_id(
    "CVE-2021-35515",
    "CVE-2021-35516",
    "CVE-2021-35517",
    "CVE-2021-36090",
    "CVE-2023-2976"
  );
  script_xref(name:"IAVA", value:"2024-A-0031");

  script_name(english:"Oracle JDeveloper Multiple Vulnerabilities (January 2024 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by 
multiple vulnerabilities as referenced in the January 2024 CPU advisory. 
  - Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: Oracle JDeveloper 
    (Apache Commons Compress)). The supported version that is affected is 12.2.1.4.0. Easily exploitable 
    vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. 
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently 
    repeatable crash (complete DOS) of Oracle JDeveloper. (CVE-2021-36090)

  - Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces (Google Guava)). 
    The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged 
    attacker with logon to the infrastructure where Oracle JDeveloper executes to compromise Oracle JDeveloper. 
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access 
    to critical data or all Oracle JDeveloper accessible data as well as unauthorized access to critical data or 
    complete access to all Oracle JDeveloper accessible data. (CVE-2023-2976)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2024.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2024csaf.json");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2024 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-36090");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-2976");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdeveloper");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_jdeveloper_installed.nbin");
  script_require_keys("installed_sw/Oracle JDeveloper");

  exit(0);
}

include('vcf_extras_oracle.inc');
set_kb_item(name:"global_settings/enable_plugin_debugging", value:TRUE);

var app_info = vcf::oracle_jdev::get_app_info();
var constraints = [
  { 'min_version':'12.2.1.4', 'fixed_version':'12.2.1.4.231205', 'missing_patch':'36074941' }
];

vcf::oracle_jdev::check_version_and_report(
  app_info:app_info,
  severity:SECURITY_WARNING,
  constraints:constraints
);
VendorProductVersionCPE
oraclejdevelopercpe:/a:oracle:jdeveloper

Related

ibm 94
suse 2
nessus 29
mageia 2
openvas 6
redhat 13
cnvd 1
redhatcve 5
veracode 5
github 5
osv 10
prion 5
cve 5
ubuntucve 5
debiancve 5
f5 1
atlassian 3
cgr 1
wolfi 1
intel 1
ibm
ibm
Security Bulletin: IBM Content Navigator is vulnerable to a denial of service vulnerabilty.
2021-08-19 16:20:09
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress
2021-10-01 06:22:55
Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to Apache Commons Compress
2023-02-20 06:25:38
suse
suse
Security update for apache-commons-compress (important)
2021-08-05 00:00:00
Security update for apache-commons-compress (important)
2021-08-10 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 Security Update : apache-commons-compress (SUSE-SU-2021:2612-1)
2021-08-06 00:00:00
openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:2612-1)
2021-08-06 00:00:00
openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:1115-1)
2021-08-11 00:00:00
mageia
mageia
Updated osgi-core/apache-commons-compress packages fix security vulnerability
2022-01-11 10:12:42
Updated guava packages fix security vulnerabilities
2024-05-01 01:25:14
openvas
openvas
openSUSE: Security Advisory for apache-commons-compress (openSUSE-SU-2021:2612-1)
2021-08-07 00:00:00
Mageia: Security Advisory (MGASA-2022-0009)
2022-01-28 00:00:00
openSUSE: Security Advisory for apache-commons-compress (openSUSE-SU-2021:1115-1)
2021-08-11 00:00:00
redhat
redhat
(RHSA-2022:5555) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update
2022-07-14 12:11:20
(RHSA-2023:5491) Moderate: Red Hat AMQ Broker 7.11.2 release and security update
2023-10-05 22:36:05
(RHSA-2024:0798) Important: Red Hat Single Sign-On 7.6.7 security update on RHEL 7
2024-02-13 16:48:43
cnvd
cnvd
Apache Commons Compress Resource Management Error Vulnerability (CNVD-2022-62077)
2021-07-19 00:00:00
redhatcve
redhatcve
CVE-2021-35515
2021-07-13 17:52:15
CVE-2021-35516
2021-07-13 17:52:22
CVE-2021-35517
2021-07-13 17:52:15
veracode
veracode
Denial Of Service (DoS)
2021-07-14 06:32:21
Denial Of Service (DoS)
2021-09-22 02:44:38
Denial Of Service (DoS)
2021-07-14 07:52:36
github
github
Excessive Iteration in Compress
2021-08-02 16:55:07
Improper Handling of Length Parameter Inconsistency in Compress
2021-08-02 16:55:15
Improper Handling of Length Parameter Inconsistency in Compress
2021-08-02 16:55:39
osv
osv
Improper Handling of Length Parameter Inconsistency in Compress
2021-08-02 16:55:15
Excessive Iteration in Compress
2021-08-02 16:55:07
CVE-2021-35516
2021-07-13 08:15:07
prion
prion
Design/Logic Flaw
2021-07-13 08:15:00
Design/Logic Flaw
2021-07-13 08:15:00
Design/Logic Flaw
2021-07-13 08:15:00
cve
cve
CVE-2021-35515
2021-07-13 08:15:00
CVE-2021-35517
2021-07-13 08:15:00
CVE-2021-35516
2021-07-13 08:15:00
ubuntucve
ubuntucve
CVE-2021-35515
2021-07-13 00:00:00
CVE-2021-35516
2021-07-13 00:00:00
CVE-2021-35517
2021-07-13 00:00:00
debiancve
debiancve
CVE-2021-35515
2021-07-13 08:15:00
CVE-2021-35516
2021-07-13 08:15:00
CVE-2021-36090
2021-07-13 08:15:00
f5
f5
K000133710 : apache-commons-compress vulnerability CVE-2021-36090
2023-04-28 00:00:00
atlassian
atlassian
com.google.guava:guava Dependency in Confluence Data Center and Server
2024-02-14 20:46:01
Info Disclosure com.google.guava:guava in Jira Software Data Center and Server
2023-11-14 03:45:23
com.google.guava:guava Dependency in Jira Service Management Data Center and Server
2024-02-12 03:45:36
cgr
cgr
CVE-2023-2976 vulnerabilities
2024-05-03 09:06:23
wolfi
wolfi
CVE-2023-2976 vulnerabilities
2024-05-03 09:06:24
intel
intel
Intel® Unison™ Software Advisory
2024-02-13 00:00:00

8.6 High

AI Score

Confidence

High

JSON
Related for ORACLE_JDEVELOPER_CPU_JAN_2024.NASL
ibm94suse2nessus29mageia2openvas6redhat13cnvd1redhatcve5veracode5github5osv10prion5cve5ubuntucve5debiancve5f51atlassian3cgr1wolfi1intel1