Lucene search

HistoryApr 25, 2023 - 12:00 a.m.

Oracle Business Intelligence Enterprise Edition (Apr 2023 CPU)

2023-04-2500:00:00

www.tenable.com

The versions of Oracle Business Intelligence Enterprise Edition (OBIEE) installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory.

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. (CVE-2019-10172)
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
(CVE-2020-28052)
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. (CVE-2021-23926)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(174742);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/21");

  script_cve_id(
    "CVE-2019-10172",
    "CVE-2020-28052",
    "CVE-2021-23926",
    "CVE-2021-36090",
    "CVE-2022-34169",
    "CVE-2023-21910",
    "CVE-2023-21941"
  );
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Oracle Business Intelligence Enterprise Edition (Apr 2023 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle Business Intelligence Enterprise Edition (OBIEE) installed
on the remote host are affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory.

  - A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity
    vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different
    classes. (CVE-2019-10172)

  - An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The
    OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing
    incorrect passwords to indicate they were matching with previously hashed ones that were different.
    (CVE-2020-28052)

  - The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user
    from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects
    XMLBeans up to and including v2.6.0. (CVE-2021-23926)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2023cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2023.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2023 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-28052");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-23926");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_business_intelligence_enterprise_edition_installed.nbin");
  script_require_keys("installed_sw/Oracle Business Intelligence Enterprise Edition");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Business Intelligence Enterprise Edition');

var constraints = [
  {'min_version': '12.2.1.4.0', 'fixed_version': '12.2.1.4.230407', 'fixed_display': '12.2.1.4.230407 patch: 35268009'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_WARNING);

VendorProductVersionCPE
oraclebusiness_intelligencecpe:/a:oracle:business_intelligence

Vendor	Product	Version	CPE
oracle	business_intelligence		cpe:/a:oracle:business_intelligence

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23926

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21910

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21941

www.oracle.com/docs/tech/security-alerts/cpuapr2023cvrf.xml

www.oracle.com/security-alerts/cpuapr2023.html

JSON

Related for ORACLE_OBIEE_CPU_APR_2023.NASL