Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_OBIEE_CPU_JUL_2023.NASL
HistoryJul 21, 2023 - 12:00 a.m.

Oracle Business Intelligence Enterprise Edition (July 2023 CPU)

2023-07-2100:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
JSON

The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host are affected by a vulnerability as referenced in the July 2023 CPU advisory.

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Server (Apache Hive)). Supported versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
    (CVE-2018-1282)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Framework (Quartz)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2019-13990)

  • Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Web Answers (Apache Commons FileUpload)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2023-24998)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(178711);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/24");

  script_cve_id(
    "CVE-2018-1282",
    "CVE-2019-0227",
    "CVE-2019-10086",
    "CVE-2019-13990",
    "CVE-2022-25647",
    "CVE-2023-24998"
  );
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"IAVA", value:"2023-A-0558");
  script_xref(name:"IAVA", value:"2023-A-0559");

  script_name(english:"Oracle Business Intelligence Enterprise Edition (July 2023 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an information disclosure vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host are affected by a 
vulnerability as referenced in the July 2023 CPU advisory. 

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Server (Apache Hive)). Supported versions that are affected are 6.4.0.0.0, 
    7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network 
    access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of 
    this vulnerability can result in unauthorized creation, deletion or modification access to critical data 
    or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to 
    critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
    (CVE-2018-1282)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Framework (Quartz)). The supported version that is affected is 12.2.1.4.0. Easily exploitable 
    vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business 
    Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of 
    Oracle Business Intelligence Enterprise Edition. (CVE-2019-13990)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Web Answers (Apache Commons FileUpload)). The supported version that is affected is 
    12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP 
    to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability 
    can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of 
    Oracle Business Intelligence Enterprise Edition. (CVE-2023-24998)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujul2023cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2023.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2023 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-13990");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_business_intelligence_enterprise_edition_installed.nbin");
  script_require_keys("installed_sw/Oracle Business Intelligence Enterprise Edition");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Business Intelligence Enterprise Edition');

# based on Oracle CPU data
var constraints = [
  {'min_version': '12.2.1.4', 'fixed_version': '12.2.1.4.230628', 'fixed_display': '12.2.1.4.230628 patch: 35548198'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
oraclebusiness_intelligencecpe:/a:oracle:business_intelligence

Related

ibm 65
osv 13
redhatcve 5
prion 5
cve 5
github 5
ubuntucve 4
nessus 29
openvas 19
veracode 4
atlassian 4
debiancve 4
mageia 3
rosalinux 1
fedora 2
redhat 5
suse 2
amazon 1
cgr 2
symantec 2
debian 4
centos 1
wolfi 2
rhino 1
f5 1
githubexploit 1
exploitpack 1
packetstorm 1
zdt 1
checkpoint_advisories 1
alpinelinux 1
ubuntu 1
broadcom 1
vaadin 1
tomcat 1
ibm
ibm
Security Bulletin: IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998
2023-04-11 14:02:03
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Terracotta Quartz ( CVE-2019-13990)
2020-10-27 23:52:58
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Terracotta Quartz Scheduler
2020-08-29 08:57:53
osv
osv
CVE-2019-13990
2019-07-26 19:15:11
XML external entity injection in Terracotta Quartz Scheduler
2020-07-01 17:55:03
Insecure Deserialization in Apache Commons Beanutils
2020-06-15 20:36:17
redhatcve
redhatcve
CVE-2019-13990
2020-02-10 11:44:18
CVE-2018-1282
2018-04-06 04:49:33
CVE-2019-10086
2020-02-14 11:44:26
prion
prion
Design/Logic Flaw
2019-07-26 19:15:00
Default configuration
2019-08-20 21:15:00
Information disclosure
2018-04-05 13:29:00
cve
cve
CVE-2019-13990
2019-07-26 19:15:00
CVE-2019-10086
2019-08-20 21:15:00
CVE-2018-1282
2018-04-05 13:29:00
github
github
XML external entity injection in Terracotta Quartz Scheduler
2020-07-01 17:55:03
Insecure Deserialization in Apache Commons Beanutils
2020-06-15 20:36:17
SQL Injection in hive-jdbc
2018-11-21 22:24:34
ubuntucve
ubuntucve
CVE-2019-13990
2019-07-26 00:00:00
CVE-2019-10086
2019-08-20 00:00:00
CVE-2019-0227
2019-05-01 00:00:00
nessus
nessus
Atlassian JIRA Service Desk < 4.20.26 / 5.4.x < 5.4.10 / 5.5.x < 5.7.2 / 5.8.x < 5.8.2 / 5.9.x < 5.9.2 / 5.10.x < 5.10.1 (JSDSERVER-14401)
2023-10-20 00:00:00
Fedora 31 : apache-commons-beanutils (2019-bcad44b5d6)
2019-11-14 00:00:00
Scientific Linux Security Update : apache-commons-beanutils on SL7.x (noarch) (20200121)
2020-01-23 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2021-0133)
2022-01-28 00:00:00
Fedora Update for apache-commons-beanutils FEDORA-2019-79b5790566
2019-11-14 00:00:00
Fedora Update for apache-commons-beanutils FEDORA-2019-bcad44b5d6
2020-01-09 00:00:00
veracode
veracode
XML External Entity (XXE)
2020-02-19 04:27:53
Authorization Bypass
2019-08-16 00:43:09
SQL Injection
2018-04-05 03:36:26
atlassian
atlassian
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990
2023-09-20 15:53:19
com.google.code.gson Vulnerability in Bitbucket Data Center and Server
2023-10-04 19:45:55
DoS (Denial of Service) com.google.code.gson:gson in Jira Software Data Center and Server
2023-11-12 13:45:35
debiancve
debiancve
CVE-2019-13990
2019-07-26 19:15:00
CVE-2019-10086
2019-08-20 21:15:00
CVE-2019-0227
2019-05-01 21:29:00
mageia
mageia
Updated quartz packages fix a security vulnerability
2021-03-15 00:20:42
Updated apache-commons-beanutils packages fix security vulnerability
2019-12-19 16:44:26
Updated google-gson packages fix security vulnerability
2022-09-21 21:15:27
rosalinux
rosalinux
Advisory ROSA-SA-2023-2272
2023-10-22 06:16:50
fedora
fedora
[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30
2019-11-13 09:58:19
[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31
2019-11-13 10:08:09
redhat
redhat
(RHSA-2020:0057) Important: rh-java-common-apache-commons-beanutils security update
2020-01-08 11:00:17
(RHSA-2020:0194) Important: apache-commons-beanutils security update
2020-01-21 18:21:47
(RHSA-2020:2740) Important: candlepin and satellite security update
2020-06-24 14:05:48
suse
suse
Security update for apache-commons-beanutils (important)
2019-09-03 00:00:00
Security update for google-gson (important)
2022-06-10 00:00:00
amazon
amazon
Important: apache-commons-beanutils
2020-02-17 19:50:00
cgr
cgr
CVE-2019-10086 vulnerabilities
2024-04-28 09:06:10
CVE-2022-25647 vulnerabilities
2024-04-28 09:06:10
symantec
symantec
Apache Commons Beanutils CVE-2019-10086 Remote Security Vulnerability
2019-08-15 00:00:00
Apache Axis CVE-2019-0227 Remote Code Execution Vulnerability
2019-04-09 00:00:00
debian
debian
[SECURITY] [DLA 1896-1] commons-beanutils security update
2019-08-24 14:49:34
[SECURITY] [DSA 5227-1] libgoogle-gson-java security update
2022-09-07 10:22:18
[SECURITY] [DLA 3100-1] libgoogle-gson-java security update
2022-09-07 09:14:24
centos
centos
apache security update
2020-01-28 21:30:14
wolfi
wolfi
CVE-2019-10086 vulnerabilities
2024-04-28 09:06:10
CVE-2022-25647 vulnerabilities
2024-04-28 09:06:10
rhino
rhino
CVE-2019-0227: Expired Domain to Remote Code Execution in Apache Axis
2019-04-09 10:30:52
f5
f5
K00994461 : GSON vulnerability CVE-2022-25647
2022-08-29 00:00:00
githubexploit
githubexploit
Exploit for Server-Side Request Forgery in Apache Axis
2019-10-27 14:42:54
exploitpack
exploitpack
Apache Axis 1.4 - Remote Code Execution
2019-04-09 00:00:00
packetstorm
packetstorm
Apache Axis 1.4 Remote Code Execution
2019-04-10 00:00:00
zdt
zdt
Apache Axis 1.4 - Remote Code Execution Exploit
2019-04-09 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Axis Remote Code Execution (CVE-2019-0227)
2019-04-22 00:00:00
alpinelinux
alpinelinux
CVE-2022-25647
2022-05-01 16:15:00
ubuntu
ubuntu
Gson vulnerability
2024-03-12 00:00:00
broadcom
broadcom
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization
2023-08-29 00:00:00
vaadin
vaadin
Apache Commons FileUpload - DoS with excessive parts
2023-06-22 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 10.1.5
2023-01-13 00:00:00
JSON
Related for ORACLE_OBIEE_CPU_JUL_2023.NASL
ibm65osv13redhatcve5prion5cve5github5ubuntucve4nessus29openvas19veracode4atlassian4debiancve4mageia3rosalinux1fedora2redhat5suse2amazon1cgr2symantec2debian4centos1wolfi2rhino1f51githubexploit1exploitpack1packetstorm1zdt1checkpoint_advisories1alpinelinux1ubuntu1broadcom1vaadin1tomcat1