Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_OPATCH_CPU_JAN_2023.NASL
HistoryJul 06, 2023 - 12:00 a.m.

Oracle Global Lifecycle Management (OPatch) (Jan 2023 CPU)

2023-07-0600:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
169
JSON

The installation of Oracle Global Lifecycle Management (OPatch) installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory.

  • Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion Middleware (component: NextGen Installer issues (jackson-databind)). Supported versions that are affected are Prior to 13.9.4.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Global Lifecycle Management NextGen OUI Framework. (CVE-2022-42003)

  • Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion Middleware (component: NextGen Installer issues (Apache Mina SSHD)). Supported versions that are affected are Prior to 13.9.4.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks of this vulnerability can result in takeover of Oracle Global Lifecycle Management NextGen OUI Framework.
    (CVE-2022-45047)

  • Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion Middleware (component: NextGen Installer issues). Supported versions that are affected are Prior to 13.9.4.2.11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Global Lifecycle Management NextGen OUI Framework executes to compromise Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Global Lifecycle Management NextGen OUI Framework. (CVE-2023-21894)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(178010);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/07");

  script_cve_id("CVE-2022-42003", "CVE-2022-45047", "CVE-2023-21894");

  script_name(english:"Oracle Global Lifecycle Management (OPatch) (Jan 2023 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The installation of Oracle Global Lifecycle Management (OPatch) installed on the remote host is affected by multiple
vulnerabilities as referenced in the January 2023 CPU advisory.

  - Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion
    Middleware (component: NextGen Installer issues (jackson-databind)). Supported versions that are affected
    are Prior to 13.9.4.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network
    access via HTTP to compromise Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks
    of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash
    (complete DOS) of Oracle Global Lifecycle Management NextGen OUI Framework. (CVE-2022-42003)

  - Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion
    Middleware (component: NextGen Installer issues (Apache Mina SSHD)). Supported versions that are affected
    are Prior to 13.9.4.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network
    access via HTTP to compromise Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks
    of this vulnerability can result in takeover of Oracle Global Lifecycle Management NextGen OUI Framework.
    (CVE-2022-45047)

  - Vulnerability in the Oracle Global Lifecycle Management NextGen OUI Framework product of Oracle Fusion
    Middleware (component: NextGen Installer issues). Supported versions that are affected are Prior to
    13.9.4.2.11. Easily exploitable vulnerability allows low privileged attacker with logon to the
    infrastructure where Oracle Global Lifecycle Management NextGen OUI Framework executes to compromise
    Oracle Global Lifecycle Management NextGen OUI Framework. Successful attacks require human interaction
    from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of
    Oracle Global Lifecycle Management NextGen OUI Framework. (CVE-2023-21894)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2023cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2023.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2023 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-45047");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:global_lifecycle_management_opatch");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_opatch_installed.nbin");
  script_require_keys("installed_sw/Oracle OPatch");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle OPatch');

# OUI NextGen OPatch is version 13.x
var constraints = [
  { 'min_version': '13.0.0.0', 'fixed_version': '13.9.4.2.11', 'fixed_display': '13.9.4.2.11 (Patch 28186730)'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
oracleglobal_lifecycle_management_opatchcpe:/a:oracle:global_lifecycle_management_opatch

Related

nessus 41
cve 3
prion 3
veracode 2
ibm 79
github 2
osv 6
redhatcve 2
cnvd 1
f5 2
atlassian 4
debiancve 1
broadcom 1
ubuntucve 1
redhat 37
openvas 6
gentoo 1
mageia 1
debian 2
freebsd 1
qualysblog 2
rocky 1
nessus
nessus
Oracle GoldenGate (April 2023 CPU)
2023-04-19 00:00:00
Oracle Business Process Management Suite (Apr 2023 CPU)
2023-04-19 00:00:00
Atlassian Jira Service Management Data Center and Server 4.20.x < 4.20.27 / 5.4.x < 5.4.11 (JSDSERVER-14751)
2023-12-11 00:00:00
cve
cve
CVE-2023-21894
2023-01-18 00:15:17
CVE-2022-45047
2022-11-16 09:15:00
CVE-2022-42003
2022-10-02 05:15:00
prion
prion
Deserialization of untrusted data
2022-11-16 09:15:00
Design/Logic Flaw
2023-01-18 00:15:00
Code injection
2022-10-02 05:15:00
veracode
veracode
Deserialization Of Untrusted Data
2022-11-17 08:30:02
Denial Of Service (DoS)
2022-10-03 10:42:53
ibm
ibm
Security Bulletin: A vulnerability has been identified in the IBM Spectrum Scale GUI where a remote authenticated user can execute commands [CVE-2022-45047]
2023-04-14 11:30:36
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to unsafe deserialization due to Apache MINA SSHD (CVE-2022-45047)
2022-12-21 19:28:57
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to FasterXML jackson-databind denial of service (CVE-2022-42003)
2022-12-05 06:49:13
github
github
Unsafe deserialization in Apache MINA SSHD
2022-11-16 12:00:18
Uncontrolled Resource Consumption in Jackson-databind
2022-10-03 00:00:31
osv
osv
CVE-2022-45047
2022-11-16 09:15:14
Unsafe deserialization in Apache MINA SSHD
2022-11-16 12:00:18
CVE-2022-42003
2022-10-02 05:15:09
redhatcve
redhatcve
CVE-2022-45047
2022-11-23 13:56:39
CVE-2022-42003
2022-10-17 07:01:04
cnvd
cnvd
Apache MINA deserialization vulnerability
2022-11-18 00:00:00
f5
f5
K91021753 : Apache MINA vulnerability CVE-2022-45047
2022-11-18 00:00:00
K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003
2023-08-15 00:00:00
atlassian
atlassian
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server
2023-11-12 13:45:23
FasterXML Vulnerability in Bamboo Data Center and Server
2023-10-06 17:45:19
FasterXML Vulnerability in Jira Service Management Data Center and Server
2023-10-09 01:44:35
debiancve
debiancve
CVE-2022-42003
2022-10-02 05:15:00
broadcom
broadcom
CVE-2022-42003 - In FasterXML jackson-databind before 2.14.0-rc1, ressource exhaustion
2023-05-03 00:00:00
ubuntucve
ubuntucve
CVE-2022-42003
2022-10-02 00:00:00
redhat
redhat
(RHSA-2023:0713) Important: Red Hat Data Grid 8.4.1 security update
2023-02-09 11:33:55
(RHSA-2023:0074) Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
2023-01-11 11:20:51
(RHSA-2023:1151) Critical: Satellite 6.11.5 Async Security Update
2023-03-07 18:53:49
openvas
openvas
openSUSE: Security Advisory for apache (SUSE-SU-2024:0224-1)
2024-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0224-1)
2024-01-26 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3995-1)
2022-11-16 00:00:00
gentoo
gentoo
FasterXML jackson-databind: Multiple vulnerabilities
2022-10-31 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerabilities
2024-03-16 19:28:17
debian
debian
[SECURITY] [DSA 5283-1] jackson-databind security update
2022-11-17 11:17:07
[SECURITY] [DLA 3207-1] jackson-databind security update
2022-11-27 18:53:52
freebsd
freebsd
cassandra3 -- multiple vulnerabilities
2023-01-11 00:00:00
qualysblog
qualysblog
Oracle Patch Tuesday April 2023 Security Update Review
2023-04-19 11:47:21
Oracle Patch Tuesday, July 2023 Security Update Review
2023-07-19 15:56:06
rocky
rocky
Satellite 6.13 Release
2023-05-05 15:39:58
JSON
Related for ORACLE_OPATCH_CPU_JAN_2023.NASL
nessus41cve3prion3veracode2ibm79github2osv6redhatcve2cnvd1f52atlassian4debiancve1broadcom1ubuntucve1redhat37openvas6gentoo1mageia1debian2freebsd1qualysblog2rocky1