Lucene search

K

Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2019 CPU)

Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2019 CPU). Vulnerabilities include arbitrary file read, denial of service, and remote code execution

Show more
Related
Refs
Code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130019);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/17");

  script_cve_id("CVE-2017-12626", "CVE-2019-12086", "CVE-2019-14379");
  script_bugtraq_id(102879, 109227);
  script_xref(name:"IAVA", value:"2019-A-0380");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2019 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web
server is 15.x prior to 15.2.17, 16.x prior to 16.2.10, 17.x prior to 17.12.5, or 18.x prior to 18.8.7. It is,
therefore, affected by multiple vulnerabilities:

  - An arbitrary file read vulnerability exists in the FasterXML jackson-databind component, which is version
    2.x prior to 2.9.9. This vulnerability is due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. An
    unauthenticated, remote attacker can exploit this by hosting a crafted MySQL server reachable by the
    victim and sending a crated JSON message that allows them to read arbitrary files and disclose sensitive
    information. (CVE-2019-12086)

  - Denial of service (DoS) vulnerabilities exist in the Apache POI component, which is prior to 3.1.7, due
    to a flaw when parsing crafted WMF, EMF, MSG, macros, DOC, PPT, and XLS. An unauthenticated, remote
    attacker can exploit this issue, via sending crafted input, to cause the application to stop responding.
    (CVE-2017-12626)

  - A remote code execution vulnerability exists in the FasterXML jackson-databind component, which is prior
    to 2.9.0.2, due to a flaw in how default typing is handled when ehcache is used because of 
    net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup. An unauthenticated, remote attacker
    can exploit this to bypass authentication and execute arbitrary commands. (CVE-2019-14379)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixPVA
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7302206");
  # https://support.oracle.com/rs?type=doc&id=2593049.1%20
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8f2e008f");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle Primavera Gateway version 15.2.17 / 16.2.10 / 17.12.5 / 18.8.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14379");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:primavera_gateway");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_primavera_gateway.nbin");
  script_require_keys("installed_sw/Oracle Primavera Gateway");
  script_require_ports("Services/www", 8006);

  exit(0);
}

include('http.inc');
include('vcf.inc');

get_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE);

port = get_http_port(default:8006);

app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port);

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { 'min_version' : '15.0.0', 'fixed_version' : '15.2.17' },
  { 'min_version' : '16.0.0', 'fixed_version' : '16.2.10' },
  { 'min_version' : '17.0.0', 'fixed_version' : '17.12.5' },
  { 'min_version' : '18.0.0', 'fixed_version' : '18.8.7' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo