Lucene search
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_RDBMS_CPU_JAN_2020.NASLHistoryJan 17, 2020 - 12:00 a.m.
Oracle Database Server Multiple Vulnerabilities (Jan 2020 CPU)
2020-01-1700:00:00
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
354
The remote Oracle Database Server is missing the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:
-
A denial of service (DoS) vulnerability exists in the Core RDBMS component of Oracle Database Server. An authenticated, remote attacker can exploit this issue, to cause the application to stop responding.
(CVE-2020-2511) -
A remote code execution vulnerability exists in the Core RDBMS component of Oracle Database Server. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
(CVE-2020-2510) -
An unspecified vulnerability exists in the JavaVM component of Oracle Database Server. An authenicated, remote attacker can exploit this issue, to affect the confidentiality, integrity and availability of the application.
It is also affected by additional vulnerabilities; see the vendor advisory for more information.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(133047);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/21");
script_cve_id(
"CVE-2019-10072",
"CVE-2020-2510",
"CVE-2020-2511",
"CVE-2020-2512",
"CVE-2020-2515",
"CVE-2020-2516",
"CVE-2020-2517",
"CVE-2020-2518",
"CVE-2020-2527",
"CVE-2020-2568",
"CVE-2020-2569",
"CVE-2020-2731"
);
script_bugtraq_id(108874);
script_xref(name:"IAVA", value:"2020-A-0020-S");
script_name(english:"Oracle Database Server Multiple Vulnerabilities (Jan 2020 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Database Server is missing the January 2020 Critical Patch Update (CPU). It is, therefore, affected
by multiple vulnerabilities:
- A denial of service (DoS) vulnerability exists in the Core RDBMS component of Oracle Database Server. An
authenticated, remote attacker can exploit this issue, to cause the application to stop responding.
(CVE-2020-2511)
- A remote code execution vulnerability exists in the Core RDBMS component of Oracle Database Server. An
unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
(CVE-2020-2510)
- An unspecified vulnerability exists in the JavaVM component of Oracle Database Server. An authenicated,
remote attacker can exploit this issue, to affect the confidentiality, integrity and availability of the
application.
It is also affected by additional vulnerabilities; see the vendor advisory for more information.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://www.oracle.com/security-alerts/cpujan2020.html#AppendixDB
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?58180da1");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2020 Oracle Critical Patch Update advisory.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2510");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14");
script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Databases");
script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin");
exit(0);
}
include('vcf_extras_oracle.inc');
var app_info = vcf::oracle_rdbms::get_app_info();
var constraints = [
# RDBMS:
{'min_version': '19.6', 'fixed_version': '19.6.0.0.200114', 'missing_patch':'30557433', 'os':'unix', 'component':'db'},
{'min_version': '19.0', 'fixed_version': '19.6.0.0.200114', 'missing_patch':'30445947', 'os':'win', 'component':'db'},
{'min_version': '19.5', 'fixed_version': '19.5.1.0.200114', 'missing_patch':'30446054', 'os':'unix', 'component':'db'},
{'min_version': '19.0', 'fixed_version': '19.4.2.0.200114', 'missing_patch':'30446228', 'os':'unix', 'component':'db'},
{'min_version': '18.9', 'fixed_version': '18.9.0.0.200114', 'missing_patch':'30480385', 'os':'unix', 'component':'db'},
{'min_version': '18.0', 'fixed_version': '18.9.0.0.200114', 'missing_patch':'30445951', 'os':'win', 'component':'db'},
{'min_version': '18.8', 'fixed_version': '18.8.1.0.200114', 'missing_patch':'30445895', 'os':'unix', 'component':'db'},
{'min_version': '18.0', 'fixed_version': '18.7.2.0.200114', 'missing_patch':'30446239', 'os':'unix', 'component':'db'},
{'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.200114', 'missing_patch':'30445968, 30446254, 30593149', 'os':'unix', 'component':'db'},
{'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.200114', 'missing_patch':'30446296', 'os':'win', 'component':'db'},
{'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.200114', 'missing_patch':'30340202, 30364137', 'os':'unix', 'component':'db'},
{'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.200114', 'missing_patch':'30455401', 'os':'win', 'component':'db'},
{'min_version': '11.2.0.4', 'fixed_version': '11.2.0.4.200114', 'missing_patch':'30298532, 30310975, 30559616', 'os':'unix', 'component':'db'},
{'min_version': '11.2.0.4', 'fixed_version': '11.2.0.4.200114', 'missing_patch':'30502376', 'os':'win', 'component':'db'},
# OJVM:
{'min_version': '19.0', 'fixed_version': '19.6.0.0.200114', 'missing_patch':'30484981', 'os':'unix', 'component':'ojvm'},
{'min_version': '19.0', 'fixed_version': '19.6.0.0.200114', 'missing_patch':'30484981', 'os':'win', 'component':'ojvm'},
{'min_version': '18.0', 'fixed_version': '18.9.0.0.200114', 'missing_patch':'30501926', 'os':'unix', 'component':'ojvm'},
{'min_version': '18.0', 'fixed_version': '18.9.0.0.200114', 'missing_patch':'30501926', 'os':'win', 'component':'ojvm'},
{'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.200114', 'missing_patch':'30502018', 'os':'unix', 'component':'ojvm'},
{'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.200114', 'missing_patch':'30525838', 'os':'win', 'component':'ojvm'},
{'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.200114', 'missing_patch':'30502041', 'os':'unix', 'component':'ojvm'},
{'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.200114', 'missing_patch':'30671054', 'os':'win', 'component':'ojvm'},
{'min_version': '11.2.0.4', 'fixed_version': '11.2.0.4.200114', 'missing_patch':'30503372', 'os':'unix', 'component':'ojvm'},
{'min_version': '11.2.0.4', 'fixed_version': '11.2.0.4.200114', 'missing_patch':'30671044', 'os':'win', 'component':'ojvm'}
];
vcf::oracle_rdbms::check_version_and_report(app_info:app_info, severity:SECURITY_HOLE, constraints:constraints);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | database_server | cpe:/a:oracle:database_server |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2510
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2511
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2512
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2515
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2516
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2517
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2518
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2568
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2569
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2731
www.nessus.org/u?58180da1
Related
ibm
ibm
prion
prion
Design/Logic Flaw
2020-01-15 17:15:00
Design/Logic Flaw
2020-01-15 17:15:00
Code injection
2020-01-15 17:15:00
cve
cve
nessus
nessus
MySQL Enterprise Monitor 8.x < 8.0.18 DoS (Oct 2019 CPU)
2020-07-24 00:00:00
Photon OS 3.0: Apache PHSA-2019-3.0-0024
2019-08-26 00:00:00
Photon OS 1.0: Apache PHSA-2019-1.0-0244
2019-07-24 00:00:00
cisa
cisa
Apache Releases Security Advisory for Apache Tomcat
2019-06-20 00:00:00
kaspersky
kaspersky
KLA11571 DoS vulnerability in Apache Tomcat
2019-05-13 00:00:00
openvas
openvas
Apache Tomcat DoS Vulnerability (Jun 2019) - Linux
2019-06-21 00:00:00
Apache Tomcat DoS Vulnerability (Jun 2019) - Windows
2019-06-21 00:00:00
Apache Tomcat DoS Vulnerability (Jun 2019) - Windows
2019-08-28 00:00:00
symantec
symantec
Oracle Database Server CVE-2020-2569 Local Security Vulnerability
2020-01-14 00:00:00
Apache Tomcat CVE-2019-10072 Incomplete Fix Denial of Service Vulnerability
2019-06-20 00:00:00
Oracle Database Server CVE-2020-2517 Remote Security Vulnerability
2020-01-14 00:00:00
photon
photon
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2019-1.0-0244
2019-07-19 00:00:00
Important Photon OS Security Update - PHSA-2019-0244
2019-07-19 00:00:00
Critical Photon OS Security Update - PHSA-2019-0171
2019-08-02 00:00:00
zdi
zdi
Apache Tomcat reserveWindowSize Denial-Of-Service Vulnerability
2019-06-21 00:00:00
osv
osv
Improper Locking in Apache Tomcat
2019-06-26 01:09:40
CVE-2019-10072
2019-06-21 18:15:09
tomcat9 - security update
2020-05-06 00:00:00
redhatcve
redhatcve
CVE-2019-10072
2019-06-25 08:51:26
github
github
Improper Locking in Apache Tomcat
2019-06-26 01:09:40
tomcat
tomcat
Fixed in Apache Tomcat 9.0.20
2019-05-13 00:00:00
Fixed in Apache Tomcat 8.5.41
2019-05-13 00:00:00
debiancve
debiancve
CVE-2019-10072
2019-06-21 18:15:00
veracode
veracode
Denial Of Service (DoS)
2019-06-21 05:42:50
f5
f5
K17321505 : Apache Tomcat vulnerability CVE-2019-10072
2019-06-27 00:00:00
ubuntucve
ubuntucve
CVE-2019-10072
2019-06-21 00:00:00
suse
suse
Security update for tomcat (important)
2020-01-14 00:00:00
mageia
mageia
Updated tomcat packages fix security vulnerabilities
2019-09-08 17:09:05
ubuntu
ubuntu
Tomcat vulnerabilities
2019-09-10 00:00:00
Tomcat vulnerabilities
2019-09-18 00:00:00
threatpost
threatpost
Oracle Ties Previous All-Time Patch High with January Updates
2020-01-14 23:43:10
redhat
redhat
(RHSA-2019:3931) Important: Red Hat JBoss Web Server 5.2 security release
2019-11-20 16:01:32
(RHSA-2019:3929) Important: Red Hat JBoss Web Server 5.2 security release
2019-11-20 15:52:12
debian
debian
[SECURITY] [DSA 4680-1] tomcat9 security update
2020-05-06 20:58:40
hackerone
hackerone
oracle
oracle
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00
Oracle Critical Patch Update Advisory - October 2019
2020-01-22 00:00:00
Oracle Critical Patch Update Advisory - April 2021
2021-04-20 00:00:00
Related for ORACLE_RDBMS_CPU_JAN_2020.NASL