Lucene search
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASLHistoryFeb 02, 2021 - 12:00 a.m.
Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU)
2021-02-0200:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
196
The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021 Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities :
-
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Portlet Services (dom4j)). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.
Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. (CVE-2020-10683) -
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Apache Commons BeanUtils)). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Portal accessible data as well as unauthorized read access to a subset of Oracle WebCenter Portal accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2019-10086)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(146048);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/24");
script_cve_id("CVE-2019-10086", "CVE-2020-10683");
script_xref(name:"IAVA", value:"2021-A-0326");
script_xref(name:"CEA-ID", value:"CEA-2021-0004");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_xref(name:"IAVA", value:"2023-A-0559");
script_name(english:"Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU)");
script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021
Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities :
- Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Portlet
Services (dom4j)). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.
Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. (CVE-2020-10683)
- Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security
Framework (Apache Commons BeanUtils)). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and
12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP
to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle WebCenter Portal accessible data as well as unauthorized
read access to a subset of Oracle WebCenter Portal accessible data and unauthorized ability to cause a
partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2019-10086)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's
self-reported version number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2021.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10683");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/01");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/02");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:webcenter_portal");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_webcenter_portal_installed.nbin");
script_require_keys("installed_sw/Oracle WebCenter Portal");
exit(0);
}
include('vcf_extras_oracle_webcenter_portal.inc');
var app_info = vcf::oracle_webcenter_portal::get_app_info();
var constraints = [
{'min_version' : '11.1.1.9', 'fixed_version' : '11.1.1.9.210115'},
{'min_version' : '12.2.1.3', 'fixed_version' : '12.2.1.3.201202'},
{'min_version' : '12.2.1.4', 'fixed_version' : '12.2.1.4.201126'}
];
vcf::oracle_webcenter_portal::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | fusion_middleware | cpe:/a:oracle:fusion_middleware | |
| oracle | webcenter_portal | cpe:/a:oracle:webcenter_portal |
Related
nessus
nessus
EulerOS 2.0 SP3 : dom4j (EulerOS-SA-2020-2102)
2020-09-28 00:00:00
Debian DLA-2191-1 : dom4j security update
2020-05-01 00:00:00
EulerOS 2.0 SP2 : dom4j (EulerOS-SA-2020-1677)
2020-06-17 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2020-1596)
2020-06-03 00:00:00
Debian LTS: Security Advisory for dom4j (DLA-2191-1)
2020-05-01 00:00:00
openSUSE: Security Advisory for dom4j (openSUSE-SU-2020:0719-1)
2020-05-27 00:00:00
osv
osv
dom4j vulnerability
2020-10-13 23:28:44
CVE-2020-10683
2020-05-01 19:15:12
dom4j allows External Entities by default which might enable XXE attacks
2020-06-05 16:13:36
ibm
ibm
cve
cve
CVE-2020-10683
2020-05-01 19:15:00
CVE-2019-10086
2019-08-20 21:15:00
prion
prion
Xxe
2020-05-01 19:15:00
Default configuration
2019-08-20 21:15:00
ubuntu
ubuntu
dom4j vulnerability
2020-10-13 00:00:00
Apache Commons BeanUtils vulnerabilities
2021-03-15 00:00:00
mageia
mageia
Updated dom4j packages fix a security vulnerability
2021-01-17 19:07:01
Updated apache-commons-beanutils packages fix security vulnerability
2019-12-19 16:44:26
redhatcve
redhatcve
CVE-2020-10683
2022-05-14 11:33:01
CVE-2019-10086
2020-02-14 11:44:26
f5
f5
K02349370 : dom4j library vulnerability CVE-2020-10683
2020-05-12 00:00:00
veracode
veracode
XML External Entity
2020-04-22 04:37:29
Authorization Bypass
2019-08-16 00:43:09
suse
suse
Security update for dom4j (important)
2020-05-26 00:00:00
Security update for apache-commons-beanutils (important)
2019-09-03 00:00:00
debiancve
debiancve
CVE-2020-10683
2020-05-01 19:15:00
CVE-2019-10086
2019-08-20 21:15:00
ubuntucve
ubuntucve
CVE-2020-10683
2020-05-01 00:00:00
CVE-2019-10086
2019-08-20 00:00:00
debian
debian
[SECURITY] [DLA 2191-1] dom4j security update
2020-04-30 22:00:18
[SECURITY] [DLA 1896-1] commons-beanutils security update
2019-08-24 14:49:34
github
github
dom4j allows External Entities by default which might enable XXE attacks
2020-06-05 16:13:36
Insecure Deserialization in Apache Commons Beanutils
2020-06-15 20:36:17
fedora
fedora
[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30
2019-11-13 09:58:19
[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31
2019-11-13 10:08:09
redhat
redhat
(RHSA-2020:0057) Important: rh-java-common-apache-commons-beanutils security update
2020-01-08 11:00:17
(RHSA-2020:0194) Important: apache-commons-beanutils security update
2020-01-21 18:21:47
(RHSA-2020:2619) Important: Red Hat Fuse 7.6.0 on EAP security update
2020-06-18 14:53:14
symantec
symantec
Apache Commons Beanutils CVE-2019-10086 Remote Security Vulnerability
2019-08-15 00:00:00
amazon
amazon
Important: apache-commons-beanutils
2020-02-17 19:50:00
cgr
cgr
CVE-2019-10086 vulnerabilities
2024-04-16 09:09:05
centos
centos
apache security update
2020-01-28 21:30:14
wolfi
wolfi
CVE-2019-10086 vulnerabilities
2024-04-16 09:08:09
oraclelinux
oraclelinux
apache-commons-beanutils security update
2020-01-22 00:00:00
Related for ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASL