Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_WEBCENTER_PORTAL_CPU_OCT_2022.NASL
HistoryOct 20, 2022 - 12:00 a.m.

Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2022 CPU)

2022-10-2000:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
JSON

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the Oct 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilites:

  • Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications (component: Framework (dojo)). The supported version that is affected is 3.0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Convergence. Successful attacks of this vulnerability can result in takeover of Oracle Communications Convergence. (CVE-2021-23450)

  • Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (jackson-databind)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebCenter Portal. (CVE-2020-36518)

  • Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Apache Santuario XML Security For Java)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Portal accessible data. (CVE-2021-40690)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(166335);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/24");

  script_cve_id(
    "CVE-2020-36518",
    "CVE-2021-23450",
    "CVE-2021-40690",
    "CVE-2021-43859",
    "CVE-2022-23437",
    "CVE-2022-24729",
    "CVE-2022-24823",
    "CVE-2022-30126"
  );
  script_xref(name:"IAVA", value:"2022-A-0431");
  script_xref(name:"IAVA", value:"2023-A-0558");

  script_name(english:"Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2022 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the Oct 2022
Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilites:

  - Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications (component: 
    Framework (dojo)). The supported version that is affected is 3.0.3.0. Easily exploitable vulnerability allows 
    unauthenticated attacker with network access via HTTP to compromise Oracle Communications Convergence. Successful 
    attacks of this vulnerability can result in takeover of Oracle Communications Convergence. (CVE-2021-23450)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework 
    (jackson-databind)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable 
    vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. 
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently 
    repeatable crash (complete DOS) of Oracle WebCenter Portal. (CVE-2020-36518)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework 
    (Apache Santuario XML Security For Java)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. 
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle 
    WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized access to critical data or 
    complete access to all Oracle WebCenter Portal accessible data. (CVE-2021-40690)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported 
version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuoct2022cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2022.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2022 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-23450");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:webcenter_portal");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_webcenter_portal_installed.nbin");
  script_require_keys("installed_sw/Oracle WebCenter Portal");

  exit(0);
}

include('vcf_extras_oracle_webcenter_portal.inc');

var app_info = vcf::oracle_webcenter_portal::get_app_info();

var constraints = [
  {'min_version' : '12.2.1.3', 'fixed_version' : '12.2.1.3.220901'},
  {'min_version' : '12.2.1.4', 'fixed_version' : '12.2.1.4.220902'}
];

vcf::oracle_webcenter_portal::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
VendorProductVersionCPE
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware
oraclewebcenter_portalcpe:/a:oracle:webcenter_portal

Related

nessus 29
redhat 3
ibm 71
ubuntucve 7
prion 7
cve 7
osv 17
cnvd 2
debiancve 5
redhatcve 6
github 4
openvas 13
veracode 5
suse 2
debian 4
atlassian 8
fedora 2
cgr 2
checkpoint_advisories 1
ubuntu 1
freebsd 1
oraclelinux 1
almalinux 1
nessus
nessus
Oracle Primavera Unifier (Jul 2022 CPU)
2022-07-20 00:00:00
Oracle WebCenter Sites (Oct 2022 CPU)
2022-10-21 00:00:00
Oracle Primavera Gateway (Jul 2022 CPU)
2022-07-21 00:00:00
redhat
redhat
(RHSA-2022:6819) Important: Red Hat AMQ Streams 2.2.0 release and security update
2022-10-05 14:27:55
(RHSA-2022:5596) Moderate: Red Hat build of Quarkus 2.7.6 release and security update
2022-07-19 11:26:48
(RHSA-2023:2312) Moderate: jackson security update
2023-05-09 05:07:11
ibm
ibm
Security Bulletin: Multiple Vulnerabilities discovered in libraries used by Apache Zookeeper that is included in ITNM (CVE-2020-36518, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823)
2023-01-04 15:58:13
Security Bulletin: Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859)
2023-01-17 16:19:21
Security Bulletin: IBM Tivoli Netcool Impact vulnerable to security bypass due to Apache Santuario XML Security (CVE-2021-40690)
2022-03-31 05:53:30
ubuntucve
ubuntucve
CVE-2022-24729
2022-03-16 00:00:00
CVE-2022-30126
2022-05-16 00:00:00
CVE-2021-43859
2022-02-01 00:00:00
prion
prion
Input validation
2022-03-16 17:15:00
Code injection
2022-05-16 17:15:00
Design/Logic Flaw
2022-02-01 12:15:00
cve
cve
CVE-2022-24729
2022-03-16 17:15:00
CVE-2022-30126
2022-05-16 17:15:00
CVE-2021-43859
2022-02-01 12:15:00
osv
osv
Regular expression denial of service in apache tika
2022-05-17 00:00:37
CVE-2022-30126
2022-05-16 17:15:09
libxstream-java - security update
2022-02-15 00:00:00
cnvd
cnvd
Apache Tika Denial of Service Vulnerability (CNVD-2022-73491)
2022-05-27 00:00:00
CKEditor4 authentication vulnerability
2022-03-17 00:00:00
debiancve
debiancve
CVE-2022-30126
2022-05-16 17:15:00
CVE-2022-24729
2022-03-16 17:15:00
CVE-2021-40690
2021-09-19 18:15:00
redhatcve
redhatcve
CVE-2022-30126
2022-06-06 22:57:18
CVE-2021-40690
2021-10-06 08:58:16
CVE-2021-43859
2022-02-02 17:17:46
github
github
Regular expression denial of service in apache tika
2022-05-17 00:00:37
Denial of Service by injecting highly recursive collections or maps in XStream
2022-02-01 00:48:15
Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario
2021-09-20 23:18:41
openvas
openvas
openSUSE: Security Advisory for xstream (openSUSE-SU-2022:0817-1)
2022-03-23 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:0817-1)
2022-03-14 00:00:00
Debian: Security Advisory (DLA-2924-1)
2022-02-16 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-05-17 07:13:07
Bypass Of Secure Validation
2021-09-20 03:36:05
Regular Expression Denial Of Service (ReDoS)
2022-03-17 08:30:53
suse
suse
Security update for xstream (moderate)
2022-03-14 00:00:00
Security update for xerces-j2 (important)
2022-02-18 00:00:00
debian
debian
[SECURITY] [DSA 5010-1] libxml-security-java security update
2021-11-15 17:27:50
[SECURITY] [DLA 2767-1] libxml-security-java security update
2021-09-27 12:36:42
[SECURITY] [DLA 2924-1] libxstream-java security update
2022-02-15 21:37:16
atlassian
atlassian
Vulnerable version of xmlsec used - CVE-2021-40690
2022-03-15 19:56:03
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
2023-12-14 07:45:31
Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin
2022-10-19 10:02:11
fedora
fedora
[SECURITY] Fedora 34 Update: xstream-1.4.19-1.fc34
2022-02-12 01:16:35
[SECURITY] Fedora 35 Update: xstream-1.4.19-1.fc35
2022-02-12 01:20:20
cgr
cgr
CVE-2021-40690 vulnerabilities
2024-04-26 03:19:48
CVE-2022-24823 vulnerabilities
2024-04-26 03:19:48
checkpoint_advisories
checkpoint_advisories
Dojo Prototype Pollution (CVE-2021-23450)
2022-05-15 00:00:00
ubuntu
ubuntu
Apache XML Security for Java vulnerability
2022-07-20 00:00:00
freebsd
freebsd
kafka -- Denial Of Service vulnerability
2022-03-11 00:00:00
oraclelinux
oraclelinux
jackson security update
2023-05-15 00:00:00
almalinux
almalinux
Moderate: jackson security update
2023-05-09 00:00:00
JSON
Related for ORACLE_WEBCENTER_PORTAL_CPU_OCT_2022.NASL
nessus29redhat3ibm71ubuntucve7prion7cve7osv17cnvd2debiancve5redhatcve6github4openvas13veracode5suse2debian4atlassian8fedora2cgr2checkpoint_advisories1ubuntu1freebsd1oraclelinux1almalinux1