BDU:2019-01760

Published: 09 May 2018
Source: fstec
CVSS3: 8.8
CVSS2: 9
EPSS: Low

Description

The vulnerability in the Spring Framework component of Oracle software products is caused by improper authorization. Exploiting it may allow a remote attacker to gain unauthorized access to protected information.

Vendor

Oracle Corp.
Pivotal Software Inc.
Red Hat Inc.

Software name

Enterprise Manager Ops Center
Enterprise Repository
Insurance Policy Administration
PeopleSoft Enterprise FIN Install
Retail Back Office
Retail Central Office
Retail Returns Management
Retail Point-of-Service
MySQL Enterprise Monitor
Communications Diameter Signaling Router
Oracle Endeca Information Discovery Integrator
WebLogic Server
WebCenter Sites
Oracle Retail Order Broker
Enterprise Manager Base Platform
Spring Framework
Oracle Communications Unified Inventory Management
Oracle FLEXCUBE Private Banking
Oracle Utilities Network Management System
Communications Converged Application Server
Insurance Policy Administration J2EE
Financial Services Analytical Applications Infrastructure
Jboss Fuse
Oracle Hospitality Guest Access
Application Testing Suite
Primavera Gateway
Retail Xstore Point of Service
Oracle Retail Clearance Optimization Engine
Oracle Retail Markdown Optimization
Oracle Retail Customer Insights
Communications Online Mediation Controller
Primavera Analytics
Retail Integration Bus
Oracle Retail Predictive Application Server
Oracle Retail Assortment Planning
Oracle Big Data Discovery
Oracle Insurance Calculation Engine
Oracle Insurance Rules Palette
Oracle Retail Financial Integration
Oracle Retail Service Backbone
Oracle Healthcare Master Person Index
Oracle Agile PLM
Financial Services Behavior Detection Platform
MICROS Lucas
Enterprise Manager for MySQL Database
Oracle GoldenGate for Big Data
Tape Library ACSLS
Oracle Communications Services Gatekeeper
Retail Open Commerce Platform
Oracle Health Sciences Information Manager
Oracle Service Architecture Leveraging Tuxedo
Communications Performance Intelligence Center (PIC) Software
Enterprise Manager for Fusion Applications

Software version

12.2.2 (Enterprise Manager Ops Center)
12.3.3 (Enterprise Manager Ops Center)
11.1.1.7.0 (Enterprise Repository)
12.1.3.0.0 (Enterprise Repository)
10.0 (Insurance Policy Administration)
10.1 (Insurance Policy Administration)
10.2 (Insurance Policy Administration)
11.0 (Insurance Policy Administration)
9.2 (PeopleSoft Enterprise FIN Install)
14.0 (Retail Back Office)
14.1 (Retail Back Office)
14.0 (Retail Central Office)
14.1 (Retail Central Office)
14.0 (Retail Returns Management)
14.1 (Retail Returns Management)
14.0 (Retail Point-of-Service)
14.1 (Retail Point-of-Service)
up to 3.4.9.4237 inclusive (MySQL Enterprise Monitor)
up to 4.0.6.5281 inclusive (MySQL Enterprise Monitor)
up to 8.0.2.8191 inclusive (MySQL Enterprise Monitor)
before 8.3 (Communications Diameter Signaling Router)
3.2.0 (Oracle Endeca Information Discovery Integrator)
3.1.0 (Oracle Endeca Information Discovery Integrator)
12.2.1.3.0 (WebLogic Server)
12.2.1.3.0 (WebCenter Sites)
5.1 (Oracle Retail Order Broker)
5.2 (Oracle Retail Order Broker)
15.0 (Oracle Retail Order Broker)
16.0 (Oracle Retail Order Broker)
13.2.0.0.0 (Enterprise Manager Base Platform)
13.3.0.0.0 (Enterprise Manager Base Platform)
5.0.5 (Spring Framework)
12.1.0.5.0 (Enterprise Manager Base Platform)
7.3.2 (Oracle Communications Unified Inventory Management)
7.3.4 (Oracle Communications Unified Inventory Management)
7.3.5 (Oracle Communications Unified Inventory Management)
7.4.0 (Oracle Communications Unified Inventory Management)
2.0.0.0 (Oracle FLEXCUBE Private Banking)
2.2.0.1 (Oracle FLEXCUBE Private Banking)
12.0.1.0 (Oracle FLEXCUBE Private Banking)
12.0.3.0 (Oracle FLEXCUBE Private Banking)
12.1.0.0 (Oracle FLEXCUBE Private Banking)
1.12.0.3 (Oracle Utilities Network Management System)
before 7.0.0.1 (Communications Converged Application Server)
10.0 (Insurance Policy Administration J2EE)
10.2 (Insurance Policy Administration J2EE)
8.0.0.0.0 (Financial Services Analytical Applications Infrastructure)
7 (Jboss Fuse)
4.2.0 (Oracle Hospitality Guest Access)
4.2.1 (Oracle Hospitality Guest Access)
13.3.0.1 (Application Testing Suite)
15.2 (Primavera Gateway)
16.2 (Primavera Gateway)
17.12 (Primavera Gateway)
18.8 (Primavera Gateway)
17.0 (Retail Xstore Point of Service)
from 8.0.2 to 8.0.8 inclusive (Financial Services Analytical Applications Infrastructure)
12.5.0.3 (Application Testing Suite)
13.1.0.1 (Application Testing Suite)
13.2.0.1 (Application Testing Suite)
14.0.5 (Oracle Retail Clearance Optimization Engine)
13.4.4 (Oracle Retail Markdown Optimization)
15.0 (Oracle Retail Customer Insights)
16.0 (Oracle Retail Customer Insights)
6.1 (Communications Online Mediation Controller)
18.8 (Primavera Analytics)
15.0 (Retail Integration Bus)
16.0 (Retail Integration Bus)
6.0 (Communications Converged Application Server)
6.1 (Communications Converged Application Server)
16.0 (Oracle Retail Predictive Application Server)
14.0.3.26 (Oracle Retail Predictive Application Server)
14.1.3.37 (Oracle Retail Predictive Application Server)
15.0.3.100 (Oracle Retail Predictive Application Server)
15.0 (Oracle Retail Assortment Planning)
16.0 (Oracle Retail Assortment Planning)
1.6 (Oracle Big Data Discovery)
9.7 (Oracle Insurance Calculation Engine)
10.0 (Oracle Insurance Calculation Engine)
10.1 (Oracle Insurance Calculation Engine)
10.2 (Oracle Insurance Calculation Engine)
10.1 (Insurance Policy Administration J2EE)
11.0 (Insurance Policy Administration J2EE)
10.0 (Oracle Insurance Rules Palette)
10.1 (Oracle Insurance Rules Palette)
10.2 (Oracle Insurance Rules Palette)
11.0 (Oracle Insurance Rules Palette)
from 4.0.0 to 4.0.9 inclusive (MySQL Enterprise Monitor)
from 8.0.0 to 8.0.14 inclusive (MySQL Enterprise Monitor)
14.0 (Oracle Retail Financial Integration)
14.1 (Oracle Retail Financial Integration)
15.0 (Oracle Retail Financial Integration)
16.0 (Oracle Retail Financial Integration)
16.0.1 (Oracle Retail Service Backbone)
3.0 (Oracle Healthcare Master Person Index)
9.3.3 (Oracle Agile PLM)
9.3.5 (Oracle Agile PLM)
9.3.6 (Oracle Agile PLM)
8.0.0 (Financial Services Behavior Detection Platform)
2.9.5 (MICROS Lucas)
14.0.0 (Retail Integration Bus)
14.1.0 (Retail Integration Bus)
14.1.2 (Retail Integration Bus)
13.2 (Enterprise Manager for MySQL Database)
14.1 (Oracle Retail Assortment Planning)
13.2 (Oracle Retail Financial Integration)
9.3.4 (Oracle Agile PLM)
12.2.0.1 (Oracle GoldenGate for Big Data)
12.3.1.1 (Oracle GoldenGate for Big Data)
12.3.2.1 (Oracle GoldenGate for Big Data)
10.1.1 (Oracle Insurance Calculation Engine)
10.2.1 (Oracle Insurance Calculation Engine)
11.1 (Oracle Insurance Rules Palette)
14.0 (Oracle Retail Predictive Application Server)
14.1 (Oracle Retail Predictive Application Server)
15.0 (Oracle Retail Predictive Application Server)
8.4 (Tape Library ACSLS)
before 6.1.0.4.0 (Oracle Communications Services Gatekeeper)
4.0 (Oracle Healthcare Master Person Index)
5.3.0 (Retail Open Commerce Platform)
6.0.0 (Retail Open Commerce Platform)
6.0.1 (Retail Open Commerce Platform)
3.0 (Oracle Health Sciences Information Manager)
12.1.3.0.0 (Oracle Service Architecture Leveraging Tuxedo)
12.2.2.0.0 (Oracle Service Architecture Leveraging Tuxedo)
before 10.2.1 (Communications Performance Intelligence Center (PIC) Software)
13.3.0.0 (Enterprise Manager for Fusion Applications)

Software type

Network software
Application software for information systems
Software of a network hardware/software appliance
Security software

Operating systems and hardware platforms

-

Severity level

High severity (CVSS 2.0 base score: 9)
High severity (CVSS 3.0 base score: 8.8)

Possible remediation measures

For the Spring Framework platform, follow the vendor recommendations at:
https://pivotal.io/security/cve-2018-1258
For Oracle products:
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
For Red Hat:
https://access.redhat.com/security/cve/CVE-2018-1258?extIdCarryOver=true&sc_cid=701f2000001OH7JAAW

Vulnerability status

Confirmed by the vendor

Exploit availability

Information pending

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS: 0.0016 (percentile 38%), Low
CVSS3: 8.8 High
CVSS2: 9 Critical

Related vulnerabilities

CVSS3: 8.8
ubuntu
about 7 years ago

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CVSS3: 5.6
redhat
about 7 years ago

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CVSS3: 8.8
nvd
about 7 years ago

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CVSS3: 8.8
debian
about 7 years ago

Spring Framework version 5.0.5 when used in combination with any versi ...

CVSS3: 8.8
github
more than 6 years ago

Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass
