exploitDog

BDU:2019-04006

Published: 15 Oct 2019
Source: fstec
CVSS3: 9.8
CVSS2: 10
EPSS: Medium

Description

A vulnerability in the ADF Faces subcomponent of the Oracle JDeveloper and ADF component of the Oracle Fusion Middleware software platform is caused by access control flaws. Exploitation of the vulnerability may allow a remote attacker to gain full control of the application over the HTTP network protocol.

Vendor

Oracle Corp.

Software name

Fusion Middleware
Enterprise Repository
Business Process Management Suite
Hyperion Planning
Application Testing Suite
Oracle Retail Clearance Optimization Engine
Oracle Hyperion Financial Close Management
Oracle Retail Assortment Planning
Banking Platform
Banking Enterprise Product Manufacturing
Oracle FLEXCUBE Private Banking
Clinical
Oracle Health Sciences Data Management Workbench
Oracle Retail Markdown Optimization
Oracle Retail Sales Audit
Oracle Communications Service Broker
Oracle Communications Services Gatekeeper
Oracle Banking Enterprise Collections
Oracle Banking Enterprise Originations
Oracle Financial Services Revenue Management and Billing
Communications Diameter Signaling Router

Software version

11.1.1.9.0 (Fusion Middleware)
12.1.3.0.0 (Fusion Middleware)
12.2.1.3.0 (Fusion Middleware)
11.1.1.7.0 (Enterprise Repository)
12.2.1.3.0 (Business Process Management Suite)
11.1.2.4 (Hyperion Planning)
13.3.0.1 (Application Testing Suite)
12.5.0.3 (Application Testing Suite)
13.1.0.1 (Application Testing Suite)
13.2.0.1 (Application Testing Suite)
14.0.5 (Oracle Retail Clearance Optimization Engine)
11.1.2.4 (Oracle Hyperion Financial Close Management)
16.0.3 (Oracle Retail Assortment Planning)
2.5.0 (Banking Platform)
2.6.0 (Banking Platform)
2.6.1 (Banking Platform)
2.6.2 (Banking Platform)
2.7.0 (Banking Enterprise Product Manufacturing)
2.8.0 (Banking Enterprise Product Manufacturing)
12.0 (Oracle FLEXCUBE Private Banking)
12.1 (Oracle FLEXCUBE Private Banking)
2.4.0 (Banking Platform)
2.4.1 (Banking Platform)
2.7.0 (Banking Platform)
2.7.2 (Banking Platform)
2.7.1 (Banking Platform)
2.9.0 (Banking Platform)
5.2 (Clinical)
2.4 (Oracle Health Sciences Data Management Workbench)
2.5 (Oracle Health Sciences Data Management Workbench)
15.0.3 (Oracle Retail Assortment Planning)
13.4 (Oracle Retail Markdown Optimization)
15.0.3 (Oracle Retail Sales Audit)
16.0.2 (Oracle Retail Sales Audit)
6.0 (Oracle Communications Service Broker)
6.1 (Oracle Communications Service Broker)
6.0 (Oracle Communications Services Gatekeeper)
6.1 (Oracle Communications Services Gatekeeper)
2.7.0 (Oracle Banking Enterprise Collections)
2.8.0 (Oracle Banking Enterprise Collections)
2.7.0 (Oracle Banking Enterprise Originations)
2.8.0 (Oracle Banking Enterprise Originations)
2.6 (Oracle Financial Services Revenue Management and Billing)
2.7 (Oracle Financial Services Revenue Management and Billing)
2.8 (Oracle Financial Services Revenue Management and Billing)
12.2.1.4.0 (Business Process Management Suite)
from 8.0.0.0 to 8.4.0.5 inclusive (Communications Diameter Signaling Router)

Software type

Virtualization software / virtual software-hardware appliance software
Information system application software
Network software
Network software-hardware appliance software

Operating systems and hardware platforms

-

Vulnerability severity level

Critical severity (CVSS 2.0 base score: 10)
Critical severity (CVSS 3.0 base score: 9.8)

Possible remediation measures

For Oracle Corp. software products:
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 94%
Score: 0.12605 (Medium)

CVSS3: 9.8 Critical
CVSS2: 10 Critical

Related vulnerabilities

CVSS3: 9.8
nvd
more than 6 years ago

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

github
more than 3 years ago

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
