exploitDog

BDU:2019-04406

Published: 15 Jan 2019
Source: fstec
CVSS3: 7.5
CVSS2: 7.9
EPSS: Critical

Description

A vulnerability in the Apache Axis web services platform is caused by insufficient validation of incoming requests. Exploitation of the vulnerability could allow a remote attacker to carry out an SSRF attack.

Vendor

Oracle Corp.
Apache Software Foundation
АО «Концерн ВНИИНС»

Software name

Primavera Unifier
Tuxedo
PeopleSoft Enterprise PeopleTools
WebCenter Portal
Oracle Secure Global Desktop
Oracle Retail Order Broker
Instantis EnterpriseTrack
Agile Engineering Data Management
Enterprise Manager Base Platform
Oracle Hospitality Guest Access
Application Testing Suite
Retail Xstore Point of Service
Axis
Oracle Policy Automation Connector for Siebel
PeopleSoft Enterprise HCM Human Resources
Primavera Gateway
Oracle Communications Design Studio
Financial Services Analytical Applications Infrastructure
Oracle Endeca Information Discovery Studio
Oracle Agile PLM Framework
Oracle Communications Element Manager
Oracle Communications Session Report Manager
Oracle Communications Session Route Manager
Oracle FLEXCUBE Private Banking
Oracle Big Data Discovery
Oracle Communications ASAP Cartridges
Oracle Knowledge
Financial Services Funds Transfer Pricing
Rapid Planning
Oracle Communications Order and Service Management
Oracle Communications Network Integrity
Enterprise Manager for Fusion Middleware
Financial Services Compliance Regulatory Reporting
Oracle Real-Time Decision Server
ОС ОН «Стрелец»

Software version

16.2 (Primavera Unifier)
16.1 (Primavera Unifier)
12.1.1.0 (Tuxedo)
8.56 (PeopleSoft Enterprise PeopleTools)
8.57 (PeopleSoft Enterprise PeopleTools)
12.2.1.3.0 (WebCenter Portal)
5.4 (Oracle Secure Global Desktop)
15.0 (Oracle Retail Order Broker)
16.0 (Oracle Retail Order Broker)
17.1 (Instantis EnterpriseTrack)
17.2 (Instantis EnterpriseTrack)
17.3 (Instantis EnterpriseTrack)
6.2.1 (Agile Engineering Data Management)
12.1.0.5 (Enterprise Manager Base Platform)
4.2.0 (Oracle Hospitality Guest Access)
4.2.1 (Oracle Hospitality Guest Access)
13.3.0.1 (Application Testing Suite)
18.8 (Primavera Unifier)
7.1 (Retail Xstore Point of Service)
1.4 (Axis)
10.4.6 (Oracle Policy Automation Connector for Siebel)
13.2.0.1 (Application Testing Suite)
13.3.0.0 (Enterprise Manager Base Platform)
9.2 (PeopleSoft Enterprise HCM Human Resources)
5.5 (Oracle Secure Global Desktop)
16.2.11 (Primavera Gateway)
17.12.6 (Primavera Gateway)
19.12 (Primavera Unifier)
7.3.4.3.0 (Oracle Communications Design Studio)
7.3.5.5.0 (Oracle Communications Design Studio)
7.4.0.4.0 (Oracle Communications Design Studio)
from 17.7 through 17.12 inclusive (Primavera Unifier)
from 7.3.3 through 7.3.5 inclusive (Financial Services Analytical Applications Infrastructure)
3.2.0 (Oracle Endeca Information Discovery Studio)
7.4.1.1.0 (Oracle Communications Design Studio)
12.1.3.0 (Tuxedo)
9.3.3 (Oracle Agile PLM Framework)
18.0 (Oracle Retail Order Broker)
8.58 (PeopleSoft Enterprise PeopleTools)
8.0.0 (Oracle Communications Element Manager)
8.1.0 (Oracle Communications Element Manager)
8.1.1 (Oracle Communications Element Manager)
8.2.0 (Oracle Communications Element Manager)
8.0.0 (Oracle Communications Session Report Manager)
8.1.0 (Oracle Communications Session Report Manager)
8.1.1 (Oracle Communications Session Report Manager)
8.2.0 (Oracle Communications Session Report Manager)
8.0.0 (Oracle Communications Session Route Manager)
8.1.0 (Oracle Communications Session Route Manager)
8.1.1 (Oracle Communications Session Route Manager)
8.2.0 (Oracle Communications Session Route Manager)
12.0 (Oracle FLEXCUBE Private Banking)
12.1 (Oracle FLEXCUBE Private Banking)
1.6 (Oracle Big Data Discovery)
7.2 (Oracle Communications ASAP Cartridges)
7.3 (Oracle Communications ASAP Cartridges)
from 8.6.0 to 8.6.3 (Oracle Knowledge)
from 8.0.0 through 8.0.8 inclusive (Financial Services Analytical Applications Infrastructure)
from 8.0.2 through 8.0.7 inclusive (Financial Services Funds Transfer Pricing)
12.1 (Rapid Planning)
12.2 (Rapid Planning)
7.3 (Oracle Communications Order and Service Management)
7.4 (Oracle Communications Order and Service Management)
7.3.5 (Oracle Communications Network Integrity)
7.3.6 (Oracle Communications Network Integrity)
12.1.0.5 (Enterprise Manager for Fusion Middleware)
from 8.0.6 through 8.0.8 inclusive (Financial Services Compliance Regulatory Reporting)
3.2.1.0 (Oracle Real-Time Decision Server)
prior to 16.01.2023 (ОС ОН «Стрелец»)

Software type

Information systems application software
Network software
Operating system

Operating systems and hardware platforms

АО «Концерн ВНИИНС» ОС ОН «Стрелец» prior to 16.01.2023

Vulnerability severity level

High severity (CVSS 2.0 base score is 7.9)
High severity (CVSS 3.0 base score is 7.5)

Possible remediation measures

Follow the vendor recommendations:
For Apache Axis:
Update the Apache Axis web services platform to version 1.7.9 or later
For Oracle:
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpujan2021.html
For ОС ОН «Стрелец»:
Update the axis package to version 1.4-25strelets0

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability has been fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 100%
0.90738
Critical

CVSS3

7.5 High

CVSS2

7.9 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 7 years ago

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

CVSS3: 8
redhat
almost 7 years ago

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

CVSS3: 7.5
nvd
almost 7 years ago

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

CVSS3: 7.5
debian
almost 7 years ago

A Server Side Request Forgery (SSRF) vulnerability affected the Apache ...

CVSS3: 7.5
github
more than 6 years ago

Server Side Request Forgery in Apache Axis