BDU:2020-03564

Published: 14 May 2020
Source: fstec
CVSS3: 6.3
CVSS2: 5.5
EPSS: Low

Description

A vulnerability in the java.io.tmpdir component of the Apache Ant build automation utility is caused by errors in handling temporary files. Exploitation of the vulnerability may allow an attacker to modify data or gain unauthorized access to protected information.

Vendor

Red Hat Inc.
Oracle Corp.
Fedora Project
Canonical Ltd.
Novell Inc.
Apache Software Foundation
АО "НППКТ"

Software name

Red Hat Enterprise Linux
Enterprise Repository
Retail Back Office
Retail Central Office
Retail Returns Management
Retail Point-of-Service
Business Process Management Suite
Primavera Unifier
Utilities Framework
Fedora
Ubuntu
Red Hat Decision Manager
Oracle Retail Assortment Planning
Oracle Endeca Information Discovery Studio
Oracle Retail Predictive Application Server
Retail Integration Bus
Oracle Retail Financial Integration
OpenSUSE Leap
Oracle Retail Service Backbone
Rapid Planning
Enterprise Manager Ops Center
CodeReady Studio
Ant
Communications MetaSolv Solution
Oracle Communications Order and Service Management
Financial Services Analytical Applications Infrastructure
Oracle FLEXCUBE Investor Servicing
Oracle FLEXCUBE Private Banking
Oracle Banking Enterprise Collections
Oracle Banking Platform
Category Management Planning & Optimization
Oracle Retail Bulk Data Integration
Oracle Retail Data Extractor for Merchandising
Oracle Retail Item Planning
Oracle Retail Macro Space Optimization
Oracle Retail Merchandise Financial Planning
Oracle Retail Regular Price Optimization
Oracle Retail Replenishment Optimization
Oracle Retail Size Profile Optimization
Retail Store Inventory Management
Oracle TimesTen In-Memory Database
Oracle Communications ASAP
Oracle Real-Time Decision Server
Oracle Retail Extract Transform and Load
Financial Services Applications
ОСОН ОСнова Оnyx

Software version

7 (Red Hat Enterprise Linux)
11.1.1.7.0 (Enterprise Repository)
14.0 (Retail Back Office)
14.1 (Retail Back Office)
14.0 (Retail Central Office)
14.1 (Retail Central Office)
14.0 (Retail Returns Management)
14.1 (Retail Returns Management)
14.0 (Retail Point-of-Service)
14.1 (Retail Point-of-Service)
12.2.1.3.0 (Business Process Management Suite)
16.2 (Primavera Unifier)
16.1 (Primavera Unifier)
8 (Red Hat Enterprise Linux)
4.4.0.0.0 (Utilities Framework)
4.2.0.3.0 (Utilities Framework)
4.2.0.2.0 (Utilities Framework)
31 (Fedora)
18.8 (Primavera Unifier)
19.10 (Ubuntu)
7 (Red Hat Decision Manager)
16.0.3 (Oracle Retail Assortment Planning)
19.12 (Primavera Unifier)
from 17.7 to 17.12 inclusive (Primavera Unifier)
3.2.0 (Oracle Endeca Information Discovery Studio)
15.0.3 (Oracle Retail Predictive Application Server)
16.0.3 (Oracle Retail Predictive Application Server)
15.0 (Retail Integration Bus)
16.0 (Retail Integration Bus)
32 (Fedora)
15.0.3 (Oracle Retail Assortment Planning)
15.0 (Oracle Retail Financial Integration)
16.0 (Oracle Retail Financial Integration)
14.1.0 (Retail Integration Bus)
15.2 (OpenSUSE Leap)
14.0.3 (Oracle Retail Predictive Application Server)
14.1.3 (Oracle Retail Predictive Application Server)
15.0 (Oracle Retail Service Backbone)
16.0 (Oracle Retail Service Backbone)
12.1 (Rapid Planning)
12.2 (Rapid Planning)
12.4.0.0 (Enterprise Manager Ops Center)
12 (CodeReady Studio)
from 1.1 to 1.9.14 inclusive (Ant)
from 1.10.0 to 1.10.7 inclusive (Ant)
6.3.0 (Communications MetaSolv Solution)
7.3 (Oracle Communications Order and Service Management)
7.4 (Oracle Communications Order and Service Management)
from 8.0.6 to 8.1.0 inclusive (Financial Services Analytical Applications Infrastructure)
12.1.0 (Oracle FLEXCUBE Investor Servicing)
12.3.0 (Oracle FLEXCUBE Investor Servicing)
12.4.0 (Oracle FLEXCUBE Investor Servicing)
14.0.0 (Oracle FLEXCUBE Investor Servicing)
14.1.0 (Oracle FLEXCUBE Investor Servicing)
12.0.0 (Oracle FLEXCUBE Private Banking)
12.1.0 (Oracle FLEXCUBE Private Banking)
from 2.7.0 to 2.9.0 inclusive (Oracle Banking Enterprise Collections)
from 2.4.0 to 2.9.0 inclusive (Oracle Banking Platform)
15.0.3 (Category Management Planning & Optimization)
15.0 (Oracle Retail Bulk Data Integration)
16.0 (Oracle Retail Bulk Data Integration)
1.9 (Oracle Retail Data Extractor for Merchandising)
1.10 (Oracle Retail Data Extractor for Merchandising)
15.0.3 (Oracle Retail Item Planning)
15.0.3 (Oracle Retail Macro Space Optimization)
15.0.3 (Oracle Retail Merchandise Financial Planning)
15.0.3 (Oracle Retail Regular Price Optimization)
16.0.3 (Oracle Retail Regular Price Optimization)
15.0.3 (Oracle Retail Replenishment Optimization)
15.0.3 (Oracle Retail Size Profile Optimization)
14.0.4 (Retail Store Inventory Management)
14.1.3 (Retail Store Inventory Management)
15.0.3 (Retail Store Inventory Management)
16.0.3 (Retail Store Inventory Management)
12.2.1.4.0 (Business Process Management Suite)
2.2.0.0.0 (Utilities Framework)
from 4.3.0.1.0 to 4.3.0.6.0 inclusive (Utilities Framework)
4.4.0.2.0 (Utilities Framework)
up to 11.2.2.8.49 inclusive (Oracle TimesTen In-Memory Database)
7.3 (Oracle Communications ASAP)
3.2.1.0 (Oracle Real-Time Decision Server)
13.2.5 (Oracle Retail Extract Transform and Load)
13.2.8 (Oracle Retail Extract Transform and Load)
14.3.0 (Financial Services Applications)
14.4.0 (Financial Services Applications)
14.1.0 (Financial Services Applications)
14.2.0 (Financial Services Applications)
up to 2.5 (ОСОН ОСнова Оnyx)

Software type

Operating system
Application software for information systems
Network software
DBMS

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 7
Red Hat Inc. Red Hat Enterprise Linux 8
Fedora Project Fedora 31
Canonical Ltd. Ubuntu 19.10
Fedora Project Fedora 32
Novell Inc. OpenSUSE Leap 15.2

Vulnerability severity level

Medium severity (CVSS 2.0 base score is 5.5)
Medium severity (CVSS 3.0 base score is 6.3)

Possible remediation measures

Follow the recommendations:
For Apache Software Foundation software products:
https://lists.apache.org/thread.html/r0d08a96ba9de8aa435f32944e8b2867c368a518d4ff57782e3637335@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616aa746af5dfe1b1@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa7722eb3fc7a28f58e@%3Cdev.hive.apache.org%3E
https://lists.apache.org/thread.html/r2704fb14ce068c64759a986f81d5b5e42ab434fa13d0f444ad52816b@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r4b2904d64affd4266cd72ccb2fc3927c1c2f22009f183095aa46bf90@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r6e295d792032ec02b32be3846c21a58857fba4a077d22c5842d69ba2@%3Ctorque-dev.db.apache.org%3E
https://lists.apache.org/thread.html/r6edd3e2cb79ee635630d891b54a4f1a9cd8c7f639d6ee34e75fbe830@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r8e24abb7dd77cda14c6df90a377c94f0a413bbfcec90a29540ff8adf@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E
https://lists.apache.org/thread.html/r95dc943e47a211d29df605e14f86c280fc9fa8d828b2b53bd07673c9@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/rd7dda48ff835f4d0293949837d55541bfde3683bd35bd8431e324538@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/rda80ac59119558eaec452e58ddfac2ccc9211da1c65f7927682c78b1@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/rdaa9c51d5dc6560c9d2b3f3d742c768ad0705e154041e574a0fae45c@%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/re1ce84518d773a94a613d988771daf9252c9cf7375a9a477009f9735@%3Ccommits.creadur.apache.org%3E
https://lists.apache.org/thread.html/rfd346609527a79662c48b1da3ac500ec30f29f7ddaa3575051e81890@%3Ccommits.creadur.apache.org%3E
For Novell Inc. software products:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2020-1945
For Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRVAWTCVXJMRYKQKEXYSNBF7NLSR6OEI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQBR65TINSJRN7PTPIVNYS33P535WM74/
For Oracle Corp. software products:
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
For ОСОН Основа:
Update the ant software to version 1.10.11-1

Vulnerability status

Confirmed by the vendor

Exploit availability

Data is being clarified

Remediation information

Vulnerability fixed

Source links

Identifiers in other vulnerability description systems

EPSS

Percentile: 5%
0.00021
Low

6.3 Medium

CVSS3

5.5 Medium

CVSS2

Related vulnerabilities

CVSS3: 6.3
ubuntu
more than 5 years ago

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

CVSS3: 6.3
redhat
more than 5 years ago

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

CVSS3: 6.3
nvd
more than 5 years ago

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

CVSS3: 6.3
debian
more than 5 years ago

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default tempora ...

suse-cvrf
more than 5 years ago

Security update for ant
