The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle Identity Manager

vulnerability announce CVE-2017-17485 CVE-2017-7525 CVE-2018-5968

Apache Struts: code execution via com.fasterxml.jackson

Synthesis of the vulnerability

An attacker can use a vulnerability (VIGILANCE-VUL-23406) of com.fasterxml.jackson of Apache Struts, in order to run code.
Impacted products: Struts, Debian, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 12/12/2017.
Identifiers: CERTFR-2017-AVI-470, cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, DSA-4037-1, DSA-4114-1, ibm10715641, ibm10738249, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, RHSA-2018:2930-01, S2-055, VIGILANCE-VUL-24732.

Description of the vulnerability

An attacker can use a vulnerability (VIGILANCE-VUL-23406) of com.fasterxml.jackson of Apache Struts, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-3738

OpenSSL: information disclosure via rsaz_1024_mul_avx2

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via rsaz_1024_mul_avx2() of OpenSSL, in order to obtain sensitive information.
Impacted products: ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, hMailServer, DB2 UDB, QRadar SIEM, Tivoli Storage Manager, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Solaris, Tuxedo, Oracle Virtual Directory, VirtualBox, WebLogic, Percona Server, pfSense, RHEL, Slackware, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Ubuntu, WinSCP, X2GoClient.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 07/12/2017.
Identifiers: 2014324, bulletinapr2018, bulletinjan2018, CERTFR-2017-AVI-452, CERTFR-2018-AVI-155, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-3738, DSA-4065-1, DSA-4157-1, FEDORA-2017-e6be32cb7a, FreeBSD-SA-17:12.openssl, ibm10716907, ibm10717405, ibm10717409, ibm10719113, JSA10851, openSUSE-SU-2017:3345-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:0998-01, SA159, SSA:2017-342-01, swg21647054, USN-3512-1, VIGILANCE-VUL-24698.

Description of the vulnerability

An attacker can bypass access restrictions to data via rsaz_1024_mul_avx2() of OpenSSL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-15095 CVE-2017-17485

Jackson: code execution via Black List

Synthesis of the vulnerability

An attacker can use a vulnerability via Black List of Jackson, in order to run code.
Impacted products: Debian, Avamar, Fedora, Oracle Communications, Oracle DB, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Tuxedo, Oracle Virtual Directory, WebLogic, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/11/2017.
Identifiers: 519493, cpuapr2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-15095, CVE-2017-17485, DSA-2018-048, DSA-4037-1, DSA-4114-1, FEDORA-2017-4a071ecbc7, FEDORA-2017-e16ed3f7a1, FEDORA-2018-bbf8c38b51, FEDORA-2018-e4b025841e, ibm10715641, ibm10738249, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, RHSA-2018:0576-01, RHSA-2018:0577-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, RHSA-2018:2930-01, VIGILANCE-VUL-24456.

Description of the vulnerability

An attacker can use a vulnerability via Black List of Jackson, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-10151

Oracle Identity Manager: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Oracle Identity Manager, in order to run code.
Impacted products: Oracle Fusion Middleware, Oracle Identity Management.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 30/10/2017.
Identifiers: CVE-2017-10151, VIGILANCE-VUL-24265.

Description of the vulnerability

An attacker can use a vulnerability of Oracle Identity Manager, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-7805

Mozilla NSS: use after free via Verifying Client Authentication

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via Verifying Client Authentication of Mozilla NSS, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Firefox, NSS, SeaMonkey, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 4/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 29/09/2017.
Identifiers: bulletinoct2017, cpuapr2018, cpuoct2018, CVE-2017-7805, DLA-1118-1, DLA-1138-1, DSA-3987-1, DSA-3998-1, FEDORA-2017-2e7badfe67, FEDORA-2017-6e2071419d, MFSA-2017-21, MFSA-2017-22, openSUSE-SU-2017:2615-1, openSUSE-SU-2017:2707-1, openSUSE-SU-2017:2710-1, RHSA-2017:2831-01, RHSA-2017:2832-01, SSA:2017-271-01, SUSE-SU-2017:2688-1, SUSE-SU-2017:2872-1, SUSE-SU-2017:2872-2, USN-3431-1, USN-3435-1, USN-3435-2, USN-3436-1, VIGILANCE-VUL-23976.

Description of the vulnerability

An attacker can force the usage of a freed memory area via Verifying Client Authentication of Mozilla NSS, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-12617

Apache Tomcat: code execution via Read-write Default/WebDAV Servlet

Synthesis of the vulnerability

An attacker can use a vulnerability via Read-write Default/WebDAV Servlet of Apache Tomcat, in order to run code.
Impacted products: Tomcat, Debian, NetWorker, Fedora, MariaDB ~ precise, ePO, MySQL Community, MySQL Enterprise, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier, Percona Server, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/09/2017.
Identifiers: 504539, 61542, CERTFR-2017-AVI-332, cpuapr2018, cpuapr2019, cpujan2018, cpujul2018, CVE-2017-12617, DLA-1166-1, DLA-1166-2, ESA-2017-097, FEDORA-2017-ef7c118dbc, FEDORA-2017-f499ee7b12, openSUSE-SU-2017:3069-1, RHSA-2017:3080-01, RHSA-2017:3081-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2018:0465-01, RHSA-2018:0466-01, SB10218, SUSE-SU-2017:3039-1, SUSE-SU-2017:3059-1, SUSE-SU-2017:3279-1, USN-3665-1, VIGILANCE-VUL-23883.

Description of the vulnerability

An attacker can use a vulnerability via Read-write Default/WebDAV Servlet of Apache Tomcat, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-9798

Apache httpd: information disclosure via htaccess Limit Optionsbleed

Synthesis of the vulnerability

When Apache httpd hosts an .htaccess file with the Limit option, an OPTIONS query can retrieve an extract of the service memory.
Impacted products: Apache httpd, Mac OS X, Debian, Fedora, WebSphere AS Traditional, Junos Space, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, Slackware, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/09/2017.
Identifiers: 2009782, bulletinjan2018, CERTFR-2017-AVI-336, cpujan2018, cpujan2019, CVE-2017-9798, DLA-1102-1, DSA-3980-1, FEDORA-2017-a52f252521, HT208331, HT208394, JSA10838, openSUSE-SU-2017:2549-1, openSUSE-SU-2018:1057-1, RHSA-2017:2882-01, RHSA-2017:2972-01, RHSA-2017:3018-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, SSA:2017-261-01, Synology-SA-17:56, USN-3425-1, USN-3425-2, VIGILANCE-VUL-23863.

Description of the vulnerability

When Apache httpd hosts an .htaccess file with the Limit option, an OPTIONS query can retrieve an extract of the service memory.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-7525

jackson-databind: code execution via ObjectMapper readValue

Synthesis of the vulnerability

An attacker can use a vulnerability via ObjectMapper readValue() of jackson-databind, in order to run code.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 01/08/2017.
Identifiers: cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-7525, DSA-4004-1, FEDORA-2017-6a75c816fa, FEDORA-2017-8df9efed5f, FEDORA-2017-f452765e1e, FEDORA-2018-bbf8c38b51, FEDORA-2018-e4b025841e, ibm10715641, ibm10738249, RHSA-2017:1834-01, RHSA-2017:1835-01, RHSA-2017:1836-01, RHSA-2017:1837-01, RHSA-2017:1839-01, RHSA-2017:1840-01, RHSA-2017:2477-01, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, VIGILANCE-VUL-23406.

Description of the vulnerability

An attacker can use a vulnerability via ObjectMapper readValue() of jackson-databind, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2011-2730 CVE-2013-2027 CVE-2017-10024

Oracle Fusion Middleware: vulnerabilities of July 2017

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.
Impacted products: Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 25.
Creation date: 19/07/2017.
Identifiers: cpujul2017, CVE-2011-2730, CVE-2013-2027, CVE-2017-10024, CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10035, CVE-2017-10040, CVE-2017-10041, CVE-2017-10043, CVE-2017-10048, CVE-2017-10058, CVE-2017-10059, CVE-2017-10063, CVE-2017-10075, CVE-2017-10119, CVE-2017-10123, CVE-2017-10137, CVE-2017-10141, CVE-2017-10147, CVE-2017-10148, CVE-2017-10156, CVE-2017-10157, CVE-2017-10178, VIGILANCE-VUL-23287.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-5662

Apache Batik: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Ubuntu.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 02/05/2017.
Identifiers: cpuapr2018, cpujul2018, cpuoct2017, CVE-2017-5662, DLA-926-1, DSA-4215-1, FEDORA-2017-43b46cd2da, FEDORA-2017-aff3dd3101, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2018:0319-01, USN-3280-1, VIGILANCE-VUL-22591.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Apache Batik parser allows external entities.

An attacker can therefore transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Oracle Identity Manager: