The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle WebLogic Server

Vulnerability note: CVE-2016-7055 CVE-2017-3730 CVE-2017-3731

OpenSSL: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 26/01/2017.
Identifiers: 1117414, 2000544, 2000988, 2000990, 2002331, 2004036, 2004940, 2009389, 2010154, 2011567, 2012827, 2014202, 2014651, 2014669, 2015080, BSA-2016-204, BSA-2016-207, BSA-2016-211, BSA-2016-212, BSA-2016-213, BSA-2016-216, BSA-2016-234, bulletinapr2017, bulletinjan2018, bulletinoct2017, CERTFR-2017-AVI-035, CERTFR-2018-AVI-343, cisco-sa-20170130-openssl, cpuapr2017, cpuapr2019, cpujan2018, cpujul2017, cpujul2018, cpuoct2017, CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, DLA-814-1, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FG-IR-17-019, FreeBSD-SA-17:02.openssl, ibm10732391, ibm10733905, ibm10738249, ibm10738401, JSA10775, K37526132, K43570545, K44512851, K-510805, NTAP-20170127-0001, NTAP-20170310-0002, NTAP-20180201-0001, openSUSE-SU-2017:0481-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2017:0527-1, openSUSE-SU-2017:0941-1, openSUSE-SU-2017:2011-1, openSUSE-SU-2017:2868-1, openSUSE-SU-2018:0458-1, PAN-70674, PAN-73914, PAN-SA-2017-0012, PAN-SA-2017-0014, PAN-SA-2017-0016, RHSA-2017:0286-01, RHSA-2018:2568-01, RHSA-2018:2575-01, SA141, SA40423, SB10188, SSA:2017-041-02, SUSE-SU-2018:0112-1, SUSE-SU-2018:2839-1, SUSE-SU-2018:3082-1, TNS-2017-03, USN-3181-1, VIGILANCE-VUL-21692.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can force a read at an invalid address via Truncated Packet, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-3731]

An attacker can force a NULL pointer to be dereferenced via DHE/ECDHE Parameters, in order to trigger a denial of service. [severity:2/4; CVE-2017-3730]

An attacker can use a carry propagation error via BN_mod_exp(), in order to compute the private key. [severity:1/4; CVE-2017-3732]

An error occurs in the Broadwell-specific Montgomery Multiplication Procedure, but with no apparent impact. [severity:1/4; CVE-2016-7055]

Vulnerability note: CVE-2016-6814

Apache Groovy: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Apache Groovy, in order to run code.
Severity: 2/4.
Creation date: 23/01/2017.
Identifiers: cpuapr2018, cpujan2018, cpujan2019, cpujul2019, cpuoct2017, CVE-2016-6814, DLA-794-1, FEDORA-2017-1ce2a05ff1, FEDORA-2017-33c8085c5d, FEDORA-2017-661dddc462, FEDORA-2017-cc0e0daf0f, RHSA-2017:0272-01, RHSA-2017:0868-01, RHSA-2017:2486-01, RHSA-2017:2596-01, VIGILANCE-VUL-21640.

Description of the vulnerability

An attacker can use a vulnerability of Apache Groovy, in order to run code.

Vulnerability note: CVE-2016-0635

Oracle Communications Network Intelligence: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Oracle Communications Network Intelligence, in order to run code.
Severity: 3/4.
Creation date: 18/01/2017.
Identifiers: cpuapr2017, cpujan2017, cpujul2017, cpuoct2018, CVE-2016-0635, VIGILANCE-VUL-21603.

Description of the vulnerability

An attacker can use a vulnerability of Oracle Communications Network Intelligence, in order to run code.

Vulnerability note: CVE-2015-7501 CVE-2016-5528 CVE-2016-6303

Oracle Fusion Middleware: vulnerabilities of January 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 18/01/2017.
Identifiers: cpujan2017, CVE-2015-7501, CVE-2016-5528, CVE-2016-6303, CVE-2017-3239, CVE-2017-3247, CVE-2017-3248, CVE-2017-3249, CVE-2017-3250, CVE-2017-3255, VIGILANCE-VUL-21601, ZDI-17-055.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

An attacker can use a vulnerability via Oracle Tuxedo, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-6303]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2017-3248, ZDI-17-055]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-5528]

An attacker can use a vulnerability via JRF Components, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2015-7501]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3250]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3249]

An attacker can use a vulnerability via Oracle JDeveloper, in order to obtain or alter information. [severity:2/4; CVE-2017-3255]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2017-3247]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information. [severity:1/4; CVE-2017-3239]

Vulnerability note: CVE-2016-8745

Apache Tomcat: information disclosure via sendfile

Synthesis of the vulnerability

An attacker can use a vulnerability via sendfile() of Apache Tomcat, in order to obtain sensitive information or to hijack a session.
Severity: 3/4.
Creation date: 12/12/2016.
Revision date: 05/01/2017.
Identifiers: bulletinjan2017, cpuapr2018, cpuoct2017, CVE-2016-8745, DLA-779-1, DSA-3754-1, DSA-3755-1, FEDORA-2017-19c5440abe, FEDORA-2017-376ae2b92c, NTAP-20180605-0001, NTAP-20180607-0001, NTAP-20180607-0002, NTAP-20180614-0001, openSUSE-SU-2017:1292-1, RHSA-2017:0455-01, RHSA-2017:0456-01, RHSA-2017:0457-01, RHSA-2017:0527-01, RHSA-2017:0935-01, SUSE-SU-2017:1229-1, SUSE-SU-2017:1382-1, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, USN-3177-1, USN-3177-2, VIGILANCE-VUL-21355.

Description of the vulnerability

The Apache Tomcat product includes an HTTP server.

It may use the sendfile() function of the operating system to send the content of a file without reading it itself. However, an attacker can trigger an error in the response processing, in such a way that the client receives the response intended for another client, including its response headers and notably the session identifier.

An attacker can therefore use a vulnerability via sendfile() of Apache Tomcat, in order to obtain sensitive information or to hijack a session.

Vulnerability note: CVE-2015-9251

jQuery: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of jQuery, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 29/12/2016.
Identifiers: bulletinjul2018, cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, cpuoct2019, CVE-2015-9251, FEDORA-2016-06e8a3f776, FEDORA-2016-3368a38282, FEDORA-2016-8516b7d6fb, FEDORA-2016-b6cb3e83fa, VIGILANCE-VUL-21468.

Description of the vulnerability

The jQuery product offers a web service.

However, it does not filter received data before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of jQuery, in order to run JavaScript code in the context of the web site.

Vulnerability note: CVE-2016-7053 CVE-2016-7054 CVE-2016-7055

OpenSSL 1.1: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL 1.1.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/11/2016.
Revision date: 13/12/2016.
Identifiers: 2004036, 2004940, 2011567, 492284, 492616, bulletinapr2017, CERTFR-2018-AVI-343, cisco-sa-20161114-openssl, cpuapr2019, cpujan2018, cpujul2017, CVE-2016-7053, CVE-2016-7054, CVE-2016-7055, ESA-2016-148, ESA-2016-149, FG-IR-17-019, JSA10775, NTAP-20170127-0001, NTAP-20170310-0002, NTAP-20180201-0001, openSUSE-SU-2017:0527-1, openSUSE-SU-2017:0941-1, openSUSE-SU-2018:0458-1, SA40423, VIGILANCE-VUL-21093.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL 1.1.

An attacker can generate a buffer overflow via ChaCha20/Poly1305, in order to trigger a denial of service. [severity:2/4; CVE-2016-7054]

An attacker can force a NULL pointer to be dereferenced via CMS Structures, in order to trigger a denial of service. [severity:2/4; CVE-2016-7053]

An error occurs in the Broadwell-specific Montgomery Multiplication Procedure, but with no apparent impact. [severity:1/4; CVE-2016-7055]

Vulnerability note: CVE-2016-8735

Apache Tomcat: code execution via JmxRemoteLifecycleListener Deserialization

Synthesis of the vulnerability

An attacker can use a vulnerability via JmxRemoteLifecycleListener Deserialization of Apache Tomcat, in order to run code.
Severity: 3/4.
Creation date: 22/11/2016.
Identifiers: 1999671, cpuapr2019, cpujul2019, cpuoct2017, CVE-2016-8735, DLA-728-1, DLA-729-1, DSA-3738-1, DSA-3739-1, FEDORA-2016-98cca07999, FEDORA-2016-9c33466fbb, FEDORA-2016-a98c560116, NTAP-20180605-0001, NTAP-20180607-0001, NTAP-20180607-0002, NTAP-20180614-0001, openSUSE-SU-2016:3129-1, openSUSE-SU-2016:3144-1, RHSA-2017:0455-01, RHSA-2017:0456-01, RHSA-2017:0457-01, SUSE-SU-2016:3079-1, SUSE-SU-2016:3081-1, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, USN-3177-1, USN-3177-2, VIGILANCE-VUL-21175.

Description of the vulnerability

An attacker can use a vulnerability via JmxRemoteLifecycleListener Deserialization of Apache Tomcat, in order to run code.

Vulnerability note: CVE-2016-8610

OpenSSL: denial of service via SSL3_AL_WARNING

Synthesis of the vulnerability

An attacker can send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 24/10/2016.
Identifiers: 1996096, 2000095, 2003480, 2003620, 2003673, 2004940, 2009389, bulletinoct2016, cpujul2019, CVE-2016-8610, DLA-814-1, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FreeBSD-SA-16:35.openssl, HPESBHF03897, JSA10808, JSA10809, JSA10810, JSA10811, JSA10813, JSA10814, JSA10816, JSA10817, JSA10818, JSA10820, JSA10821, JSA10822, JSA10825, openSUSE-SU-2017:0386-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2018:4104-1, PAN-SA-2017-0017, pfSense-SA-17_03.webgui, RHSA-2017:0286-01, RHSA-2017:0574-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA40886, SP-CAAAPUE, SPL-129207, SUSE-SU-2017:0304-1, SUSE-SU-2017:0348-1, SUSE-SU-2018:0112-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2018:3964-1, SUSE-SU-2018:3994-1, SUSE-SU-2018:4068-1, SUSE-SU-2018:4274-1, SUSE-SU-2019:1553-1, USN-3181-1, USN-3183-1, USN-3183-2, VIGILANCE-VUL-20941.

Description of the vulnerability

The OpenSSL product implements the SSL version 3 protocol.

The SSL3_AL_WARNING message is used to send an alert of level Warning. However, when such packets are received during the handshake, the library consumes 100% of the CPU.

An attacker can therefore send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.

Vulnerability note: CVE-2016-3473 CVE-2016-3505 CVE-2016-3551

Oracle Fusion Middleware: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 17.
Creation date: 19/10/2016.
Identifiers: cpuoct2016, CVE-2016-3473, CVE-2016-3505, CVE-2016-3551, CVE-2016-5488, CVE-2016-5495, CVE-2016-5500, CVE-2016-5506, CVE-2016-5511, CVE-2016-5519, CVE-2016-5531, CVE-2016-5535, CVE-2016-5536, CVE-2016-5537, CVE-2016-5601, CVE-2016-5602, CVE-2016-5618, CVE-2016-8281, VIGILANCE-VUL-20908, ZDI-16-572.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

An attacker can use a vulnerability via JAXWS Web Services Stack, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-3551]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-5535, ZDI-16-572]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-5531]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5519]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3505]

An attacker can use a vulnerability via BI Publisher (formerly XML Publisher), in order to obtain information. [severity:3/4; CVE-2016-3473]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-8281]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5536]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information. [severity:3/4; CVE-2016-5495]

An attacker can use a vulnerability via Oracle Discoverer, in order to obtain information. [severity:3/4; CVE-2016-5500]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain or alter information. [severity:2/4; CVE-2016-5601]

An attacker can use a vulnerability via NetBeans, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-5537]

An attacker can use a vulnerability via Oracle Data Integrator, in order to obtain information. [severity:2/4; CVE-2016-5602]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2016-5488]

An attacker can use a vulnerability via Oracle WebCenter Sites, in order to alter information. [severity:2/4; CVE-2016-5511]

An attacker can use a vulnerability via Oracle Data Integrator, in order to obtain information. [severity:1/4; CVE-2016-5618]

An attacker can use a vulnerability via Oracle Identity Manager, in order to obtain or alter information. [severity:1/4; CVE-2016-5506]