9VSA24-00960-01 CSIRT shares vulnerabilities patched in the Oracle January 2024 CPU
Summary
The Government CSIRT shares information on vulnerabilities patched by Oracle as part of its January 2024 Critical Patch Update (CPU).
Vulnerabilities
Impact
Critical-risk vulnerabilities:
CVE-2023-38545: Vulnerability in the Essbase Web Platform (curl) component of Oracle Essbase. CVSS: 9.8.
CVE-2022-36944: Java deserialization vulnerability in Scala 2.13.x before 2.13.9 that allows code execution. CVSS: 9.8.
CVE-2022-42920: Out-of-bounds memory write vulnerability in the Apache Commons BCEL API before 6.6.0. CVSS: 9.8.
CVE-2022-1471: Vulnerability in the SnakeYaml Constructor class, which does not restrict the types that can be instantiated during deserialization. CVSS: 9.8.
CVE-2023-34034: Vulnerability in the Spring Security configuration for WebFlux that allows a security bypass. CVSS: 9.8.
CVE-2023-44981: Authorization bypass caused by a vulnerability in Apache ZooKeeper. CVSS: 9.1.
CVE-2022-48174: Stack overflow vulnerability in ash.c:6030 in BusyBox before 1.35. CVSS: 9.8.
CVE-2023-46604: Vulnerability in the Java OpenWire protocol that exposes it to remote code execution. CVSS: 9.8.
CVE-2023-50164: Vulnerability in Struts before 2.5.33 or 6.3.0.2 that allows uploading a malicious file which can be used for remote code execution. CVSS: 9.8.
CVE-2021-46848: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. CVSS: 9.1.
CVE-2022-31692: Vulnerability in Spring Security 5.7 before 5.7.5 and 5.6 before 5.6.9, susceptible to a bypass of authentication rules. CVSS: 9.8.
CVE-2023-38545: Heap buffer overflow vulnerability in the SOCKS5 proxy handshake. CVSS: 9.8.
CVE-2022-23221: Vulnerability in the H2 Console before 2.1.210 that allows remote attackers to execute arbitrary code. CVSS: 9.8.
CVE-2022-37434: Vulnerability in zlib through 1.2.12. CVSS: 9.8.
CVE-2021-42575: Vulnerability in OWASP Java HTML: the policies for the SELECT, STYLE and OPTION elements are not correctly enforced. CVSS: 9.8.
CVE-2023-32002: Vulnerability in Node.js in NetApp products. CVSS: 9.8.
CVE-2023-50164: Vulnerability in Struts before 2.5.33 and 6.3.0.2 that allows manipulating file upload parameters, enabling path traversal and remote code execution. CVSS: 9.8.
CVE-2022-29155: SQL injection vulnerability in OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2. CVSS: 9.8.
CVE-2021-43527: NSS versions before 3.63, or NSS ESR before 3.68.1, are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. CVSS: 9.8.
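Several entries above state a fixed version for a third-party component bundled in Oracle products (Scala, BCEL, Struts, BusyBox, H2, OpenLDAP, Spring Security, zlib, Libtasn1, NSS). The following is an added example, not part of the CSIRT advisory, that checks an SBOM-style inventory against those ranges as the advisory states them; the component names and the sample inventory are constructed.

```python
"""Flag component versions that fall inside the ranges this advisory lists.
Added example, not part of the advisory. Ranges are transcribed from the
CVE entries above; component names and the inventory below are constructed."""
import re

def parse_version(v):
    """'2.5.33' -> (2, 5, 33); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# component -> [(CVE, lowest affected version inclusive or None, first fixed version)]
AFFECTED = {
    "scala-library":   [("CVE-2022-36944", "2.13", "2.13.9")],
    "commons-bcel":    [("CVE-2022-42920", None, "6.6.0")],
    "struts2-core":    [("CVE-2023-50164", None, "2.5.33"),
                        ("CVE-2023-50164", "6", "6.3.0.2")],
    "busybox":         [("CVE-2022-48174", None, "1.35")],
    "h2":              [("CVE-2022-23221", None, "2.1.210")],
    "openldap":        [("CVE-2022-29155", "2.5", "2.5.12"),
                        ("CVE-2022-29155", "2.6", "2.6.2")],
    "spring-security": [("CVE-2022-31692", "5.7", "5.7.5"),
                        ("CVE-2022-31692", "5.6", "5.6.9")],
    "zlib":            [("CVE-2022-37434", None, "1.2.13")],  # "through 1.2.12"
    "libtasn1":        [("CVE-2021-46848", None, "4.19.0")],
    "nss":             [("CVE-2021-43527", None, "3.63"),
                        ("CVE-2021-43527", "3.68", "3.68.1")],
}

def affected_cves(component, version):
    """Return the CVEs from this advisory whose range covers component@version."""
    v = parse_version(version)
    hits = []
    for cve, lo, hi in AFFECTED.get(component, []):
        in_lower = lo is None or v >= parse_version(lo)
        if in_lower and v < parse_version(hi) and cve not in hits:
            hits.append(cve)
    return hits

def scan(inventory):
    """inventory: iterable of (component, version) pairs; returns per-item findings."""
    return {f"{c}@{ver}": affected_cves(c, ver) for c, ver in inventory}

if __name__ == "__main__":
    sample = [("struts2-core", "2.5.30"), ("struts2-core", "6.3.0.2"),
              ("spring-security", "5.7.4"), ("spring-security", "5.8.0"),
              ("zlib", "1.2.12"), ("nss", "3.68.1"), ("h2", "2.1.214")]
    for item, cves in scan(sample).items():
        print(item, "->", cves or "not covered by this advisory")
```

Version strings of bundled components are often only visible in the product's own manifest or `lib/` directory, so the inventory fed to `scan` should come from the deployed artifacts, not from the product version alone.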
Mitigation
Apply the January 2024 CPU. More information for Oracle customers: https://support.oracle.com/rs?type=doc&id=2980981.1
Affected products
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
Graph Server and Client
Integrated Lights Out Manager (ILOM)
JD Edwards EnterpriseOne Orchestrator
JD Edwards EnterpriseOne Tools
MySQL Cluster
MySQL Connectors
MySQL Enterprise Monitor
MySQL Server
MySQL Workbench
Oracle Access Manager
Oracle Agile PLM
Oracle Agile Product Lifecycle Management for Process
Oracle Analytics Desktop
Oracle Application Object Library
Oracle Application Testing Suite
Oracle Audit Vault and Database Firewall
Oracle Banking APIs
Oracle Banking Branch
Oracle Banking Cash Management
Oracle Banking Collections and Recovery
Oracle Banking Corporate Lending Process Management
Oracle Banking Credit Facilities Process Management
Oracle Banking Digital Experience
Oracle Banking Electronic Data Exchange for Corporates
Oracle Banking Enterprise Default Management
Oracle Banking Extensibility Workbench
Oracle Banking Liquidity Management
Oracle Banking Origination
Oracle Banking Party Management
Oracle Banking Supply Chain Finance
Oracle Banking Trade Finance Process Management
Oracle Banking Virtual Account Management
Oracle BI Publisher
Oracle Big Data Spatial and Graph
Oracle Business Intelligence Enterprise Edition
Oracle Business Process Management Suite
Oracle Coherence
Oracle Commerce Guided Search
Oracle Commerce Platform
Oracle Common Applications
Oracle Communications ASAP
Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Data Analytics Function
Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Convergence
Oracle Communications Convergent Charging Controller
Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager
Oracle Communications Fraud Monitor
Oracle Communications Instant Messaging Server
Oracle Communications IP Service Activator
Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution
Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control
Oracle Communications Order and Service Management
Oracle Communications Policy Management
Oracle Communications Pricing Design Center
Oracle Communications Service Catalog and Design
Oracle Communications Session Report Manager
Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management
Oracle Complex Maintenance, Repair, and Overhaul
Oracle CRM Technical Foundation
Oracle Customer Interaction History
Oracle Enterprise Data Quality
Oracle Enterprise Manager Base Platform
Oracle Enterprise Manager for Fusion Middleware
Oracle Enterprise Manager for Oracle Database
Oracle Enterprise Manager for Oracle Virtual Infrastructure
Oracle Enterprise Manager for Virtualization
Oracle Enterprise Manager Ops Center
Oracle Essbase
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio
Oracle Financial Services Enterprise Case Management
Oracle Financial Services Lending and Leasing
Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Enterprise Limits and Collateral Management
Oracle FLEXCUBE Investor Servicing
Oracle FLEXCUBE Private Banking
Oracle Fusion Middleware
Oracle GoldenGate
Oracle GraalVM for JDK
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition
Oracle HTTP Server
Oracle Hyperion Calculation Manager
Oracle Hyperion Financial Data Quality Management, Enterprise Edition
Oracle Hyperion Financial Management
Oracle Hyperion Financial Reporting
Oracle Hyperion Infrastructure Technology
Oracle Hyperion Planning
Oracle Identity Manager
Oracle Installed Base
Oracle iStore
Oracle iSupport
Oracle Java SE, Oracle GraalVM Enterprise Edition
Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition
Oracle JDeveloper
Oracle Knowledge Management
Oracle Managed File Transfer
Oracle Middleware Common Libraries and Tools
Oracle NoSQL Database
Oracle One-to-One Fulfillment
Oracle Outside In Technology
Oracle Retail Advanced Inventory Planning
Oracle Retail Customer Management and Segmentation Foundation
Oracle Retail EFTLink
Oracle Service Bus
Oracle SOA Suite
Oracle Solaris
Oracle Utilities Network Management System
Oracle Utilities Application Framework
Oracle Web Applications Desktop Integrator
Oracle WebCenter Content
Oracle WebCenter Portal
Oracle WebCenter Sites
Oracle WebLogic Server
Oracle ZFS Storage Appliance Kit
PeopleSoft Enterprise PeopleTools
Primavera P6 Enterprise Project Portfolio Management
Primavera Unifier
Siebel CRM
Links
https://www.oracle.com/security-alerts/cpujan2024.html
Report
The official report published by the Government of Chile CSIRT is available at the following link: 9VSA24-00960-01.