SK-CERT Security Warning V20240718-03
Severity | Critical |
Classification | Unclassified/TLP:CLEAR |
CVSS Score | 9.8 |
Identifier | Oracle products: multiple critical security vulnerabilities |
Description | Oracle has released security updates for its product portfolio that fix multiple security vulnerabilities, fourteen of which are rated critical. The most serious critical vulnerability, CVE-2024-23897, affects Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy and Oracle Communications Cloud Native Core Security Edge Protection Proxy. It stems from an insufficient implementation of security mechanisms in the Jenkins component and allows a remote, unauthenticated attacker to gain unauthorized access to sensitive data, make unauthorized changes to the system and cause a denial of service by sending a specially crafted HTTP request. Exploitation of the remaining vulnerabilities can lead to execution of malicious code, unauthorized access to sensitive data, unauthorized changes to the system and denial of service. |
Date of first publication of the warning | 16.7.2024 |
CVE | (full list in the Oracle advisories linked under Sources) |
IOC |
– |
Affected systems | JD Edwards EnterpriseOne Orchestrator, JD Edwards EnterpriseOne Tools, JD Edwards World Security, Management Pack for Oracle GoldenGate, MySQL Cluster, MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench, Oracle Access Manager, Oracle Agile Engineering Data Management, Oracle Analytics Desktop, Oracle Application Express, Oracle Application Testing Suite, Oracle Autovue for Agile Product Lifecycle Management, Oracle Banking Branch, Oracle Banking Cash Management, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Deposits and Lines of Credit Servicing, Oracle Banking Liquidity Management, Oracle Banking Origination, Oracle Banking Party Management, Oracle Banking Platform, Oracle Banking Virtual Account Management, Oracle Big Data Spatial and Graph, Oracle Business Activity Monitoring, Oracle Business Intelligence Enterprise Edition, Oracle Coherence, Oracle Commerce Guided Search, Oracle Commerce Platform, Oracle Communications ASAP, Oracle Communications Billing and Revenue Management, Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Data Analytics Function, Oracle Communications Cloud Native Core Network Exposure Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Converged Charging System, Oracle Communications Convergent Charging Controller, Oracle Communications Diameter Signaling Router, Oracle Communications EAGLE Element Management System, Oracle Communications Element Manager, Oracle Communications Network Analytics Data Director, Oracle Communications Network Charging and Control, Oracle Communications Operations Monitor, Oracle Communications Performance Intelligence, Oracle Communications Policy Management, Oracle Communications Pricing Design Center, Oracle Communications Service Catalog and Design, Oracle Communications Session Border Controller, Oracle Communications Session Report Manager, Oracle Communications Unified Assurance, Oracle Communications Unified Inventory Management, Oracle Communications User Data Repository, Oracle Data Integrator, Oracle Database Server, Oracle Documaker, Oracle E-Business Suite, Oracle Enterprise Data Quality, Oracle Enterprise Manager Base Platform, Oracle Essbase, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Basel Regulatory Capital Basic, Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, Oracle Financial Services Behavior Detection Platform, Oracle Financial Services Compliance Studio, Oracle Financial Services Enterprise Case Management, Oracle Financial Services Model Management and Governance, Oracle Financial Services Revenue Management and Billing, Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, Oracle FLEXCUBE Investor Servicing, Oracle FLEXCUBE Universal Banking, Oracle Fusion Middleware, Oracle Global Lifecycle Management NextGen OUI Framework, Oracle GoldenGate, Oracle GoldenGate Big Data and Application Adapters, Oracle GoldenGate Studio, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK, Oracle Graph Server and Client, Oracle Healthcare Data Repository, Oracle Healthcare Foundation, Oracle Healthcare Master Person Index, Oracle HTTP Server, Oracle Hyperion Data Relationship Management, Oracle Hyperion Financial Close Management, Oracle Hyperion Infrastructure Technology, Oracle Identity Manager, Oracle Insurance Policy Administration J2EE, Oracle Java SE, Oracle JDeveloper, Oracle Middleware Common Libraries and Tools, Oracle NoSQL Database, Oracle Outside In Technology, Oracle Reports Developer, Oracle REST Data Services, Oracle Retail Assortment Planning, Oracle Retail Financial Integration, Oracle Retail Integration Bus, Oracle Retail Predictive Application Server, Oracle Retail Xstore Office, Oracle Service Bus, Oracle Solaris, Oracle TimesTen In-Memory Database, Oracle Unified Directory, Oracle Utilities Application Framework, Oracle VM VirtualBox, Oracle WebCenter Content, Oracle WebCenter Portal, Oracle WebCenter Sites, Oracle WebLogic Server, Oracle ZFS Storage Appliance Kit, PeopleSoft Enterprise HCM Human Resources, PeopleSoft Enterprise HCM Shared Components, PeopleSoft Enterprise PeopleTools, Primavera Gateway, Primavera Unifier, Siebel Applications. The exact specification of the individual affected products can be found at the link in the SOURCES section. |
Consequences | Execution of malicious code, unauthorized access to sensitive data, unauthorized modification of the system, denial of service |
Recommendations | We recommend that administrators and users update the affected systems without delay. After remediating vulnerabilities that could have allowed remote code execution, it is good practice to inspect the system and change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used. We also recommend instructing users not to open unverified e-mail messages or attachments from unknown sources, and not to visit untrusted websites. |
Sources | https://www.oracle.com/security-alerts/cpujul2024.html https://www.oracle.com/security-alerts/cpujul2024verbose.html |