SK-CERT Security Alert V20240718-03

Severity Critical
Classification Unclassified/TLP:CLEAR
CVSS Score
9.8
Identifier
Oracle products – multiple critical security vulnerabilities
Description
Oracle has released security updates for its product portfolio that fix multiple security vulnerabilities, fourteen of which are rated critical.
The most severe of the critical vulnerabilities, CVE-2024-23897, affects Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy and Oracle Communications Cloud Native Core Security Edge Protection Proxy. It stems from the bundled Jenkins component: the argument parser (args4j) used by the Jenkins CLI expands an argument of the form @<path> to the contents of that file, so a remote, unauthenticated attacker who can reach the CLI endpoint over HTTP can send a specially crafted request to read arbitrary files on the Jenkins controller. Oracle rates the resulting impact as unauthorized access to sensitive data, unauthorized changes to the system and denial of service (CVSS 9.8).
Exploitation of the remaining vulnerabilities can lead to execution of malicious code, unauthorized access to sensitive data, unauthorized changes to the system and denial of service.
Date of first publication of the alert
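Two checks a practitioner would run against a Jenkins instance shipped inside one of the affected Oracle Communications Cloud Native Core products, written as an added example (this is not code from the SK-CERT advisory, from Oracle or from the Jenkins project). It assumes the Jenkins version string is read from the X-Jenkins response header, that the upstream fix releases for CVE-2024-23897 are weekly 2.442 and LTS 2.426.3 (Jenkins security advisory of 2024-01-24), and that a reverse proxy in front of Jenkins writes a combined-format access log; all log lines below are constructed. For an Oracle product the version comparison is only a triage hint, since Oracle's own patch level as listed in the CPU is authoritative.

```python
# Added example (not code from the SK-CERT advisory, Oracle or the Jenkins project).
# Assumptions: the Jenkins version string comes from the X-Jenkins response header;
# upstream fix versions for CVE-2024-23897 are weekly 2.442 and LTS 2.426.3 (Jenkins
# advisory of 2024-01-24); the access log is combined log format from a reverse proxy
# in front of Jenkins; every sample line below is constructed, not real traffic.
import re
from typing import Iterable

FIXED_WEEKLY = (2, 442)      # first weekly release carrying the fix
FIXED_LTS = (2, 426, 3)      # first LTS release carrying the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Parse '2.441' or '2.426.2' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def jenkins_is_fixed(version: str) -> bool:
    """True if this upstream Jenkins version already contains the CVE-2024-23897 fix.

    Weekly releases have two components (2.N), LTS releases three (2.N.M); each line
    received its own fix release, so each is compared against its own baseline.
    For an Oracle product this is a triage hint only: Oracle's patch level decides.
    """
    v = parse_version(version)
    return v >= FIXED_WEEKLY if len(v) == 2 else v >= FIXED_LTS


# Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The Jenkins CLI's HTTP transport posts to /cli (websocket mode uses /cli/ws).
CLI_PATH_RE = re.compile(r"^/cli(?:[/?]|$)")


def cli_requests(lines: Iterable[str]) -> list[dict]:
    """Return every parsed POST that targets the Jenkins CLI endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        if m["method"] == "POST" and CLI_PATH_RE.match(m["path"]):
            hits.append({
                "ip": m["ip"],
                "user": None if m["user"] == "-" else m["user"],
                "ts": m["ts"],
                "status": int(m["status"]),
            })
    return hits


def unauthenticated_cli_sources(lines: Iterable[str]) -> set[str]:
    """Source IPs that drove the CLI endpoint with no authenticated user.

    Administrators use the CLI legitimately, so the signal worth triaging is
    anonymous CLI traffic, above all from addresses that never log in elsewhere.
    """
    return {h["ip"] for h in cli_requests(lines) if h["user"] is None}


# Constructed sample lines: two anonymous CLI calls from one external address,
# one authenticated CLI call by an admin, and ordinary browser traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2024:10:21:07 +0000] "GET /login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jul/2024:10:21:09 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.9"',
    '203.0.113.7 - - [16/Jul/2024:10:21:09 +0000] "POST /cli?remoting=false HTTP/1.1" 200 2048 "-" "Java/17.0.9"',
    '10.0.0.9 - alice [16/Jul/2024:10:22:00 +0000] "POST /cli?remoting=false HTTP/1.1" 200 300 "-" "curl/8.4.0"',
    '10.0.0.5 - - [16/Jul/2024:10:23:00 +0000] "GET /static/abc/images/headshot.png HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(f"Jenkins {v}: {'fixed' if jenkins_is_fixed(v) else 'VULNERABLE'}")
    print("anonymous CLI sources:", unauthenticated_cli_sources(SAMPLE_LOG))
```

Run it against a real proxy log by passing the file's lines to unauthenticated_cli_sources(); a hit from an address that never appears with an authenticated user is a candidate for the credential rotation recommended below, because an arbitrary file read on the controller exposes whatever secrets its file system holds.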
16.7.2024
CVE
CVE-2024-6162, CVE-2024-4741, CVE-2024-4603, CVE-2024-34459, CVE-2024-34447, CVE-2024-34069, CVE-2024-34064, CVE-2024-32114, CVE-2024-30172, CVE-2024-30171, CVE-2024-29881, CVE-2024-29857, CVE-2024-2961, CVE-2024-29203, CVE-2024-29133, CVE-2024-29131, CVE-2024-29041, CVE-2024-29025, CVE-2024-28849, CVE-2024-28757, CVE-2024-28752, CVE-2024-28182, CVE-2024-27983, CVE-2024-27982, CVE-2024-27980, CVE-2024-27316, CVE-2024-26308, CVE-2024-26130, CVE-2024-25710, CVE-2024-2511, CVE-2024-25062, CVE-2024-24816, CVE-2024-24815, CVE-2024-24795, CVE-2024-24549, CVE-2024-23944, CVE-2024-23898, CVE-2024-23897, CVE-2024-23807, CVE-2024-23672, CVE-2024-23635, CVE-2024-22262, CVE-2024-22259, CVE-2024-22257, CVE-2024-22243, CVE-2024-22234, CVE-2024-22201, CVE-2024-22025, CVE-2024-22019, CVE-2024-21892, CVE-2024-21742, CVE-2024-21188, CVE-2024-21185, CVE-2024-21184, CVE-2024-21183, CVE-2024-21182, CVE-2024-21181, CVE-2024-21180, CVE-2024-21179, CVE-2024-21178, CVE-2024-21177, CVE-2024-21176, CVE-2024-21175, CVE-2024-21174, CVE-2024-21173, CVE-2024-21171, CVE-2024-21170, CVE-2024-21169, CVE-2024-21168, CVE-2024-21167, CVE-2024-21166, CVE-2024-21165, CVE-2024-21164, CVE-2024-21163, CVE-2024-21162, CVE-2024-21161, CVE-2024-21160, CVE-2024-21159, CVE-2024-21158, CVE-2024-21157, CVE-2024-21155, CVE-2024-21154, CVE-2024-21153, CVE-2024-21152, CVE-2024-21151, CVE-2024-21150, CVE-2024-21149, CVE-2024-21148, CVE-2024-21147, CVE-2024-21146, CVE-2024-21145, CVE-2024-21144, CVE-2024-21143, CVE-2024-21142, CVE-2024-21141, CVE-2024-21140, CVE-2024-21139, CVE-2024-21138, CVE-2024-21137, CVE-2024-21136, CVE-2024-21135, CVE-2024-21134, CVE-2024-21133, CVE-2024-21132, CVE-2024-21131, CVE-2024-21130, CVE-2024-21129, CVE-2024-21128, CVE-2024-21127, CVE-2024-21126, CVE-2024-21125, CVE-2024-21123, CVE-2024-21122, CVE-2024-21098, CVE-2024-20996, CVE-2024-0853, CVE-2024-0727, CVE-2024-0450, CVE-2024-0397, CVE-2024-0232, CVE-2023-6918, CVE-2023-6597, CVE-2023-6129, CVE-2023-6004, CVE-2023-5981, CVE-2023-5764, 
CVE-2023-5685, CVE-2023-5678, CVE-2023-5363, CVE-2023-52428, CVE-2023-52426, CVE-2023-52425, CVE-2023-51775, CVE-2023-51074, CVE-2023-5072, CVE-2023-50447, CVE-2023-49083, CVE-2023-49082, CVE-2023-49081, CVE-2023-48795, CVE-2023-47627, CVE-2023-4759, CVE-2023-47248, CVE-2023-46750, CVE-2023-46589, CVE-2023-46219, CVE-2023-46218, CVE-2023-45853, CVE-2023-44487, CVE-2023-44483, CVE-2023-42503, CVE-2023-41900, CVE-2023-41105, CVE-2023-40743, CVE-2023-4043, CVE-2023-40167, CVE-2023-39332, CVE-2023-39331, CVE-2023-38709, CVE-2023-38552, CVE-2023-3817, CVE-2023-37920, CVE-2023-37536, CVE-2023-36479, CVE-2023-36478, CVE-2023-35887, CVE-2023-35116, CVE-2023-3446, CVE-2023-34055, CVE-2023-34040, CVE-2023-34034, CVE-2023-33202, CVE-2023-33201, CVE-2023-2976, CVE-2023-2975, CVE-2023-29081, CVE-2023-28756, CVE-2023-28755, CVE-2023-26031, CVE-2023-24998, CVE-2023-22081, CVE-2023-21036, CVE-2023-20861, CVE-2023-1436, CVE-2023-1370, CVE-2022-48174, CVE-2022-46337, CVE-2022-45693, CVE-2022-45685, CVE-2022-45378, CVE-2022-42890, CVE-2022-42003, CVE-2022-41915, CVE-2022-41881, CVE-2022-41704, CVE-2022-40152, CVE-2022-40150, CVE-2022-40149, CVE-2022-40146, CVE-2022-38648, CVE-2022-38398, CVE-2022-3786, CVE-2022-37434, CVE-2022-36944, CVE-2022-36033, CVE-2022-34381, CVE-2022-34169, CVE-2022-33879, CVE-2022-31160, CVE-2022-25987, CVE-2022-22970, CVE-2022-22968, CVE-2022-22965, CVE-2022-22950, CVE-2022-21797, CVE-2022-1292, CVE-2022-0239, CVE-2021-44550, CVE-2021-41184, CVE-2021-41183, CVE-2021-41182, CVE-2021-37533, CVE-2021-36374, CVE-2021-36373, CVE-2021-36090, CVE-2021-29489, CVE-2021-29425, CVE-2021-27568, CVE-2021-24112, CVE-2021-23926, CVE-2020-1945, CVE-2020-13956, CVE-2020-11987, CVE-2019-17267, CVE-2019-13990, CVE-2019-10086
IOC
Affected systems
JD Edwards EnterpriseOne Orchestrator
JD Edwards EnterpriseOne Tools
JD Edwards World Security
Management Pack for Oracle GoldenGate
MySQL Cluster
MySQL Connectors
MySQL Enterprise Monitor
MySQL Server
MySQL Workbench
Oracle Access Manager
Oracle Agile Engineering Data Management
Oracle Analytics Desktop
Oracle Application Express
Oracle Application Testing Suite
Oracle Autovue for Agile Product Lifecycle Management
Oracle Banking Branch
Oracle Banking Cash Management
Oracle Banking Corporate Lending Process Management
Oracle Banking Credit Facilities Process Management
Oracle Banking Deposits and Lines of Credit Servicing
Oracle Banking Liquidity Management
Oracle Banking Origination
Oracle Banking Party Management
Oracle Banking Platform
Oracle Banking Virtual Account Management
Oracle Big Data Spatial and Graph
Oracle Business Activity Monitoring
Oracle Business Intelligence Enterprise Edition
Oracle Coherence
Oracle Commerce Guided Search
Oracle Commerce Platform
Oracle Communications ASAP
Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Data Analytics Function
Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Converged Charging System
Oracle Communications Convergent Charging Controller
Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Element Management System
Oracle Communications Element Manager
Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor
Oracle Communications Performance Intelligence
Oracle Communications Policy Management
Oracle Communications Pricing Design Center
Oracle Communications Service Catalog and Design
Oracle Communications Session Border Controller
Oracle Communications Session Report Manager
Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository
Oracle Data Integrator
Oracle Database Server
Oracle Documaker
Oracle E-Business Suite
Oracle Enterprise Data Quality
Oracle Enterprise Manager Base Platform
Oracle Essbase
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio
Oracle Financial Services Enterprise Case Management
Oracle Financial Services Model Management and Governance
Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Investor Servicing
Oracle FLEXCUBE Universal Banking
Oracle Fusion Middleware
Oracle Global Lifecycle Management NextGen OUI Framework
Oracle GoldenGate
Oracle GoldenGate Big Data and Application Adapters
Oracle GoldenGate Studio
Oracle GraalVM Enterprise Edition
Oracle GraalVM for JDK
Oracle Graph Server and Client
Oracle Healthcare Data Repository
Oracle Healthcare Foundation
Oracle Healthcare Master Person Index
Oracle HTTP Server
Oracle Hyperion Data Relationship Management
Oracle Hyperion Financial Close Management
Oracle Hyperion Infrastructure Technology
Oracle Identity Manager
Oracle Insurance Policy Administration J2EE
Oracle Java SE
Oracle JDeveloper
Oracle Middleware Common Libraries and Tools
Oracle NoSQL Database
Oracle Outside In Technology
Oracle Reports Developer
Oracle REST Data Services
Oracle Retail Assortment Planning
Oracle Retail Financial Integration
Oracle Retail Integration Bus
Oracle Retail Predictive Application Server
Oracle Retail Xstore Office
Oracle Service Bus
Oracle Solaris
Oracle TimesTen In-Memory Database
Oracle Unified Directory
Oracle Utilities Application Framework
Oracle VM VirtualBox
Oracle WebCenter Content
Oracle WebCenter Portal
Oracle WebCenter Sites
Oracle WebLogic Server
Oracle ZFS Storage Appliance Kit
PeopleSoft Enterprise HCM Human Resources
PeopleSoft Enterprise HCM Shared Components
PeopleSoft Enterprise PeopleTools
Primavera Gateway
Primavera Unifier
Siebel Applications

The exact specification of the individual affected products can be found at the link in the SOURCES section.

Impact
Execution of malicious code
Unauthorized access to sensitive data
Unauthorized changes to the system
Denial of service
Recommendations
We recommend that administrators and users update the affected systems without delay.
After remediating vulnerabilities that could have allowed remote code execution, it is good practice to review the system and change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used. For the Jenkins issue this includes secrets stored on the Jenkins controller, since an arbitrary file read exposes whatever the controller's file system holds.
We also recommend instructing users not to open unverified e-mail messages or attachments from unknown sources and not to visit untrusted websites.
Sources
https://www.oracle.com/security-alerts/cpujul2024.html
https://www.oracle.com/security-alerts/cpujul2024verbose.html
