SK-CERT Bezpečnostné varovanie V20250122-04
| Dôležitosť | Kritická |
| Klasifikácia | Neutajované/TLP:CLEAR |
| CVSS Skóre |
9.9 |
| Identifikátor |
| Oracle produkty – viacero kritických bezpečnostných zraniteľností |
| Popis |
| Spoločnosť Oracle vydala bezpečnostné aktualizácie na svoje portfólio produktov, ktoré opravujú viacero bezpečnostných zraniteľností, z ktorých je viacero označených ako kritických. Najzávažnejšia kritická bezpečnostná zraniteľnosť s identifikátorom CVE-2025-21556 s nachádza v produkte Oracle Agile PLM Framework, spočíva v nedostatočnej implementácii bezpečnostných mechanizmov komponentu Agile Integration Services a umožňuje vzdialenému, autentifikovanému útočníkovi s právomocami používateľa získať neoprávnený prístup do systému s následkom úplného narušenia dôvernosti, integrity a dostupnosti systému. Zneužitím ostatných bezpečnostných zraniteľností možno získať neoprávnený prístup k citlivým údajom, vykonať neoprávnené zmeny v systéme, spôsobiť zneprístupnenie služby, získať úplnú kontrolu nad systémom, eskalovať privilégiá a vykonať škodlivý kód. Zneužitie niektorých zraniteľností vyžaduje interakciu používateľa. |
| Dátum prvého zverejnenia varovania |
| 21.1.2025 |
| CVE |
| CVE-2025-21571, CVE-2025-21570, CVE-2025-21569, CVE-2025-21568, CVE-2025-21567, CVE-2025-21566, CVE-2025-21565, CVE-2025-21564, CVE-2025-21563, CVE-2025-21562, CVE-2025-21561, CVE-2025-21560, CVE-2025-21559, CVE-2025-21558, CVE-2025-21557, CVE-2025-21556, CVE-2025-21555, CVE-2025-21554, CVE-2025-21553, CVE-2025-21552, CVE-2025-21551, CVE-2025-21550, CVE-2025-21549, CVE-2025-21548, CVE-2025-21547, CVE-2025-21546, CVE-2025-21545, CVE-2025-21544, CVE-2025-21543, CVE-2025-21542, CVE-2025-21541, CVE-2025-21540, CVE-2025-21539, CVE-2025-21538, CVE-2025-21537, CVE-2025-21536, CVE-2025-21535, CVE-2025-21534, CVE-2025-21533, CVE-2025-21532, CVE-2025-21531, CVE-2025-21530, CVE-2025-21529, CVE-2025-21528, CVE-2025-21527, CVE-2025-21526, CVE-2025-21525, CVE-2025-21524, CVE-2025-21523, CVE-2025-21522, CVE-2025-21521, CVE-2025-21520, CVE-2025-21519, CVE-2025-21518, CVE-2025-21517, CVE-2025-21516, CVE-2025-21515, CVE-2025-21514, CVE-2025-21513, CVE-2025-21512, CVE-2025-21511, CVE-2025-21510, CVE-2025-21509, CVE-2025-21508, CVE-2025-21507, CVE-2025-21506, CVE-2025-21505, CVE-2025-21504, CVE-2025-21503, CVE-2025-21502, CVE-2025-21501, CVE-2025-21500, CVE-2025-21499, CVE-2025-21498, CVE-2025-21497, CVE-2025-21495, CVE-2025-21494, CVE-2025-21493, CVE-2025-21492, CVE-2025-21491, CVE-2025-21490, CVE-2025-21489, CVE-2025-0509, CVE-2024-9143, CVE-2024-8927, CVE-2024-8096, CVE-2024-8088, CVE-2024-8006, CVE-2024-7885, CVE-2024-7592, CVE-2024-7254, CVE-2024-6923, CVE-2024-6763, CVE-2024-6232, CVE-2024-6162, CVE-2024-6119, CVE-2024-56337, CVE-2024-5535, CVE-2024-54677, CVE-2024-53677, CVE-2024-52316, CVE-2024-50602, CVE-2024-50379, CVE-2024-49767, CVE-2024-49766, CVE-2024-47804, CVE-2024-47803, CVE-2024-47561, CVE-2024-47554, CVE-2024-47535, CVE-2024-4741, CVE-2024-47072, CVE-2024-4603, CVE-2024-45801, CVE-2024-45772, CVE-2024-45492, CVE-2024-45491, CVE-2024-45490, CVE-2024-43382, CVE-2024-41817, CVE-2024-40898, CVE-2024-4032, CVE-2024-4030, CVE-2024-38999, CVE-2024-38998, CVE-2024-38827, CVE-2024-38820, CVE-2024-38819, CVE-2024-38816, CVE-2024-38809, CVE-2024-38807, CVE-2024-38526, CVE-2024-38475, CVE-2024-38473, CVE-2024-37891, CVE-2024-37372, CVE-2024-37371, CVE-2024-37370, CVE-2024-36138, CVE-2024-36137, CVE-2024-36114, CVE-2024-3596, CVE-2024-35195, CVE-2024-34750, CVE-2024-34447, CVE-2024-34064, CVE-2024-33602, CVE-2024-33601, CVE-2024-33600, CVE-2024-33599, CVE-2024-30172, CVE-2024-30171, CVE-2024-29857, CVE-2024-2961, CVE-2024-29133, CVE-2024-29131, CVE-2024-29041, CVE-2024-29025, CVE-2024-28849, CVE-2024-28835, CVE-2024-28834, CVE-2024-28757, CVE-2024-28219, CVE-2024-27983, CVE-2024-27309, CVE-2024-27282, CVE-2024-27281, CVE-2024-27280, CVE-2024-26308, CVE-2024-26130, CVE-2024-25710, CVE-2024-25638, CVE-2024-2511, CVE-2024-24791, CVE-2024-24790, CVE-2024-24789, CVE-2024-24786, CVE-2024-24549, CVE-2024-23807, CVE-2024-23672, CVE-2024-23635, CVE-2024-22262, CVE-2024-22195, CVE-2024-22020, CVE-2024-22019, CVE-2024-22018, CVE-2024-21287, CVE-2024-21245, CVE-2024-21211, CVE-2024-1442, CVE-2024-1135, CVE-2024-11053, CVE-2024-0727, CVE-2024-0450, CVE-2024-0397, CVE-2024-0232, CVE-2023-7272, CVE-2023-7256, CVE-2023-6597, CVE-2023-6129, CVE-2023-5981, CVE-2023-5678, CVE-2023-52428, CVE-2023-52070, CVE-2023-51775, CVE-2023-51074, CVE-2023-50868, CVE-2023-50782, CVE-2023-49582, CVE-2023-48795, CVE-2023-4785, CVE-2023-4782, CVE-2023-46604, CVE-2023-46219, CVE-2023-46218, CVE-2023-45803, CVE-2023-44487, CVE-2023-44483, CVE-2023-44387, CVE-2023-4408, CVE-2023-43804, CVE-2023-42669, CVE-2023-42445, CVE-2023-4091, CVE-2023-40577, CVE-2023-3961, CVE-2023-39410, CVE-2023-39017, CVE-2023-38709, CVE-2023-38552, CVE-2023-36785, CVE-2023-36730, CVE-2023-35947, CVE-2023-35946, CVE-2023-33953, CVE-2023-33202, CVE-2023-33201, CVE-2023-32732, CVE-2023-29824, CVE-2023-2976, CVE-2023-29408, CVE-2023-29407, CVE-2023-27043, CVE-2023-26031, CVE-2023-25399, CVE-2023-24998, CVE-2022-41727, CVE-2022-40150, CVE-2022-34169, CVE-2022-26345, CVE-2021-37519, CVE-2021-33813, CVE-2021-32751, CVE-2021-29429, CVE-2021-29428, CVE-2021-23926, CVE-2020-7760, CVE-2020-28975, CVE-2020-2849, CVE-2020-22218, CVE-2020-13956, CVE-2020-11979, CVE-2019-16370, CVE-2019-15052, CVE-2019-12415, CVE-2019-11065, CVE-2016-1000027 |
| IOC |
| – |
| Zasiahnuté systémy |
| Oracle Agile Engineering Data Management Oracle Agile PLM Framework Oracle Analytics Desktop Oracle Application Express Oracle Application Testing Suite Oracle Banking Corporate Lending Process Management Oracle Banking Liquidity Management Oracle Banking Origination Oracle BI Publisher Oracle Big Data Spatial and Graph Oracle Blockchain Platform Oracle Business Activity Monitoring Oracle Business Intelligence Enterprise Edition Oracle Business Process Management Suite Oracle Coherence Oracle Commerce Guided Search Oracle Communications Billing and Revenue Management Oracle Communications BRM – Elastic Charging Engine Oracle Communications Cloud Native Core Automated Test Suite Oracle Communications Cloud Native Core Binding Support Function Oracle Communications Cloud Native Core Certificate Management Oracle Communications Cloud Native Core Console Oracle Communications Cloud Native Core DBTier Oracle Communications Cloud Native Core Network Function Cloud Native Environment Oracle Communications Cloud Native Core Network Repository Function Oracle Communications Cloud Native Core Policy Oracle Communications Cloud Native Core Security Edge Protection Proxy Oracle Communications Cloud Native Core Service Communication Proxy Oracle Communications Cloud Native Core Unified Data Repository Oracle Communications Converged Application Server Oracle Communications Convergence Oracle Communications Diameter Signaling Router Oracle Communications EAGLE Element Management System Oracle Communications Messaging Server Oracle Communications Network Analytics Data Director Oracle Communications Offline Mediation Controller Oracle Communications Operations Monitor Oracle Communications Order and Service Management Oracle Communications Policy Management Oracle Communications Service Catalog and Design Oracle Communications Session Border Controller Oracle Communications Unified Assurance Oracle Communications Unified Inventory Management Oracle Communications User Data Repository Oracle Database Server Oracle Documaker Oracle E-Business Suite Oracle Enterprise Communications Broker Oracle Enterprise Manager Base Platform Oracle Enterprise Manager for MySQL Database Oracle Enterprise Session Border Controller Oracle Essbase Oracle Financial Services Analytical Applications Infrastructure Oracle Financial Services Behavior Detection Platform Oracle Financial Services Compliance Studio Oracle Financial Services Enterprise Case Management Oracle Financial Services Model Management and Governance Oracle Financial Services Regulatory Reporting Oracle Financial Services Revenue Management and Billing Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition Oracle Fusion Middleware MapViewer Oracle GoldenGate Oracle GoldenGate Big Data and Application Adapters Oracle GoldenGate Studio Oracle GoldenGate Veridata Oracle GraalVM Enterprise Edition Oracle GraalVM for JDK Oracle Graph Server and Client Oracle Hospitality OPERA 5 Oracle HTTP Server Oracle Hyperion Data Relationship Management Oracle Identity Manager Oracle Java SE Oracle JD Edwards EnterpriseOne Orchestrator Oracle JD Edwards EnterpriseOne Tools Oracle Life Sciences Argus Safety Oracle Life Sciences Empirica Signal Oracle Managed File Transfer Oracle Middleware Common Libraries and Tools Oracle MySQL Cluster Oracle MySQL Connectors Oracle MySQL Enterprise Backup Oracle MySQL Enterprise Firewall Oracle MySQL Server Oracle MySQL Shell Oracle Outside In Technology Oracle PeopleSoft Enterprise CC Common Application Objects Oracle PeopleSoft Enterprise FIN Cash Management Oracle PeopleSoft Enterprise FIN eSettlements Oracle PeopleSoft Enterprise PeopleTools Oracle PeopleSoft Enterprise SCM Purchasing Oracle Policy Automation Oracle Primavera Gateway Oracle Primavera P6 Enterprise Project Portfolio Management Oracle Primavera Unifier Oracle REST Data Services Oracle Retail Financial Integration Oracle Retail Integration Bus Oracle SD-WAN Edge Oracle Secure Backup Oracle Security Service Oracle Siebel Applications Oracle Solaris Oracle TimesTen In-Memory Database Oracle Utilities Application Framework Oracle Utilities Network Management System Oracle Utilities Testing Accelerator Oracle VM VirtualBox Oracle WebCenter Portal Oracle WebLogic Server Presnú špecifikáciu jednotlivých zasiahnutých produktov nájdete na odkazoch v sekcii ZDROJE |
| Následky |
| Vykonanie škodlivého kódu Eskalácia privilégií Neoprávnený prístup k citlivým údajom Neoprávnená zmena v systéme Zneprístupnenie služby Neoprávnený prístup do systému |
| Odporúčania |
| Administrátorom a používateľom odporúčame bezodkladne vykonať aktualizáciu zasiahnutých systémov. Po odstránení zraniteľností, ktoré mohli spôsobiť vzdialené vykonanie kódu, je dobrou praxou kontrola systému a zmena všetkých hesiel a kľúčov na dotknutom systéme a aj na iných systémoch, kde sa používalo rovnaké heslo či kľúč. Taktiež odporúčame poučiť používateľov, aby neotvárali neoverené e-mailové správy, prílohy z neznámych zdrojov a nenavštevovali nedôveryhodné webové stránky. |
« Späť na zoznam
