SK-CERT Security Alert V20250416-07
Severity: Critical
Classification: Unclassified/TLP:CLEAR
CVSS Score: 9.8
Identifier: Oracle products – multiple critical security vulnerabilities
Description:
Oracle has released security updates for its product portfolio that fix multiple security vulnerabilities, several of which are rated critical. The most severe critical vulnerability, CVE-2025-24813, is present in Oracle Communications Unified Assurance, Oracle Commerce Guided Search, Oracle Communications Element Manager, Oracle Communications Policy Management, Oracle Communications Session Report Manager and Oracle SD-WAN Edge. It stems from an insufficient implementation of security mechanisms in the Apache Tomcat component and allows a remote, unauthenticated attacker who sends a specially crafted PUT request to execute malicious code, gain unauthorized access to sensitive data, make unauthorized changes to the system and cause a denial of service. A Proof-of-Concept for this vulnerability is currently publicly available and the vulnerability is being actively exploited by attackers. Exploitation of the remaining vulnerabilities can lead to unauthorized access to sensitive data, unauthorized changes to the system, denial of service, privilege escalation and execution of malicious code. Exploitation of some of the vulnerabilities requires user interaction.
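Because the most severe issue above is reached through PUT requests to the Apache Tomcat component, a quick triage step while patches are being rolled out is to pull every PUT that Tomcat accepted out of its access log and review the written paths. The script below is an added example, not SK-CERT's or Oracle's code; it assumes Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b), the log lines are constructed for the example, and it only surfaces accepted PUT writes for a human to review, it does not identify the vulnerability itself.

```python
import re
from collections import Counter

# Tomcat AccessLogValve default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2025:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.10 - - [15/Apr/2025:10:01:05 +0200] "POST /login HTTP/1.1" 302 -
198.51.100.7 - - [15/Apr/2025:10:02:11 +0200] "PUT /uploads/report.txt HTTP/1.1" 201 -
198.51.100.7 - - [15/Apr/2025:10:02:12 +0200] "PUT /uploads/report.txt HTTP/1.1" 204 -
198.51.100.7 - - [15/Apr/2025:10:02:13 +0200] "GET /uploads/report.txt HTTP/1.1" 200 512
192.0.2.44 - - [15/Apr/2025:10:03:00 +0200] "PUT /api/v1/item/7 HTTP/1.1" 403 -
broken line that does not match the pattern
"""


def parse_line(line):
    """Parse one common-format access log line; return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_put_requests(log_text):
    """Return (findings, skipped): every PUT seen, flagged 'accepted' when the
    server answered 2xx (i.e. the write went through). Malformed lines are
    counted and skipped rather than aborting the scan."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["method"] == "PUT":
            findings.append({
                "source": rec["host"],
                "user": rec["user"],
                "path": rec["path"],
                "status": rec["status"],
                "accepted": 200 <= rec["status"] < 300,
            })
    return findings, skipped


def summarize(findings):
    """Group accepted PUTs by (source, path) so the review list stays short."""
    accepted = Counter((f["source"], f["path"]) for f in findings if f["accepted"])
    return [{"source": s, "path": p, "count": n} for (s, p), n in accepted.most_common()]


if __name__ == "__main__":
    found, bad = find_put_requests(SAMPLE_LOG)
    for f in found:
        flag = "ACCEPTED" if f["accepted"] else "rejected"
        print(f"{flag:8} {f['source']:15} {f['status']} {f['path']}")
    print(f"{bad} unparseable line(s) skipped")
    for s in summarize(found):
        print("review:", s)
```

Run it against the real access log (`find_put_requests(open(path).read())`) on each affected host; any accepted PUT to a path the application does not legitimately write is worth inspecting on disk, and an unauthenticated PUT in production is already a configuration question independent of this advisory.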
Date of first publication: 15.4.2025
CVE:
CVE-2016-1000027, CVE-2020-11996, CVE-2020-13935, CVE-2020-13936, CVE-2020-13943, CVE-2020-1935, CVE-2020-1938, CVE-2020-25649, CVE-2020-36518, CVE-2020-36843, CVE-2020-9484, CVE-2021-23450, CVE-2021-24122, CVE-2021-25122, CVE-2021-25329, CVE-2021-28170, CVE-2021-30640, CVE-2021-31684, CVE-2021-33037, CVE-2021-37714, CVE-2021-41079, CVE-2021-41184, CVE-2021-41973, CVE-2021-42575, CVE-2021-43980, CVE-2021-46877,
CVE-2022-25762, CVE-2022-34169, CVE-2022-34381, CVE-2022-36033, CVE-2022-3786, CVE-2022-42003, CVE-2022-42004, CVE-2022-42252, CVE-2022-45047, CVE-2023-1370, CVE-2023-24998, CVE-2023-25399, CVE-2023-26464, CVE-2023-28708, CVE-2023-34053, CVE-2023-35116, CVE-2023-35887, CVE-2023-36479, CVE-2023-37536, CVE-2023-38546, CVE-2023-39410, CVE-2023-40167, CVE-2023-40743, CVE-2023-41080, CVE-2023-42795, CVE-2023-44487, CVE-2023-45648, CVE-2023-46589, CVE-2023-48795, CVE-2023-49582, CVE-2023-51074, CVE-2023-51441, CVE-2023-52428, CVE-2023-5388, CVE-2023-5685,
CVE-2024-11053, CVE-2024-11233, CVE-2024-11234, CVE-2024-11236, CVE-2024-1135, CVE-2024-11612, CVE-2024-12797, CVE-2024-12798, CVE-2024-12801, CVE-2024-13176, CVE-2024-21538, CVE-2024-22243, CVE-2024-23672, CVE-2024-23807, CVE-2024-24549, CVE-2024-25638, CVE-2024-25710, CVE-2024-26308, CVE-2024-27856, CVE-2024-28168, CVE-2024-28219, CVE-2024-28834, CVE-2024-28835, CVE-2024-29025, CVE-2024-29131, CVE-2024-29133, CVE-2024-29736, CVE-2024-29857, CVE-2024-30172, CVE-2024-31141, CVE-2024-32007, CVE-2024-34064, CVE-2024-35195, CVE-2024-36114, CVE-2024-37891, CVE-2024-38357, CVE-2024-38474, CVE-2024-38476, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820, CVE-2024-38827, CVE-2024-38828, CVE-2024-38998, CVE-2024-38999, CVE-2024-39338, CVE-2024-39573, CVE-2024-39884, CVE-2024-40725, CVE-2024-40866, CVE-2024-40896, CVE-2024-4227, CVE-2024-42367, CVE-2024-43044, CVE-2024-43045, CVE-2024-43709, CVE-2024-43796, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-45337, CVE-2024-45338, CVE-2024-45613, CVE-2024-47072, CVE-2024-47197, CVE-2024-47535, CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47554, CVE-2024-47561, CVE-2024-47596, CVE-2024-47597, CVE-2024-47606, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, CVE-2024-47778, CVE-2024-49767, CVE-2024-49771, CVE-2024-50379, CVE-2024-50602, CVE-2024-52046, CVE-2024-5206, CVE-2024-52303, CVE-2024-52316, CVE-2024-52317, CVE-2024-53122, CVE-2024-53382, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534, CVE-2024-54543, CVE-2024-54677, CVE-2024-5535, CVE-2024-56128, CVE-2024-56171, CVE-2024-56201, CVE-2024-56326, CVE-2024-56337, CVE-2024-57699, CVE-2024-6119, CVE-2024-6763, CVE-2024-7254, CVE-2024-7264, CVE-2024-8176, CVE-2024-8184, CVE-2024-8775, CVE-2024-9143, CVE-2024-9681, CVE-2024-9902,
CVE-2025-1974, CVE-2025-21502, CVE-2025-21573, CVE-2025-21574, CVE-2025-21575, CVE-2025-21576, CVE-2025-21577, CVE-2025-21578, CVE-2025-21579, CVE-2025-21580, CVE-2025-21581, CVE-2025-21582, CVE-2025-21583, CVE-2025-21584, CVE-2025-21585, CVE-2025-21586, CVE-2025-21587, CVE-2025-21588, CVE-2025-22228, CVE-2025-23022, CVE-2025-23083, CVE-2025-23084, CVE-2025-23085, CVE-2025-23184, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, CVE-2025-24162, CVE-2025-24813, CVE-2025-24928, CVE-2025-24970, CVE-2025-25193, CVE-2025-26465, CVE-2025-26466, CVE-2025-26791, CVE-2025-27113, CVE-2025-27363, CVE-2025-27516, CVE-2025-27789, CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30686, CVE-2025-30687, CVE-2025-30688, CVE-2025-30689, CVE-2025-30690, CVE-2025-30691, CVE-2025-30692, CVE-2025-30693, CVE-2025-30694, CVE-2025-30695, CVE-2025-30696, CVE-2025-30697, CVE-2025-30698, CVE-2025-30699, CVE-2025-30700, CVE-2025-30701, CVE-2025-30702, CVE-2025-30703, CVE-2025-30704, CVE-2025-30705, CVE-2025-30706, CVE-2025-30707, CVE-2025-30708, CVE-2025-30709, CVE-2025-30710, CVE-2025-30711, CVE-2025-30712, CVE-2025-30713, CVE-2025-30714, CVE-2025-30715, CVE-2025-30716, CVE-2025-30717, CVE-2025-30718, CVE-2025-30719, CVE-2025-30720, CVE-2025-30721, CVE-2025-30722, CVE-2025-30723, CVE-2025-30724, CVE-2025-30725, CVE-2025-30726, CVE-2025-30727, CVE-2025-30728, CVE-2025-30729, CVE-2025-30730, CVE-2025-30731, CVE-2025-30732, CVE-2025-30733, CVE-2025-30735, CVE-2025-30736, CVE-2025-30737, CVE-2025-30740, CVE-2025-31720, CVE-2025-31721
IOC: –
Affected systems:
Oracle Access Manager
Oracle Agile Engineering Data Management
Oracle Application Express
Oracle Application Testing Suite
Oracle Autonomous Health Framework
Oracle Banking APIs
Oracle Banking Corporate Lending Process Management
Oracle Banking Digital Experience
Oracle Banking Liquidity Management
Oracle Banking Origination
Oracle BI Publisher
Oracle Business Activity Monitoring
Oracle Business Intelligence Enterprise Edition
Oracle Business Process Management Suite
Oracle Coherence
Oracle Commerce Guided Search
Oracle Commerce Merchandising
Oracle Commerce Platform
Oracle Communications Billing and Revenue Management
Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Certificate Management
Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core DBTier
Oracle Communications Cloud Native Core Network Data Analytics Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Element Management System
Oracle Communications Element Manager
Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution
Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control
Oracle Communications Network Integrity
Oracle Communications Operations Monitor
Oracle Communications Order and Service Management
Oracle Communications Policy Management
Oracle Communications Pricing Design Center
Oracle Communications Service Catalog and Design
Oracle Communications Session Border Controller
Oracle Communications Session Report Manager
Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository
Oracle Data Integrator
Oracle Database Server
Oracle Demantra Demand Management
Oracle Documaker
Oracle E-Business Suite
Oracle Enterprise Communications Broker
Oracle Enterprise Manager Base Platform
Oracle Essbase
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio
Oracle Financial Services Model Management and Governance
Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle Fusion Middleware MapViewer
Oracle GoldenGate
Oracle GoldenGate Stream Analytics
Oracle GoldenGate Veridata
Oracle GraalVM Enterprise Edition
Oracle GraalVM for JDK
Oracle Graph Server and Client
Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony
Oracle HTTP Server
Oracle Hyperion Financial Reporting
Oracle Hyperion Infrastructure Technology
Oracle Java SE
Oracle JD Edwards EnterpriseOne Tools
Oracle JDeveloper
Oracle Managed File Transfer
Oracle Management Cloud Engine
Oracle MySQL Client
Oracle MySQL Cluster
Oracle MySQL Connectors
Oracle MySQL Enterprise Backup
Oracle MySQL Server
Oracle MySQL Shell
Oracle MySQL Workbench
Oracle NoSQL Database
Oracle OSS Support Tools
Oracle Outside In Technology
Oracle PeopleSoft Enterprise CC Common Application Objects
Oracle PeopleSoft Enterprise HCM Talent Acquisition Manager
Oracle PeopleSoft Enterprise PeopleTools
Oracle Policy Automation
Oracle Policy Modeling
Oracle Primavera Gateway
Oracle Primavera P6 Enterprise Project Portfolio Management
Oracle Primavera Unifier
Oracle REST Data Services
Oracle Retail Order Broker
Oracle Retail Store Inventory Management
Oracle Retail Xstore Point of Service
Oracle SD-WAN Aware
Oracle SD-WAN Edge
Oracle Secure Backup
Oracle Service Bus
Oracle Siebel Applications
Oracle Smart View for Office
Oracle SOA Suite
Oracle Solaris
Oracle SQL Developer
Oracle TimesTen In-Memory Database
Oracle Utilities Application Framework
Oracle VM VirtualBox
Oracle WebCenter Forms Recognition
Oracle WebCenter Portal
Oracle WebLogic Server
The exact specification of the individual affected products can be found at the links in the SOURCES section.
Impact:
Malicious code execution
Privilege escalation
Unauthorized access to sensitive data
Unauthorized modification of the system
Denial of service
Recommendations:
We recommend that administrators and users update the affected systems without delay. After removing vulnerabilities that could have allowed remote code execution, it is good practice to inspect the system and change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used. We also recommend instructing users not to open unverified e-mail messages or attachments from unknown sources and not to visit untrusted websites.
Sources:
https://www.oracle.com/security-alerts/cpuapr2025.html
https://nvd.nist.gov/vuln/detail/CVE-2025-24813