SK-CERT Security Alert V20250716-02

Severity Critical
Classification Unclassified/TLP:CLEAR
CVSS Score
9.8
Identifier
Oracle products – multiple critical security vulnerabilities
Description
Oracle has released security updates for its product portfolio that fix multiple security vulnerabilities, five of which are rated critical.
The most severe critical vulnerability, CVE-2025-31651, affects Oracle Managed File Transfer, Oracle Retail Xstore Office, Oracle Agile Engineering Data Management and Oracle Agile PLM. It stems from an insufficient implementation of security mechanisms in the bundled external component Apache Tomcat and allows a remote, unauthenticated attacker, by sending a specially crafted request, to gain unauthorized access to sensitive data, make unauthorized changes to the system and cause a denial of service.
Exploitation of the remaining vulnerabilities can lead to unauthorized access to sensitive data, unauthorized changes to the system, denial of service, privilege escalation and execution of malicious code.
Exploitation of some of the vulnerabilities requires user interaction.
Date of first publication of the alert
Dátum prvého zverejnenia varovania
15.7.2025
CVE
CVE-2020-13936, CVE-2021-33813, CVE-2021-42575, CVE-2022-34169, CVE-2022-45693, CVE-2023-1436, CVE-2023-27349, CVE-2023-29162, CVE-2023-39017, CVE-2023-42917, CVE-2023-44483, CVE-2023-49582, CVE-2023-51074, CVE-2023-5685, CVE-2023-7256, CVE-2024-1135, CVE-2024-12133, CVE-2024-12797, CVE-2024-12798, CVE-2024-12801, CVE-2024-13176, CVE-2024-21094, CVE-2024-21131, CVE-2024-22201, CVE-2024-23807, CVE-2024-24795, CVE-2024-25638, CVE-2024-25710, CVE-2024-26143, CVE-2024-26308, CVE-2024-27309, CVE-2024-28168, CVE-2024-28182, CVE-2024-31141, CVE-2024-31744, CVE-2024-34064, CVE-2024-34517, CVE-2024-35195, CVE-2024-37891, CVE-2024-38356, CVE-2024-38357, CVE-2024-38472, CVE-2024-38477, CVE-2024-38819, CVE-2024-38820, CVE-2024-38827, CVE-2024-38828, CVE-2024-39884, CVE-2024-40896, CVE-2024-43796, CVE-2024-45336, CVE-2024-45340, CVE-2024-45341, CVE-2024-46956, CVE-2024-47072, CVE-2024-47554, CVE-2024-47561, CVE-2024-47606, CVE-2024-49767, CVE-2024-52012, CVE-2024-52046, CVE-2024-5535, CVE-2024-55549, CVE-2024-56128, CVE-2024-56171, CVE-2024-56201, CVE-2024-56326, CVE-2024-56406, CVE-2024-57699, CVE-2024-6763, CVE-2024-7254, CVE-2024-7264, CVE-2024-7592, CVE-2024-7885, CVE-2024-8006, CVE-2024-8176, CVE-2024-8184, CVE-2024-9143, CVE-2024-9287, CVE-2025-0395, CVE-2025-0624, CVE-2025-0725, CVE-2025-1948, CVE-2025-1974, CVE-2025-22228, CVE-2025-22865, CVE-2025-23016, CVE-2025-23083, CVE-2025-23084, CVE-2025-23085, CVE-2025-23165, CVE-2025-23166, CVE-2025-23167, CVE-2025-23184, CVE-2025-24813, CVE-2025-24814, CVE-2025-24855, CVE-2025-24928, CVE-2025-24970, CVE-2025-25193, CVE-2025-26791, CVE-2025-27113, CVE-2025-27363, CVE-2025-27516, CVE-2025-27533, CVE-2025-27553, CVE-2025-27636, CVE-2025-27817, CVE-2025-27818, CVE-2025-27819, CVE-2025-27820, CVE-2025-29482, CVE-2025-29891, CVE-2025-30065, CVE-2025-30474, CVE-2025-30739, CVE-2025-30743, CVE-2025-30744, CVE-2025-30745, CVE-2025-30746, CVE-2025-30747, CVE-2025-30748, CVE-2025-30749, CVE-2025-30750, CVE-2025-30751, CVE-2025-30752, 
CVE-2025-30753, CVE-2025-30754, CVE-2025-30756, CVE-2025-30758, CVE-2025-30759, CVE-2025-30760, CVE-2025-30761, CVE-2025-30762, CVE-2025-31650, CVE-2025-31651, CVE-2025-31672, CVE-2025-31720, CVE-2025-31721, CVE-2025-32414, CVE-2025-32415, CVE-2025-4598, CVE-2025-46701, CVE-2025-47287, CVE-2025-4802, CVE-2025-48734, CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, CVE-2025-49125, CVE-2025-49146, CVE-2025-50059, CVE-2025-50060, CVE-2025-50061, CVE-2025-50062, CVE-2025-50063, CVE-2025-50064, CVE-2025-50065, CVE-2025-50066, CVE-2025-50067, CVE-2025-50068, CVE-2025-50069, CVE-2025-50070, CVE-2025-50071, CVE-2025-50072, CVE-2025-50073, CVE-2025-50076, CVE-2025-50077, CVE-2025-50078, CVE-2025-50079, CVE-2025-50080, CVE-2025-50081, CVE-2025-50082, CVE-2025-50083, CVE-2025-50084, CVE-2025-50085, CVE-2025-50086, CVE-2025-50087, CVE-2025-50088, CVE-2025-50089, CVE-2025-50090, CVE-2025-50091, CVE-2025-50092, CVE-2025-50093, CVE-2025-50094, CVE-2025-50095, CVE-2025-50096, CVE-2025-50097, CVE-2025-50098, CVE-2025-50099, CVE-2025-50100, CVE-2025-50101, CVE-2025-50102, CVE-2025-50103, CVE-2025-50104, CVE-2025-50105, CVE-2025-50106, CVE-2025-50107, CVE-2025-50108, CVE-2025-53023, CVE-2025-53024, CVE-2025-53025, CVE-2025-53026, CVE-2025-53027, CVE-2025-53028, CVE-2025-53029, CVE-2025-53030, CVE-2025-53031, CVE-2025-53032, CVE-2025-5399
IOC
Affected systems
Autonomous Health Framework
JD Edwards EnterpriseOne Tools
JD Edwards World Security
MySQL Client
MySQL Cluster
MySQL Enterprise Backup
MySQL Server
MySQL Workbench
Oracle Agile Engineering Data Management
Oracle Agile PLM
Oracle Application Express
Oracle Application Testing Suite
Oracle AutoVue
Oracle Banking Origination
Oracle BI Publisher
Oracle Blockchain Platform
Oracle Business Intelligence Enterprise Edition
Oracle Business Process Management Suite
Oracle Coherence
Oracle Commerce Guided Search
Oracle Commerce Guided Search Platform Services
Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Calendar Server
Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core DBTier
Oracle Communications Cloud Native Core Network Data Analytics Function
Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Contacts Server
Oracle Communications Convergence
Oracle Communications Convergent Charging Controller
Oracle Communications Core Session Manager
Oracle Communications Element Manager
Oracle Communications IP Service Activator
Oracle Communications MetaSolv Solution
Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control
Oracle Communications Network Integrity
Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor
Oracle Communications Order and Service Management
Oracle Communications Policy Management
Oracle Communications Session Border Controller
Oracle Communications Session Report Manager
Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository
Oracle Data Integrator
Oracle Database Server
Oracle E-Business Suite
Oracle Enterprise Communications Broker
Oracle Enterprise Data Quality
Oracle Essbase
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Model Management and Governance
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle Fusion Middleware
Oracle GoldenGate Big Data and Application Adapters
Oracle GoldenGate Stream Analytics
Oracle GoldenGate Studio
Oracle GoldenGate Veridata
Oracle GraalVM Enterprise Edition
Oracle GraalVM for JDK
Oracle Graph Server and Client
Oracle Healthcare Master Person Index
Oracle Hospitality Cruise Shipboard Property Management System
Oracle HTTP Server
Oracle Hyperion Financial Reporting
Oracle Hyperion Infrastructure Technology
Oracle Identity Manager
Oracle Insurance Policy Administration J2EE
Oracle Java SE
Oracle JDeveloper
Oracle Managed File Transfer
Oracle Middleware Common Libraries and Tools
Oracle NoSQL Database
Oracle Outside In Technology
Oracle Product Lifecycle Analytics
Oracle REST Data Services
Oracle Retail EFTLink
Oracle Retail Extract Transform and Load
Oracle Retail Integration Bus
Oracle Retail Predictive Application Server
Oracle Retail Service Backbone
Oracle Retail Xstore Office
Oracle Retail Xstore Point of Service
Oracle Service Bus
Oracle Spatial Studio
Oracle TimesTen In-Memory Database
Oracle Utilities Application Framework
Oracle Utilities Network Management System
Oracle Utilities Testing Accelerator
Oracle VM VirtualBox
Oracle WebCenter Enterprise Capture
Oracle WebCenter Portal
Oracle WebLogic Server
PeopleSoft Enterprise HCM Global Payroll Core
PeopleSoft Enterprise HCM Human Resources
PeopleSoft Enterprise PeopleTools
Primavera P6 Enterprise Project Portfolio Management
Primavera Unifier
Siebel Applications

The exact specification of the individual affected products can be found at the links in the SOURCES section.

Impact
Execution of malicious code
Privilege escalation
Unauthorized access to sensitive data
Unauthorized modification of the system
Denial of service
Recommendations
We recommend that administrators and users update the affected systems without delay.
After remediating vulnerabilities that could have allowed remote code execution, it is good practice to inspect the system and change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used.
We also recommend instructing users not to open unverified e-mail messages or attachments from unknown sources, and not to visit untrusted websites.
Sources
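As an added illustration (not part of the SK-CERT advisory or of Oracle's material), the following Python script shows one way a defender can turn the advisory's CVE field into a per-host patching work list: it extracts the CVE identifiers from the advisory text, matches them against a vulnerability-scanner export, discards findings this alert does not cover, and lists the headline CVE-2025-31651 (CVSS 9.8, the only one the advisory names) first on every host. The host names, the scanner record format and the finding CVE-2025-99999 are constructed assumptions; the other identifiers are taken from the advisory's CVE list above.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of the advisory's CVE field (identifiers copied from the advisory;
# CVE-2025-31651 is repeated on purpose to show deduplication).
ADVISORY_CVE_FIELD = """
CVE-2025-31651, CVE-2025-24813, CVE-2024-12797, CVE-2025-30749,
CVE-2025-30750, CVE-2023-42917, CVE-2025-31651
"""

# The advisory singles out one vulnerability as the most severe and gives its CVSS score.
HEADLINE_CVES: Dict[str, float] = {"CVE-2025-31651": 9.8}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(text: str) -> Set[str]:
    """Return the deduplicated, upper-cased set of CVE identifiers found in free text."""
    return {match.upper() for match in CVE_RE.findall(text)}


# Constructed scanner export: one record per finding, in the shape a scanner might emit.
# Host names and CVE-2025-99999 are made up; the other CVE ids appear in the advisory.
SCAN_FINDINGS: List[Dict[str, str]] = [
    {"host": "mft-01.example.internal", "product": "Oracle Managed File Transfer", "cve": "CVE-2025-24813"},
    {"host": "web-07.example.internal", "product": "nginx", "cve": "CVE-2025-99999"},
    {"host": "mft-01.example.internal", "product": "Oracle Managed File Transfer", "cve": "cve-2024-12797"},
    {"host": "db-02.example.internal", "product": "MySQL Server", "cve": "CVE-2025-30750"},
    {"host": "mft-01.example.internal", "product": "Oracle Managed File Transfer", "cve": "CVE-2025-31651"},
    {"host": "mft-01.example.internal", "product": "Oracle Managed File Transfer", "cve": "CVE-2025-31651"},
]


def triage(findings: List[Dict[str, str]], advisory_cves: Set[str],
           headline: Dict[str, float]) -> Dict[str, List[str]]:
    """Group scanner findings covered by the advisory per host.

    Findings whose CVE is not in the advisory are dropped: they belong to a
    different patch cycle and would only dilute this alert's work list.
    Within a host, CVEs with a known CVSS score come first (highest first),
    the rest follow alphabetically so the output is stable between runs.
    """
    per_host: Dict[str, List[str]] = {}
    for finding in findings:
        cve = finding["cve"].upper()          # normalise case before comparing
        if cve not in advisory_cves:
            continue
        per_host.setdefault(finding["host"], []).append(cve)

    for host, cves in per_host.items():
        cves.sort(key=lambda c: (-headline.get(c, 0.0), c))
        per_host[host] = list(dict.fromkeys(cves))  # dedupe, keep the sorted order
    return per_host


if __name__ == "__main__":
    advisory_cves = extract_cves(ADVISORY_CVE_FIELD)
    print(f"{len(advisory_cves)} unique CVE ids in the advisory excerpt")
    for host, cves in sorted(triage(SCAN_FINDINGS, advisory_cves, HEADLINE_CVES).items()):
        print(f"{host}: {', '.join(cves)}")
```

In practice the advisory text would be read from the alert page or feed and the findings from the scanner's CSV or JSON export; the matching logic stays the same. Hosts that carry the headline CVE are the ones to patch first under the advisory's "without delay" recommendation, and the follow-up credential rotation applies to every host that appears in the list.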
https://www.oracle.com/security-alerts/cpujul2025.html
https://nvd.nist.gov/vuln/detail/cve-2025-31651
https://www.oracle.com/security-alerts/cpujul2025verbose.html
