Vulnerabilities > CVE-2013-5900 - Remote Security vulnerability in Oracle Identity Manager

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
oracle
nessus

Summary

Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.0, and 11.1.2.1 allows remote attackers to affect integrity via unknown vectors related to End User Self Service.

Nessus

NASL familyMisc.
NASL idORACLE_IM_EUSS_CPU_JAN_2014.NASL
descriptionThe remote host is missing the January 2014 Critical Patch Update for Oracle Identity Manager. It is, therefore, potentially affected by multiple, unspecified vulnerabilities in the End User Self Service sub-component of Oracle Identity Manager.
last seen2020-06-01
modified2020-06-02
plugin id72259
published2014-02-03
reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/72259
titleOracle Identity Manager End User Self Service (January 2014 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72259);
  script_version("1.8");
  script_cvs_date("Date: 2018/09/20 11:29:32");

  script_cve_id("CVE-2013-5900", "CVE-2014-0391");
  script_bugtraq_id(64829, 64838);

  script_name(english:"Oracle Identity Manager End User Self Service (January 2014 CPU)");
  script_summary(english:"Checks for January 2014 CPU");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an identity management application installed that
is affected by multiple, unspecified vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is missing the January 2014 Critical Patch Update for
Oracle Identity Manager.  It is, therefore, potentially affected by
multiple, unspecified vulnerabilities in the End User Self Service
sub-component of Oracle Identity Manager.");
  # http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17c46362");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2014 Critical
Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0391");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_identity_management_installed.nbin");
  script_require_keys("Oracle/OIM/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("oracle_rdbms_cpu_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("Oracle/OIM/Installed");
installs = get_kb_list_or_exit("Oracle/OIM/*/Version");
mwinstalls = make_array();
component = "oracle.jrf.adfrt";

# For this check, we need Middleware home which should be
# oracle_common one directory up
foreach install (keys(installs))
{
  mwohome = install - 'Oracle/OIM/';
  mwohome = mwohome - '/Version';

  mwohome = ereg_replace(pattern:'^(/.*/).*$', string:mwohome, replace:"\1oracle_common");

  # Make sure the component that is being patched exists in
  # the middleware home
  # Change the version of our installs to the version of the component
  # since the patches correspond to the component version. 
  jrf_ver = find_oracle_component_in_ohome(ohome:mwohome, compid:component);
  if (!isnull(jrf_ver))
    mwinstalls[mwohome] = jrf_ver;
}

patches = make_array();
patches['11.1.2.1'] = make_list('17617673');
patches['11.1.2.0'] = make_list('17617673');
patches['11.1.1.6'] = make_list('17617669');
patches['11.1.1.7'] = make_list('17617649');
patches['11.1.1.5'] = make_list('17617673');


# Report as oracle help technologies under OIM to avoid confusion re: ohome version vs component version. 
if (max_index(keys(mwinstalls)) > 0)
  oracle_product_check_vuln(product:'Oracle Help Technologies installed under Oracle Identity Manager', installs:mwinstalls, patches:patches);
exit(0, 'No Middleware Homes were found with the oracle.jrf.adfrt component.');