CVE-2016-5019 - Deserialization of Untrusted Data vulnerability in Apache MyFaces Trinidad

- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
Nessus
NASL family: CGI abuses
NASL id: ORACLE_PRIMAVERA_P6_EPPM_CPU_JUL_2017.NASL
Description: According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to 8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is, therefore, affected by the following vulnerabilities:
- A flaw exists in the Web Access component, specifically in Apache MyFaces Trinidad in CoreResponseStateManager, due to using ObjectInputStream and ObjectOutputStream strings directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a crafted serialized view state string, to execute arbitrary code. (CVE-2016-5019)
- Multiple unspecified flaws exist in the Web Access component that allow an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10038, CVE-2017-10160)
- An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10046)
- An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2017-10131)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 101900
Published: 2017-07-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/101900
Title: Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)
Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101900);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2016-5019",
    "CVE-2017-10038",
    "CVE-2017-10046",
    "CVE-2017-10131",
    "CVE-2017-10160"
  );
  script_bugtraq_id(
    93236,
    99751,
    99757,
    99770,
    99793
  );

  script_name(english:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)");
  script_summary(english:"Checks the version of Oracle Primavera P6 EPPM.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle Primavera
P6 Enterprise Project Portfolio Management (EPPM) installation running
on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to
8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is,
therefore, affected by the following vulnerabilities :

  - A flaw exists in the Web Access component, specifically in
    Apache MyFaces Trinidad in CoreResponseStateManager, due
    to using ObjectInputStream and ObjectOutputStream strings
    directly without securely deserializing Java input. An
    unauthenticated, remote attacker can exploit this, via a
    crafted serialized view state string, to execute arbitrary
    code. (CVE-2016-5019)

  - Multiple unspecified flaws exist in the Web Access
    component that allow an authenticated, remote attacker to
    disclose sensitive information. (CVE-2017-10038,
    CVE-2017-10160)

  - An unspecified flaw exists in the Web Access component
    that allows an authenticated, remote attacker to impact
    confidentiality and integrity. (CVE-2017-10046)

  - An unspecified flaw exists in the Web Access component
    that allows an authenticated, remote attacker to impact
    confidentiality, integrity, and availability.
    (CVE-2017-10131)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76f5def7");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle Primavera P6 Enterprise Project Portfolio
Management (EPPM) version 8.3.15.4 / 8.4.15.2 / 15.2.15.1 / 16.2.9.0
or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_p6_eppm");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_primavera_p6_eppm.nbin");
  script_require_keys("installed_sw/Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", "www/weblogic");
  script_require_ports("Services/www", 8004);

  exit(0);
}

include("http.inc");
include("vcf.inc");

get_install_count(app_name:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", exit_if_zero:TRUE);

port = get_http_port(default:8004);
get_kb_item_or_exit("www/weblogic/" + port + "/installed");

app_info = vcf::get_app_info(app:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", port:port);

vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { "min_version" : "8.3.0.0",  "max_version" : "8.3.15.4",  "fixed_version" : "8.3.15.4" },
  { "min_version" : "8.4.0.0",  "max_version" : "8.4.15.2",  "fixed_version" : "8.4.15.2" },
  { "min_version" : "15.0.0.0", "max_version" : "15.2.15.1", "fixed_version" : "15.2.15.1" },
  { "min_version" : "16.0.0.0", "max_version" : "16.2.9.0",  "fixed_version" : "16.2.9.0" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
NASL family: Misc.
NASL id: ORACLE_JDEVELOPER_CPU_JULY_2016.NASL
Description: The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities:
- A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504)
- A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 93592
Published: 2016-09-19
Reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/93592
Title: Oracle JDeveloper Multiple RCE (July 2016 CPU)
Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93592);
  script_version("1.12");
  script_cvs_date("Date: 2019/02/07 10:19:52");

  script_cve_id("CVE-2016-3504", "CVE-2016-5019");
  script_bugtraq_id(92023, 93236);

  script_name(english:"Oracle JDeveloper Multiple RCE (July 2016 CPU)");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"A software development application installed on the remote host is
affected by multiple remote code execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle JDeveloper installed on the remote host is
missing a security patch. It is, therefore, affected by multiple
remote code execution vulnerabilities :

  - A remote code execution vulnerability exists in the
    Application Development Framework (ADF) Faces subcomponent
    that allows an unauthenticated, remote attacker to execute
    arbitrary code. (CVE-2016-3504)

  - A remote code execution vulnerability exists in the Apache
    MyFaces Trinidad component in the CoreResponseStateManager
    subcomponent due to improper validation of the
    ObjectInputStream and ObjectOutputStream strings prior to
    deserialization. An unauthenticated, remote attacker can
    exploit this to execute arbitrary code. (CVE-2016-5019)");
  # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2016 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5019");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdeveloper");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_jdeveloper_installed.nbin");
  script_require_keys("installed_sw/Oracle JDeveloper");

  exit(0);
}

include("global_settings.inc");
include("oracle_rdbms_cpu_func.inc");
include("misc_func.inc");
include("install_func.inc");

app_name = "Oracle JDeveloper";

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
version = install['version'];
path = install['path'];

patch_info = find_patches_in_ohomes(ohomes:make_list(path, path + "\jdeveloper"));

patches = make_list();
# this is the resulting list of ohomes
foreach ohome (keys(patch_info))
{
  # these are the patches enumerated from each ohome
  foreach info (keys(patch_info[ohome]))
  {
    # build a list of all patches in all ohomes to test against
    patches = make_list(patches, info);
  }
}

fixes = NULL;

# If any are present, the host should be considered patched.
if (version =~ "^11\.1\.1\.7($|\.[01]$)")
  fixes = make_list('23622763', '25252636', '25264940', '27251436');
else if (version =~ "^11\.1\.1\.9($|\.0$)")
  fixes = make_list('23622640', '25245227', '27120730');
else if (version =~ "^11\.1\.2\.4($|\.0$)")
  fixes = make_list('23754328', '25372028', '24730407', '27213077');
else if (version =~ "^12\.1\.3\.0($|\.0$)")
  fixes = make_list('23754311', '25324374', '25635721', '26826138', '27131743', '27800100');
else if (version =~ "^12\.2\.1\.0($|\.0$)")
  fixes = make_list('23622699', '25335432', '25637372');
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);

vuln = TRUE;
foreach patch (patches)
{
  foreach fix (fixes)
  {
    if (patch == fix)
    {
      vuln = FALSE;
      break;
    }
  }
  if (!vuln) break;
}

if (vuln)
{
  items = make_array("Path", path,
                     "Version", version,
                     "Required patch", join(fixes, sep:", ")
                    );
  order = make_list("Path", "Version", "Required patch");
  report = report_items_str(report_items:items, ordered_fields:order);
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
```
NASL family: Misc.
NASL id: ORACLE_ENTERPRISE_MANAGER_JAN_2017_CPU.NASL
Description: The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component:
- A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940)
- A flaw exists in Apache MyFaces Trinidad, specifically in the CoreResponseStateManager component, due to the ObjectInputStream and ObjectOutputStream strings being used directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a deserialization attack using a crafted serialized view state string, to have an unspecified impact that may include the execution of arbitrary code. (CVE-2016-5019)
Note that the product was formerly known as Enterprise Manager Grid Control.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 96777
Published: 2017-01-25
Reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/96777
Title: Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)
Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96777);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2015-7940", "CVE-2016-5019");
  script_bugtraq_id(79091, 93236);

  script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)");
  script_summary(english:"Checks for the patch ID.");

  script_set_attribute(attribute:"synopsis", value:
"An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by multiple vulnerabilities in the
Enterprise Manager Base Platform component :

  - A flaw exists in the Bouncy Castle Java library due to
    improper validation of a point within the elliptic curve.
    An unauthenticated, remote attacker can exploit this to
    obtain private keys by using a series of specially crafted
    elliptic curve Diffie-Hellman (ECDH) key exchanges, also
    known as an 'invalid curve attack.' (CVE-2015-7940)

  - A flaw exists in Apache MyFaces Trinidad, specifically in
    the CoreResponseStateManager component, due to the
    ObjectInputStream and ObjectOutputStream strings being
    used directly without securely deserializing Java input.
    An unauthenticated, remote attacker can exploit this, via
    a deserialization attack using a crafted serialized view
    state string, to have an unspecified impact that may
    include the execution of arbitrary code. (CVE-2016-5019)

Note that the product was formerly known as Enterprise Manager Grid
Control.");
  # https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixEM
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7143085e");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2017 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("oracle_enterprise_manager_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("oracle_rdbms_cpu_func.inc");
include("install_func.inc");

product = "Oracle Enterprise Manager Cloud Control";

install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
version = install['version'];
emchome = install['path'];

patchid = NULL;
missing = NULL;
patched = FALSE;

if (version =~ "^13\.1\.0\.0(\.[0-9]+)?$")
{
  patchid = "24897689";
  fix = "13.1.0.0.170117";
}
else if (version =~ "^12\.1\.0\.5(\.[0-9]+)?$")
{
  patchid = "24897692";
  fix = "12.1.0.5.170117";
}

if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected');

# compare version to check if we've already adjusted for patch level during detection
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);

# Now look for the affected components
patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
if (isnull(patchesinstalled))
  missing = patchid;
else
{
  foreach applied (keys(patchesinstalled[emchome]))
  {
    if (applied == patchid)
    {
      patched = TRUE;
      break;
    }
    else
    {
      foreach bugid (patchesinstalled[emchome][applied]['bugs'])
      {
        if (bugid == patchid)
        {
          patched = TRUE;
          break;
        }
      }
      if (patched) break;
    }
  }
  if (!patched) missing = patchid;
}

if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected');

order = make_list('Product', 'Version', "Missing patch");
report = make_array(
  order[0], product,
  order[1], version,
  order[2], patchid
);
report = report_items_str(report_items:report, ordered_fields:order);
security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
```
References
- http://mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/%3CCAM1yOjYM%2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE5%3DEQzR8Yxsfw%40mail.gmail.com%3E
- https://issues.apache.org/jira/browse/TRINIDAD-2542
- http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html
- http://www.securityfocus.com/bid/93236
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securitytracker.com/id/1037633
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html