Vulnerabilities > CVE-2017-12626 - Infinite Loop vulnerability in Apache POI

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
apache
CWE-835
nessus

Summary

Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Nessus

  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_OCT_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.15.10, or 17.7.x through 17.12.x prior to 17.12.11.1, or 18.8.x prior to 18.8.13.0. It is, therefore, affected by multiple vulnerabilities: - An unspecified flaw exists in how
    last seen2020-06-01
    modified2020-06-02
    plugin id130070
    published2019-10-21
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130070
    titleOracle Primavera Unifier Multiple Vulnerabilities (Oct 2019 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130070);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/30 13:24:46");
    
      script_cve_id(
        "CVE-2017-12626",
        "CVE-2019-11358",
        "CVE-2019-12086",
        "CVE-2019-14379",
        "CVE-2019-14439"
      );
      script_bugtraq_id(102879, 108023, 109227);
      script_xref(name:"IAVA", value:"2019-A-0380");
    
      script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (Oct 2019 CPU)");
      script_summary(english:"Checks the version of Oracle Primavera Unifier.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web
    server is 16.1.x or 16.2.x prior to 16.2.15.10, or 17.7.x through 17.12.x prior to 17.12.11.1, or 18.8.x prior to
    18.8.13.0. It is, therefore, affected by multiple vulnerabilities:
    
        - An unspecified flaw exists in how 'default typing' is handled when 'ehcache' is used in the
          jackson-databind component of Primavera Unifier. An unauthenticated, remote attacker can exploit this
          via the network over HTTP to cause remote code execution. (CVE-2019-14379)
    
        - An information disclosure vulnerability exists in the jackson-databind component of Primavera Unifier.
          An unauthenticated, remote attacker can exploit this via an externally exposed JSON endpoint if the
          service has the mysql-connector-java jar in the classpath, and the attacker can host a crafted MySQL
          server accessible by the victim. An attacker can send a crafted JSON message to read arbitrary local
          files on the server. (CVE-2019-12086)
    
        - An information disclosure vulnerability exists in the jackson-databind component of Primavera Unifier.
          An unauthenticated, remote attacker can exploit this via an externally exposed JSON endpoint if the
          service has the logback jar in the classpath, which can allow information disclosure. (CVE-2019-14439)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle Primavera Unifier version 16.2.15.10 / 17.12.11.1 / 18.8.13.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14379");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_primavera_unifier.nbin");
      script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic");
      script_require_ports("Services/www", 8002);
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    get_install_count(app_name:'Oracle Primavera Unifier', exit_if_zero:TRUE);
    
    port = get_http_port(default:8002);
    get_kb_item_or_exit('www/weblogic/' + port + '/installed');
    
    app_info = vcf::get_app_info(app:'Oracle Primavera Unifier', port:port);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { 'min_version' : '16.1.0.0', 'fixed_version' : '16.2.15.10' },
      { 'min_version' : '17.7.0.0', 'fixed_version' : '17.12.11.1' },
      { 'min_version' : '18.8.0.0', 'fixed_version' : '18.8.13.0' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE); 
    
  • NASL familyMisc.
    NASL idORACLE_OATS_CPU_JAN_2020.NASL
    descriptionThe version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)). Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite. (CVE-2016-4000) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Jython). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Apache POI). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang or frequently repeatable crash (complete DOS). (CVE-2017-12626) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Apache POI). An unauthenticated, remote attacker with network access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang or frequently repeatable crash (complete DOS). (CVE-2017-12626) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (AntiSamy). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2017-14735) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (Antisamy). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2017-14735) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Application Development Framework). An unauthenticated, remote attacker with network access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder (jQuery). An unauthenticated, remote attacker with network access via HTTP who is able to obtain human interaction can impact additional products and result in an unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data. (CVE-2019-11358) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Load Testing for Web Apps (Apache POI). An authenticated, low priviledged remote attacker with network access to the infrastructure can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415) - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager subcomponent Oracle Flow Builder. An unauthenticated remote attacker with network access via HTTP can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)
    last seen2020-05-08
    modified2020-01-27
    plugin id133260
    published2020-01-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133260
    titleOracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)
  • NASL familyWindows
    NASL idAPACHE_POI_3_17.NASL
    descriptionThe version of Apache POI installed on the remote Windows host is a version prior to 3.17. It is, therefore, affected by multiple DoS vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id106717
    published2018-02-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106717
    titleApache POI < 3.17 Multiple DoS Vulnerabilities
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_GATEWAY_CPU_OCT_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.17, 16.x prior to 16.2.10, 17.x prior to 17.12.5, or 18.x prior to 18.8.7. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in the FasterXML jackson-databind component, which is version 2.x prior to 2.9.9. This vulnerability is due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. An unauthenticated, remote attacker can exploit this by hosting a crafted MySQL server reachable by the victim and sending a crated JSON message that allows them to read arbitrary files and disclose sensitive information. (CVE-2019-12086) - Denial of service (DoS) vulnerabilities exist in the Apache POI component, which is prior to 3.1.7, due to a flaw when parsing crafted WMF, EMF, MSG, macros, DOC, PPT, and XLS. An unauthenticated, remote attacker can exploit this issue, via sending crafted input, to cause the application to stop responding. (CVE-2017-12626) - A remote code execution vulnerability exists in the FasterXML jackson-databind component, which is prior to 2.9.0.2, due to a flaw in how default typing is handled when ehcache is used because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2019-14379) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id130019
    published2019-10-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130019
    titleOracle Primavera Gateway Multiple Vulnerabilities (Oct 2019 CPU)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_P6_EPPM_CPU_OCT_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 15.x prior to 15.2.18.7, 16.x prior to 16.2.19.1, 17.x prior to 17.12.15.0, or 18.8.x prior to 18.8.14.0. It is, therefore, affected by multiple vulnerabilities: - A authorization vulnerability exists in Primavera P6 Enterprise Project Portfolio Management. An unautheticated remote attacker can exploit this via HTTP to access controlled information on the network and EPPM. (CVE-2019-3020) - A authorization vulnerability exists in Primavera P6 Enterprise Project Portfolio Management. An authenticated remote attacker with low privilages can exploit this via HTTP to access controlled information on the network and EPPM. (CVE-2019-2976) - Denial of service (DDoS) vulnerability exists in Primavera P6 Enterprise Project Portfolio Management due to Out of Memory Exceptions while prasing documents. (CVE-2017-12626) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id130059
    published2019-10-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130059
    titleOracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Oct 2019 CPU)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-4F2C2615B3.NASL
    descriptionUpdate to latest upstream release and security fix for CVE-2017-12626 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120414
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120414
    titleFedora 28 : apache-poi (2018-4f2c2615b3)

Redhat

advisories
rhsa
idRHSA-2018:1322

References