Vulnerabilities > CVE-2018-11039

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
vmware
oracle
debian
nessus

Summary

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Configurations

Part Description Count
Application
Vmware
1
Application
Oracle
136
OS
Debian
1

Nessus

  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_APR_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756) - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)
    last seen2020-06-01
    modified2020-06-02
    plugin id124157
    published2019-04-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124157
    titleOracle Enterprise Manager Cloud Control (Apr 2019 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124157);
      script_version("1.3");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2018-0734",
        "CVE-2018-0735",
        "CVE-2018-11039",
        "CVE-2018-11040",
        "CVE-2018-12539",
        "CVE-2018-1257",
        "CVE-2018-1258",
        "CVE-2018-15756",
        "CVE-2018-1656",
        "CVE-2018-5407"
      );
      script_bugtraq_id(
        104222,
        104260,
        105118,
        105126,
        105703,
        105750,
        105758,
        105897
      );
      script_xref(name:"IAVA", value:"2019-A-0130");
    
      script_name(english:"Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)");
      script_summary(english:"Checks for the patch ID.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An enterprise management application installed on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Enterprise Manager Cloud Control installed on
    the remote host is affected by multiple vulnerabilities in
    Enterprise Manager Base Platform component:
    
      - Networking component of Enterprise Manager Base Platform (Spring Framework)
      is easily exploited and may allow an unauthenticated, remote attacker to takeover
      the Enterprise Manager Base Platform.
      (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756)
    
      - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker
      unauthorized access to critical data or complete access to all Enterprise Manager
      Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539)
    
      - An information disclosure vulnerability exists in OpenSSL due to the potential
      for a side-channel timing attack. An unauthenticated attacker can exploit
      this to disclose potentially sensitive information. 
      (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)
    ");
      # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d");
      # https://support.oracle.com/rs?type=doc&id=2498664.1
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ba7181fa");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the April 2019
    Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1258");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_enterprise_manager_installed.nbin");
      script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");
    
      exit(0);
    }
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('oracle_rdbms_cpu_func.inc');
    include('install_func.inc');
    
    product = 'Oracle Enterprise Manager Cloud Control';
    install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
    version = install['version'];
    emchome = install['path'];
    
    patchid = NULL;
    missing = NULL;
    patched = FALSE;
    fix = NULL;
    
    if (version =~ '^13\\.3\\.0\\.0(\\.[0-9]+)?$')
    {
      patchid = '29433931';
      fix = '13.3.0.0.190416';
    }
    else if (version =~ '^13\\.2\\.0\\.0(\\.[0-9]+)?$')
    {
      patchid = '29433916';
      fix = '13.2.0.0.190416';
    }
    else if (version =~ '^12\\.1\\.0\\.5(\\.[0-9]+)?$')
    {
      patchid = '29433895';
      fix = '12.1.0.5.190416';
    }
    
    if (isnull(patchid))
      audit(AUDIT_HOST_NOT, 'affected');
    
    # compare version to check if we've already adjusted for patch level during detection
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);
    
    # Now look for the affected components
    patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
    if (isnull(patchesinstalled))
      missing = patchid;
    else
    {
      foreach applied (keys(patchesinstalled[emchome]))
      {
        if (applied == patchid)
        {
          patched = TRUE;
          break;
        }
        else
        {
          foreach bugid (patchesinstalled[emchome][applied]['bugs'])
          {
            if (bugid == patchid)
            {
              patched = TRUE;
              break;
            }
          }
          if (patched) break;
        }
      }
      if (!patched)
        missing = patchid;
    }
    
    if (empty_or_null(missing))
      audit(AUDIT_HOST_NOT, 'affected');
    
    order = make_list('Product', 'Version', 'Missing patch');
    report = make_array(
      order[0], product,
      order[1], version,
      order[2], patchid
    );
    report = report_items_str(report_items:report, ordered_fields:order);
    
    security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
    
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258)
    last seen2020-06-01
    modified2020-06-02
    plugin id125147
    published2019-05-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125147
    titleOracle Enterprise Manager Ops Center (Apr 2019 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125147);
      script_version("1.2");
      script_cvs_date("Date: 2019/05/17  9:44:17");
    
      script_cve_id(
        "CVE-2016-1000031",
        "CVE-2018-0161",
        "CVE-2018-0734",
        "CVE-2018-0735",
        "CVE-2018-5407",
        "CVE-2018-11763",
        "CVE-2017-9798",
        "CVE-2018-1258",
        "CVE-2018-11039",
        "CVE-2018-11040",
        "CVE-2018-1257",
        "CVE-2018-15756"
      );
    
      script_bugtraq_id(
        93604,
        100872,
        103573,
        104222,
        104260,
        105414,
        105703,
        105750,
        105758,
        105897,
        107984,
        107986
      );
      script_xref(name:"IAVA", value:"2019-A-0130");
    
      script_name(english:"Oracle Enterprise Manager Ops Center (Apr 2019 CPU)");
      script_summary(english:"Checks for the patch ID.");
      script_set_attribute(attribute:"synopsis", value:
    "An enterprise management application installed on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Enterprise Manager Cloud Control installed on
    the remote host is affected by multiple vulnerabilities in
    Enterprise Manager Base Platform component:
    
      - A deserialization vulnerability in Apache Commons
        FileUpload allows for remote code execution.
        (CVE-2016-1000031)
    
      - An information disclosure vulnerability exists in OpenSSL
        due to the potential for a side-channel timing attack.
        An unauthenticated attacker can exploit this to disclose
        potentially sensitive information. (CVE-2018-0734)
    
      - A denial of service (DoS) vulnerability exists in Apache
        HTTP Server 2.4.17 to 2.4.34, due to a design error. An
        unauthenticated, remote attacker can exploit this issue
        by sending continuous, large SETTINGS frames to cause a
        client to occupy a connection, server thread and CPU
        time without any connection timeout coming to effect.
        This affects only HTTP/2 connections. A possible
        mitigation is to not enable the h2 protocol.
        (CVE-2018-11763).
    
      - Networking component of Enterprise Manager Base Platform
        (Spring Framework) is easily exploited and may allow an
        unauthenticated, remote attacker to takeover the
        Enterprise Manager Base Platform. (CVE-2018-1258)
    
    ");
      # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the April 2019
    Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin");
      script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center");
    
      exit(0);
    }
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('install_func.inc');
    
    get_kb_item_or_exit('Host/local_checks_enabled');
    app_name = 'Oracle Enterprise Manager Ops Center';
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    version = install['version'];
    version_full = install['Full Patch Version'];
    path = install['path'];
    patch_version = install['Patch Version'];
    
    
    patchid = NULL;
    fix = NULL;
    
    if (version_full =~ "^12\.3\.3\.")
    {
      patchid = '29623885';
      fix = '1819';
    } 
    
    if (isnull(patchid))
      audit(AUDIT_HOST_NOT, 'affected');
    
    if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path);
    
    report = 
      '\n Path                : ' + path + 
      '\n Version             : ' + version + 
      '\n Ops Agent Version   : ' + version_full + 
      '\n Current Patch       : ' + patch_version + 
      '\n Fixed Patch Version : ' + fix +
      '\n Fix                 : ' + patchid;
    
    security_report_v4(extra:report, severity:SECURITY_HOLE, port:0);
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_P6_EPPM_CPU_OCT_2018.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.4 prior to 8.4.15.7, 15.x prior to 15.2.18.2, 16.x prior to 16.2.16.1, 17.x prior to 17.12.9.0, or 18.x prior to 18.8.2.1. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-04-30
    modified2018-10-18
    plugin id118202
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118202
    titleOracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (October 2018 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118202);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id("CVE-2018-3241", "CVE-2018-3281", "CVE-2018-11039");
      script_bugtraq_id(105621);
    
      script_name(english:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (October 2018 CPU)");
      script_summary(english:"Checks the version of Oracle Primavera P6 EPPM.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Oracle Primavera
    P6 Enterprise Project Portfolio Management (EPPM) installation running
    on the remote web server is 8.4 prior to 8.4.15.7, 15.x prior to
    15.2.18.2, 16.x prior to 16.2.16.1, 17.x prior to 17.12.9.0, or 18.x
    prior to 18.8.2.1. It is, therefore, affected by multiple
    vulnerabilities. 
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixPVA
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d864b63");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle Primavera P6 Enterprise Project Portfolio Management
    (EPPM) version 8.4.15.7 / 15.2.18.2 / 16.2.16.1 / 17.12.9.0 / 18.8.2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3241");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/18");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_p6_eppm");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_primavera_p6_eppm.nbin");
      script_require_keys("installed_sw/Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", "www/weblogic");
      script_require_ports("Services/www", 8004);
    
      exit(0);
    }
    
    include("http.inc");
    include("vcf.inc");
    
    get_install_count(app_name:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", exit_if_zero:TRUE);
    
    port = get_http_port(default:8004);
    get_kb_item_or_exit("www/weblogic/" + port + "/installed");
    
    app_info = vcf::get_app_info(app:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", port:port);
    
    constraints = [
      { "min_version" : "8.4.0.0", "fixed_version" : "8.4.15.7" },
      { "min_version" : "15.0.0.0", "fixed_version" : "15.2.18.2" },
      { "min_version" : "16.0.0.0", "fixed_version" : "16.2.16.1" },
      { "min_version" : "17.0.0.0", "fixed_version" : "17.12.9.0" },
      { "min_version" : "18.0.0.0", "fixed_version" : "18.8.2.1" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);