Vulnerabilities > CVE-2018-15756
Summary
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Vulnerable Configurations
Nessus
NASL family Misc. NASL id ORACLE_WEBLOGIC_SERVER_CPU_JUL_2019.NASL description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729) - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the Tape Virtual Storage Manager GUI. (CVE-2019-2725) - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827) - An unspecified vulnerability in the jQuery Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. Successful attacks require human interaction from actions from another Weblogic user. (CVE-2016-71030) - An unspecified vulnerability in the Application Container - JavaEE Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in takeover of Oracle WebLogic Server. (CVE-2019-2856) - An unspecified vulnerability in the Sample apps (Spring Framework) Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756) last seen 2020-06-01 modified 2020-06-02 plugin id 126915 published 2019-07-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126915 title Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(126915); script_version("1.10"); script_cvs_date("Date: 2019/11/20"); script_cve_id( "CVE-2016-7103", "CVE-2018-15756", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2824", "CVE-2019-2827", "CVE-2019-2856" ); script_bugtraq_id(107944); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU)"); script_summary(english:"Checks the version of Oracle WebLogic to ensure the July 2019 CPU is applied."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729) - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the Tape Virtual Storage Manager GUI. (CVE-2019-2725) - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827) - An unspecified vulnerability in the jQuery Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. Successful attacks require human interaction from actions from another Weblogic user. (CVE-2016-71030) - An unspecified vulnerability in the Application Container - JavaEE Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in takeover of Oracle WebLogic Server. (CVE-2019-2856) - An unspecified vulnerability in the Sample apps (Spring Framework) Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756)"); # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa2b901"); # https://www.oracle.com/technetwork/security-advisory/cpujul2019verbose-5072838.html#FMW script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09b101ce"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2019 Oracle Critical Patch Update advisory. Refer to Oracle for any additional patch instructions or mitigation options."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2729"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('install_func.inc'); include('obj.inc'); include('spad_log_func.inc'); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; spad_log(message:"checking version [" + version + "]"); # individual security patches if (version =~ "^12\.2\.1\.3($|[^0-9])") { fix_ver = "12.2.1.3.190522"; fix = make_list("29814665"); } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.190716"; fix = make_list("29633448"); } else if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.190716"; fix = make_list("MXLE"); # patchid is obtained from the readme and 10.3.6.x assets are different } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); spad_log(message:"checking fix [" + obj_rep(fix) + "]"); PATCHED=FALSE; # Iterate over the list of patches and check the install for the patchID foreach id (fix) { spad_log(message:"Checking fix id: [" + id +"]"); if (install[id]) { PATCHED=TRUE; break; } } VULN=FALSE; if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) VULN=TRUE; if (PATCHED || !VULN) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); os = get_kb_item_or_exit("Host/OS"); if ('windows' >< tolower(os)) { port = get_kb_item("SMB/transport"); if (!port) port = 445; } else port = 0; report = '\n Oracle Home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Fixes : ' + join(sep:", ", fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
NASL family Misc. NASL id ORACLE_ENTERPRISE_MANAGER_APR_2019_CPU.NASL description The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756) - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407) last seen 2020-06-01 modified 2020-06-02 plugin id 124157 published 2019-04-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124157 title Oracle Enterprise Manager Cloud Control (Apr 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124157); script_version("1.3"); script_cvs_date("Date: 2019/04/30 14:30:16"); script_cve_id( "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-12539", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-15756", "CVE-2018-1656", "CVE-2018-5407" ); script_bugtraq_id( 104222, 104260, 105118, 105126, 105703, 105750, 105758, 105897 ); script_xref(name:"IAVA", value:"2019-A-0130"); script_name(english:"Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)"); script_summary(english:"Checks for the patch ID."); script_set_attribute(attribute:"synopsis", value: "An enterprise management application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756) - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407) "); # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d"); # https://support.oracle.com/rs?type=doc&id=2498664.1 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ba7181fa"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1258"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_enterprise_manager_installed.nbin"); script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control"); exit(0); } include('global_settings.inc'); include('misc_func.inc'); include('oracle_rdbms_cpu_func.inc'); include('install_func.inc'); product = 'Oracle Enterprise Manager Cloud Control'; install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE); version = install['version']; emchome = install['path']; patchid = NULL; missing = NULL; patched = FALSE; fix = NULL; if (version =~ '^13\\.3\\.0\\.0(\\.[0-9]+)?$') { patchid = '29433931'; fix = '13.3.0.0.190416'; } else if (version =~ '^13\\.2\\.0\\.0(\\.[0-9]+)?$') { patchid = '29433916'; fix = '13.2.0.0.190416'; } else if (version =~ '^12\\.1\\.0\\.5(\\.[0-9]+)?$') { patchid = '29433895'; fix = '12.1.0.5.190416'; } if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected'); # compare version to check if we've already adjusted for patch level during detection if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome); # Now look for the affected components patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome)); if (isnull(patchesinstalled)) missing = patchid; else { foreach applied (keys(patchesinstalled[emchome])) { if (applied == patchid) { patched = TRUE; break; } else { foreach bugid (patchesinstalled[emchome][applied]['bugs']) { if (bugid == patchid) { patched = TRUE; break; } } if (patched) break; } } if (!patched) missing = patchid; } if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected'); order = make_list('Product', 'Version', 'Missing patch'); report = make_array( order[0], product, order[1], version, order[2], patchid ); report = report_items_str(report_items:report, ordered_fields:order); security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
NASL family Misc. NASL id ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_OCT_2019.NASL description According to its self-reported version number, the Oracle GoldenGate for Big Data application located on the remote host is 12.3.1.1.x less than 12.3.1.1.6 or 12.3.2.1.x less than 12.3.2.1.5. It is, therefore, affected by a denial of service (DoS) vulnerability. This vulnerability is due to its use of Spring Framework, which provides support for range requests when serving static resources through the ResourceHttpRequestHandler or when an annotated controller returns an org.springframework.core.io.Resource. An unauthenticated, remote attacker can exploit this issue by adding a range header with a high number of ranges, or with wide ranges that overlap, or both to cause the application to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 129973 published 2019-10-16 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129973 title Oracle GoldenGate for Big Data 12.3.1.1.x < 12.3.1.1.6 / 12.3.2.1.x < 12.3.2.1.5 Spring Framework DoS (Oct 2019 CPU) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(129973); script_version("1.2"); script_cvs_date("Date: 2019/10/17 14:31:04"); script_cve_id("CVE-2018-15756"); script_bugtraq_id(105703); script_name(english:"Oracle GoldenGate for Big Data 12.3.1.1.x < 12.3.1.1.6 / 12.3.2.1.x < 12.3.2.1.5 Spring Framework DoS (Oct 2019 CPU)"); script_set_attribute(attribute:"synopsis", value: "The Oracle GoldenGate for Big Data application on the remote host is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle GoldenGate for Big Data application located on the remote host is 12.3.1.1.x less than 12.3.1.1.6 or 12.3.2.1.x less than 12.3.2.1.5. It is, therefore, affected by a denial of service (DoS) vulnerability. This vulnerability is due to its use of Spring Framework, which provides support for range requests when serving static resources through the ResourceHttpRequestHandler or when an annotated controller returns an org.springframework.core.io.Resource. An unauthenticated, remote attacker can exploit this issue by adding a range header with a high number of ranges, or with wide ranges that overlap, or both to cause the application to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patches according to the October 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15756"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/18"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/16"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:goldengate_application_adapters:"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_goldengate_for_big_data_installed.nbin"); script_require_keys("Settings/ParanoidReport", "installed_sw/Oracle GoldenGate for Big Data"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('vcf.inc'); // Paranoid because the detection is looking for the presence of JAR files. It's possible that the customer has JAR // files from outdated versions on their system, but is not currently using them. if (report_paranoia < 2) audit(AUDIT_PARANOID); app_name = 'Oracle GoldenGate for Big Data'; app_info = vcf::get_app_info(app:app_name); constraints = [ { 'min_version':'12.3.1.1', 'fixed_version':'12.3.1.1.6' }, { 'min_version':'12.3.2.1', 'fixed_version':'12.3.2.1.5' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family Misc. NASL id ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL description The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258) last seen 2020-06-01 modified 2020-06-02 plugin id 125147 published 2019-05-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125147 title Oracle Enterprise Manager Ops Center (Apr 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125147); script_version("1.2"); script_cvs_date("Date: 2019/05/17 9:44:17"); script_cve_id( "CVE-2016-1000031", "CVE-2018-0161", "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-5407", "CVE-2018-11763", "CVE-2017-9798", "CVE-2018-1258", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-1257", "CVE-2018-15756" ); script_bugtraq_id( 93604, 100872, 103573, 104222, 104260, 105414, 105703, 105750, 105758, 105897, 107984, 107986 ); script_xref(name:"IAVA", value:"2019-A-0130"); script_name(english:"Oracle Enterprise Manager Ops Center (Apr 2019 CPU)"); script_summary(english:"Checks for the patch ID."); script_set_attribute(attribute:"synopsis", value: "An enterprise management application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258) "); # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"agent", value:"unix"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin"); script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center"); exit(0); } include('global_settings.inc'); include('misc_func.inc'); include('install_func.inc'); get_kb_item_or_exit('Host/local_checks_enabled'); app_name = 'Oracle Enterprise Manager Ops Center'; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; version_full = install['Full Patch Version']; path = install['path']; patch_version = install['Patch Version']; patchid = NULL; fix = NULL; if (version_full =~ "^12\.3\.3\.") { patchid = '29623885'; fix = '1819'; } if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected'); if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path); report = '\n Path : ' + path + '\n Version : ' + version + '\n Ops Agent Version : ' + version_full + '\n Current Patch : ' + patch_version + '\n Fixed Patch Version : ' + fix + '\n Fix : ' + patchid; security_report_v4(extra:report, severity:SECURITY_HOLE, port:0);
NASL family Windows NASL id ORACLE_WEBCENTER_SITES_JUL_2019_CPU.NASL description Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities : - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host. (CVE-2016-6814) - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop functioning properly. (CVE-2018-8013) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application last seen 2020-05-03 modified 2020-04-29 plugin id 136091 published 2020-04-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136091 title Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136091); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/27"); script_cve_id( "CVE-2016-6814", "CVE-2016-1000031", "CVE-2018-8013", "CVE-2018-15756" ); script_xref(name:"IAVA", value:"2019-A-0256"); script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote host is affected by multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities : - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host. (CVE-2016-6814) - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop functioning properly. (CVE-2018-8013) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2019.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_webcenter_sites_installed.nbin"); script_require_keys("SMB/WebCenter_Sites/Installed"); exit(0); } get_kb_item_or_exit('SMB/WebCenter_Sites/Installed'); port = get_kb_item('SMB/transport'); if (isnull(port)) port = 445; versions = get_kb_list('SMB/WebCenter_Sites/*/Version'); if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.'); report = ''; # vulnerable versions: # - 12.2.1.3.0 - Revision 185862, Patch 29957990 # Note that the revision does not match up with the version suffix shown in the readme foreach key (keys(versions)) { fix = ''; version = versions[key]; revision = get_kb_item(key - '/Version' + '/Revision'); path = get_kb_item(key - '/Version' + '/Path'); if (isnull(version) || isnull(revision)) continue; # Patch 29957990 - 12.2.1.3.0 < Revision 185862 if (version =~ "^12\.2\.1\.3\.0$" && revision < 185862) { fix = '\n Fixed revision : 185862' + '\n Required patch : 29957990'; } if (fix != '') { if (!isnull(path)) report += '\n Path : ' + path; report += '\n Version : ' + version + '\n Revision : ' + revision + fix + '\n'; } } if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");
NASL family CGI abuses NASL id ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2019.NASL description According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.16, 16.x prior to 16.2.9, 17.x prior to 17.12.4, or 18.x prior to 18.8.6. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch allows an a malicious user to add a range header with a high number of ranges, or with wide ranges that overlap, or both, to cause a denial of service. (CVE-2018-15756) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. (CVE-2018-19360) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. (CVE-2018-19361) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. (CVE-2018-19362) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 126828 published 2019-07-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126828 title Oracle Primavera Gateway Multiple Vulnerabilities (Jul 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(126828); script_version("1.2"); script_cvs_date("Date: 2019/10/18 23:14:14"); script_cve_id( "CVE-2018-15756", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362" ); script_bugtraq_id(105703, 107985); script_name(english:"Oracle Primavera Gateway Multiple Vulnerabilities (Jul 2019 CPU)"); script_summary(english:"Checks the version of Oracle Primavera Gateway."); script_set_attribute(attribute:"synopsis", value: "An application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.16, 16.x prior to 16.2.9, 17.x prior to 17.12.4, or 18.x prior to 18.8.6. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch allows an a malicious user to add a range header with a high number of ranges, or with wide ranges that overlap, or both, to cause a denial of service. (CVE-2018-15756) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. (CVE-2018-19360) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. (CVE-2018-19361) - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. (CVE-2018-19362) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixPVA script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25a1b782"); # https://support.oracle.com/rs?type=doc&id=2555549.1 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5f18b61"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle Primavera Gateway version 15.2.16 / 16.2.9 / 17.12.4 / 18.8.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-19362"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_gateway"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_gateway.nbin"); script_require_keys("installed_sw/Oracle Primavera Gateway"); script_require_ports("Services/www", 8006); exit(0); } include('http.inc'); include('vcf.inc'); get_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE); port = get_http_port(default:8006); app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { 'min_version' : '15.0.0', 'fixed_version' : '15.2.16' }, { 'min_version' : '16.0.0', 'fixed_version' : '16.2.9' }, { 'min_version' : '17.0.0', 'fixed_version' : '17.12.4' }, { 'min_version' : '18.0.0', 'fixed_version' : '18.8.6' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family Misc. NASL id ORACLE_IDENTITY_MANAGEMENT_CPU_APR_2020.NASL description The remote host is missing the April 2020 Critical Patch Update for Oracle Identity Manager Connector. It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: General (Apache ActiveMQ)). The supported version that is affected is 9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Identity Manager Connector. (CVE-2019-0222) - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: LDAP Gateway (Spring Framework)). The supported version that is affected is 9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Identity Manager Connector. (CVE-2018-15756) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-05-06 modified 2020-05-01 plugin id 136284 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136284 title Oracle Identity Manager Connector Multiple Vulnerabilities (April 2020 CPU) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136284); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id("CVE-2018-15756", "CVE-2019-0222"); script_name(english:"Oracle Identity Manager Connector Multiple Vulnerabilities (April 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by a remote security vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is missing the April 2020 Critical Patch Update for Oracle Identity Manager Connector. It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: General (Apache ActiveMQ)). The supported version that is affected is 9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Identity Manager Connector. (CVE-2019-0222) - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: LDAP Gateway (Spring Framework)). The supported version that is affected is 9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Identity Manager Connector. (CVE-2018-15756) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0222"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(94); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:identity_manager"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_identity_management_installed.nbin"); script_require_keys("installed_sw/Oracle Identity Manager"); exit(0); } include('vcf.inc'); appname = 'Oracle Identity Manager'; app_info = vcf::get_app_info(app:appname); constraints = [ {'min_version': '9.0', 'fixed_version': '9.1'} ]; vcf::check_version_and_report(app_info: app_info, constraints: constraints, severity: SECURITY_WARNING);
References
- http://www.securityfocus.com/bid/105703
- http://www.securityfocus.com/bid/105703
- https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc%40%3Cissues.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
- https://pivotal.io/security/cve-2018-15756
- https://pivotal.io/security/cve-2018-15756
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html