Lucene search

HistoryApr 19, 2024 - 12:00 a.m.

Oracle Application Testing Suite (April 2024 CPU)

2024-04-1900:00:00

www.tenable.com

oracle application testing suite

april 2024

cpu

vulnerabilities

oracle enterprise manager

load testing for web apps

bsafe crypto-j

apache commons bcel

apache derby

cve-2022-34381

cve-2022-42920

cve-2022-46337

nessus scanner

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.019 Low

EPSS

Percentile

88.8%

JSON

The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory:

Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (BSAFE Crypto-J)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite. (CVE-2022-34381)
Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (Apache Commons BCEL)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-42920)
Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (Apache Derby)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
(CVE-2022-46337)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193571);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/22");

  script_cve_id(
    "CVE-2022-34381",
    "CVE-2022-42920",
    "CVE-2022-46337",
    "CVE-2023-1370"
  );

  script_name(english:"Oracle Application Testing Suite (April 2024 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities
as referenced in the April 2024 CPU advisory:

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load 
    Testing for Web Apps (BSAFE Crypto-J)). The supported version that is affected is 13.3.0.1. Easily exploitable 
    vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application 
    Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing 
    Suite. (CVE-2022-34381)

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing 
    for Web Apps (Apache Commons BCEL)). The supported version that is affected is 13.3.0.1. Easily exploitable 
    vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing 
    Suite. Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
    (CVE-2022-42920)

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing 
    for Web Apps (Apache Derby)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability 
    allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. 
    Successful attacks of this vulnerability can result in takeover of Oracle Application Testing Suite.
    (CVE-2022-46337)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2024csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2024.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2024 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-46337");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_testing_suite");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_application_testing_suite_installed.nbin");
  script_require_keys("installed_sw/Oracle Application Testing Suite");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_oats::get_app_info();

var patches_to_report;
var patches_to_check;
if (get_kb_item('SMB/Registry/Enumerated'))
{
  patches_to_report = make_list('36496061');
}
else
{
  patches_to_report = make_list('36496061', '34395275');
  patches_to_check = make_list('34395275');
}


var constraints = [
  { 'min_version' : '13.3.0.1', 'fixed_version' : '13.3.0.1.593' }
];

vcf::oracle_oats::check_version_and_report(
  app_info:app_info,
  severity:SECURITY_HOLE,
  constraints:constraints,
  patches_to_report:patches_to_report,
  patches_to_check:patches_to_check
);

VendorProductVersionCPE
oracleapplication_testing_suitecpe:/a:oracle:application_testing_suite

Vendor	Product	Version	CPE
oracle	application_testing_suite		cpe:/a:oracle:application_testing_suite

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34381

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42920

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46337

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1370

www.oracle.com/docs/tech/security-alerts/cpuapr2024csaf.json

www.oracle.com/security-alerts/cpuapr2024.html

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.019 Low

EPSS

Percentile

88.8%

JSON

Related for ORACLE_OATS_CPU_APR_2024.NASL