Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_RDBMS_CPU_JUL_2022.NASL
HistoryJul 22, 2022 - 12:00 a.m.

Oracle Oracle Database Server (Jul 2022 CPU)

2022-07-2200:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
51

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.4%

JSON

The 12.1.0.2, 19c, 21c, All Supported Versions, and None versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.

  • Vulnerability in the Oracle Database - Enterprise Edition Sharding component of Oracle Database Server.
    For supported versions that are affected see note. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Oracle Database - Enterprise Edition Sharding executes to compromise Oracle Database - Enterprise Edition Sharding. While the vulnerability is in Oracle Database - Enterprise Edition Sharding, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Database - Enterprise Edition Sharding. (CVE-2022-21510)

  • Vulnerability in the Oracle Database - Enterprise Edition Recovery component of Oracle Database Server. For supported versions that are affected see note. Easily exploitable vulnerability allows high privileged attacker having EXECUTE ON DBMS_IR.EXECUTESQLSCRIPT privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition Recovery. Successful attacks of this vulnerability can result in takeover of Oracle Database - Enterprise Edition Recovery. Note: None of the supported versions are affected. (CVE-2022-21511)

  • Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. (CVE-2022-21565)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(163408);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/17");

  script_cve_id(
    "CVE-2020-29505",
    "CVE-2020-29506",
    "CVE-2020-29507",
    "CVE-2020-35167",
    "CVE-2020-35169",
    "CVE-2021-41184",
    "CVE-2021-45943",
    "CVE-2022-0839",
    "CVE-2022-21432",
    "CVE-2022-21510",
    "CVE-2022-21511",
    "CVE-2022-21565",
    "CVE-2022-24729",
    "CVE-2022-24891"
  );
  script_xref(name:"IAVA", value:"2022-A-0283");

  script_name(english:"Oracle Oracle Database Server (Jul 2022 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The 12.1.0.2, 19c, 21c, All Supported Versions, and None versions of Oracle Database Server installed on the remote host
are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.

  - Vulnerability in the Oracle Database - Enterprise Edition Sharding component of Oracle Database Server.
    For supported versions that are affected see note. Easily exploitable vulnerability allows low privileged
    attacker having Local Logon privilege with logon to the infrastructure where Oracle Database - Enterprise
    Edition Sharding executes to compromise Oracle Database - Enterprise Edition Sharding. While the
    vulnerability is in Oracle Database - Enterprise Edition Sharding, attacks may significantly impact
    additional products (scope change). Successful attacks of this vulnerability can result in takeover of
    Oracle Database - Enterprise Edition Sharding. (CVE-2022-21510)

  - Vulnerability in the Oracle Database - Enterprise Edition Recovery component of Oracle Database Server. For
    supported versions that are affected see note. Easily exploitable vulnerability allows high privileged
    attacker having EXECUTE ON DBMS_IR.EXECUTESQLSCRIPT privilege with network access via Oracle Net to compromise Oracle
    Database - Enterprise Edition Recovery. Successful attacks of this vulnerability can result in takeover of
    Oracle Database - Enterprise Edition Recovery. Note: None of the supported versions are affected. (CVE-2022-21511)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are
    12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure
    privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability
    can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible
    data. (CVE-2022-21565)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujul2022cvrf.xml");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2022.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-0839");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_rdbms::get_app_info();

var constraints = [
  # RDBMS:
  {'min_version': '21.0', 'fixed_version': '21.7.0.0.220719', 'missing_patch':'34160444', 'os':'unix', 'component':'db'},
  {'min_version': '21.0', 'fixed_version': '21.7.0.0.220719', 'missing_patch':'34110698', 'os':'win', 'component':'db'},

  {'min_version': '19.0', 'fixed_version': '19.14.2.0.220719', 'missing_patch':'34110559', 'os':'unix', 'component':'db'},
  {'min_version': '19.0', 'fixed_version': '19.16.0.0.220719', 'missing_patch':'34110685', 'os':'win', 'component':'db'},
  {'min_version': '19.15', 'fixed_version': '19.15.1.0.220719', 'missing_patch':'34119532', 'os':'unix', 'component':'db'},
  {'min_version': '19.16', 'fixed_version': '19.16.0.0.220719', 'missing_patch':'34133642', 'os':'unix', 'component':'db'},

  {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.220719', 'missing_patch':'34057742, 34057733', 'os':'unix', 'component':'db'},
  {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.220719', 'missing_patch':'33883271', 'os':'win', 'component':'db'},

  # OJVM:
  {'min_version': '19.0',  'fixed_version': '19.16.0.0.220719', 'missing_patch':'34086870', 'os':'unix', 'component':'ojvm'},
  {'min_version': '19.0',  'fixed_version': '19.16.0.0.220719', 'missing_patch':'34086870', 'os':'win', 'component':'ojvm'},

  {'min_version': '12.1.0.2.0',  'fixed_version': '12.1.0.2.220719', 'missing_patch':'34086863', 'os':'unix', 'component':'ojvm'},
  {'min_version': '12.1.0.2.0',  'fixed_version': '12.1.0.2.220719', 'missing_patch':'34185253', 'os':'win', 'component':'ojvm'}
];

vcf::oracle_rdbms::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
VendorProductVersionCPE
oracledatabase_servercpe:/a:oracle:database_server

References

Related

cve 14
prion 14
nvd 14
cvelist 14
cnvd 7
mageia 1
debian 4
osv 18
openvas 26
debiancve 4
fedora 13
gentoo 1
gitlab 1
nessus 30
ubuntucve 4
github 3
veracode 4
redhatcve 2
drupal 2
checkpoint_advisories 1
ibm 17
huntr 1
ubuntu 2
f5 1
redhat 1
cve
cve
CVE-2022-21510
2022-07-19 22:15:10
CVE-2020-29507
2022-07-11 20:15:08
CVE-2020-35169
2022-07-11 20:15:08
prion
prion
Buffer overflow
2022-07-19 22:15:00
Design/Logic Flaw
2022-07-19 22:15:00
Design/Logic Flaw
2022-07-11 20:15:00
nvd
nvd
CVE-2022-21510
2022-07-19 22:15:10
CVE-2020-29506
2022-07-11 20:15:08
CVE-2020-29507
2022-07-11 20:15:08
cvelist
cvelist
CVE-2022-21511
2022-07-19 21:06:45
CVE-2022-21565
2022-07-19 21:08:08
CVE-2022-21510
2022-07-19 21:06:43
cnvd
cnvd
Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Input Validation Error Vulnerability (CNVD-2022-84612)
2022-07-13 00:00:00
Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite Input Validation Error Vulnerability (CNVD-2022-84619)
2022-07-13 00:00:00
Unspecified vulnerability in Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite (CNVD-2022-84613)
2022-07-13 00:00:00
mageia
mageia
Updated gdal packages fix security vulnerability
2022-04-10 00:20:39
debian
debian
[SECURITY] [DSA 5239-1] gdal security update
2022-09-27 20:57:35
[SECURITY] [DLA 2877-1] gdal security update
2022-01-12 12:17:15
[SECURITY] [DLA 3129-1] gdal security update
2022-09-30 23:03:47
osv
osv
BIT-gdal-2021-45943
2024-03-06 10:52:03
gdal - security update
2022-09-27 00:00:00
CVE-2021-45943
2022-01-01 01:15:09
openvas
openvas
Mageia: Security Advisory (MGASA-2022-0137)
2022-04-11 00:00:00
Fedora: Security Advisory for gdal (FEDORA-2022-e85e37206b)
2022-04-06 00:00:00
Fedora: Security Advisory for gdal (FEDORA-2022-cffca5dbf4)
2022-04-07 00:00:00
debiancve
debiancve
CVE-2021-45943
2022-01-01 01:15:09
CVE-2022-24729
2022-03-16 17:15:07
CVE-2022-24891
2022-04-27 21:15:08
fedora
fedora
[SECURITY] Fedora 35 Update: mingw-python3-3.10.4-1.fc35
2022-04-05 15:44:05
[SECURITY] Fedora 34 Update: mingw-gdal-3.2.2-3.fc34
2022-04-06 18:45:21
[SECURITY] Fedora 34 Update: gdal-3.2.2-3.fc34
2022-04-06 18:45:21
gentoo
gentoo
GDAL: Heap Buffer Overflow
2022-10-31 00:00:00
gitlab
gitlab
Out-of-bounds Write
2022-01-01 00:00:00
nessus
nessus
GLSA-202210-15 : GDAL: Heap Buffer Overflow
2022-10-31 00:00:00
Debian DSA-5239-1 : gdal - security update
2022-09-28 00:00:00
Debian DLA-3129-1 : gdal - LTS security update
2022-09-30 00:00:00
ubuntucve
ubuntucve
CVE-2021-45943
2022-01-01 00:00:00
CVE-2022-24729
2022-03-16 00:00:00
CVE-2022-24891
2022-04-27 00:00:00
github
github
Cross-site Scripting in org.owasp.esapi:esapi
2022-04-27 21:09:46
XSS in the `of` option of the `.position()` util in jquery-ui
2021-10-26 14:55:12
Improper Restriction of XML External Entity Reference in Liquibase
2022-03-05 00:00:45
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2022-03-17 08:30:53
Cross-site Scripting (XSS)
2022-04-28 03:28:18
Cross-site Scripting (XSS)
2021-10-27 05:33:22
redhatcve
redhatcve
CVE-2021-41184
2021-11-01 17:41:18
CVE-2022-0839
2022-05-03 21:34:35
drupal
drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
2022-01-19 00:00:00
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005
2022-03-16 00:00:00
checkpoint_advisories
checkpoint_advisories
jQuery UI Cross-site Scripting (CVE-2021-41184)
2022-10-19 00:00:00
ibm
ibm
Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184)
2022-07-19 03:08:00
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Liquibase
2023-05-02 22:55:11
Security Bulletin: Improper Restriction of XML External Entity Reference in liquibase prior to 4.8.0 Affects IBM Partner Engagement Manager (CVE-2022-0839)
2022-09-22 19:13:43
huntr
huntr
in liquibase/liquibase
2022-01-16 05:54:09
ubuntu
ubuntu
jQuery UI vulnerability
2022-09-09 00:00:00
jQuery UI vulnerabilities
2023-10-05 00:00:00
f5
f5
K50455702 : jQuery vulnerabilities CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184
2022-03-28 00:00:00
redhat
redhat
(RHSA-2022:4711) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
2022-05-26 16:04:07

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.4%

JSON
Related for ORACLE_RDBMS_CPU_JUL_2022.NASL
cve14prion14nvd14cvelist14cnvd7mageia1debian4osv18openvas26debiancve4fedora13gentoo1gitlab1nessus30ubuntucve4github3veracode4redhatcve2drupal2checkpoint_advisories1ibm17huntr1ubuntu2f51redhat1