SB2019071639 - Multiple vulnerabilities in Oracle Communications Diameter Signaling Router (DSR)
Published: July 16, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-5715)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in Intel CPU hardware due to improper implementation of the speculative execution of instructions. A local attacker can utilize branch target injection, execute arbitrary code, perform a side-channel attack and read sensitive memory information.
2) Improper input validation (CVE-ID: CVE-2018-0732)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to improper handling of large prime values by the affected software during key agreement operations in a Transport Layer Security (TLS) handshake using an Ephemeral Diffie-Hellman (DHE) based cipher suite. A remote attacker can send a large prime value from a malicious OpenSSL server to a targeted OpenSSL client and cause the client to stop responding while generating a key for the prime value.
3) Man-in-the-middle attack (CVE-ID: CVE-2018-8039)
The vulnerability allows a remote authenticated attacker to conduct man-in-the-middle attack on the target system.The weakness exists due to improper verification of TLS hostnames when used with the 'com.sun.net.ssl' implementation. A remote attacker can conduct a man-in-the-middle attack and bypass the hostname verification.
Remediation
Install update from vendor's website.