SB20200114134 - Multiple vulnerabilities in Siebel UI Framework

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2020-2560)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the SWSE Server component in Siebel UI Framework. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

2) Improper input validation (CVE-ID: CVE-2020-2559)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the UIF Open UI component in Siebel UI Framework. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

3) Improper input validation (CVE-ID: CVE-2020-2564)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the EAI component in Siebel UI Framework. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14379)

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujan2020.html?87559