SB2020011484 - Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition

Published: January 14, 2020 Updated: June 24, 2022

Security Bulletin ID: SB2020011484
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

  • Medium: 50%
  • Low: 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2020-2531)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the BI Platform Security component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2020-2535)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Analytics Server component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-1559)

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists because the application behaves differently when it receives a 0-byte record with invalid padding than when it receives a record with an invalid MAC, which creates a padding oracle. A remote attacker can use this oracle to decrypt data.

Successful exploitation of the vulnerability requires that the application uses "non-stitched" ciphersuites and calls SSL_shutdown() twice (first in response to a BAD_RECORD_MAC and again in response to a CLOSE_NOTIFY).
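
As an added illustration of the error-discrimination pattern described above (this is not code from the bulletin or from OpenSSL, and it is a simplified record-check model rather than the affected TLS implementation), the following Python contrasts a check that reports bad padding and a bad MAC as different errors with a hardened check that always runs the MAC comparison and raises one opaque error for either failure; the key, record layout, messages and sample records are constructed for the demo, and it models uniform error reporting only, not timing equalisation.

```python
import hashlib
import hmac

MAC_KEY = b"\x2a" * 32   # constructed demo key, not a real secret
MAC_LEN = 32             # HMAC-SHA256 tag length

class PaddingError(Exception): pass
class MacError(Exception): pass
class RecordError(Exception): pass   # the one opaque error the hardened check raises

def _mac(data: bytes) -> bytes:
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def build_record(content: bytes, block: int = 16) -> bytes:
    """Decrypted TLS-style layout: content || MAC || pad bytes || pad_len byte."""
    body = content + _mac(content)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)

def _pad_ok(dec: bytes) -> bool:
    n = dec[-1]
    return len(dec) >= n + 1 + MAC_LEN and all(b == n for b in dec[-(n + 1):])

def verify_leaky(dec: bytes) -> bytes:
    """Vulnerable pattern: a padding failure is reported differently from a MAC failure."""
    if not _pad_ok(dec):
        raise PaddingError("bad padding")     # distinguishable from MacError below
    body = dec[:-(dec[-1] + 1)]
    if not hmac.compare_digest(_mac(body[:-MAC_LEN]), body[-MAC_LEN:]):
        raise MacError("bad mac")
    return body[:-MAC_LEN]

def verify_uniform(dec: bytes) -> bytes:
    """Hardened pattern: always run the MAC check, then raise one error for either failure."""
    pad_ok = _pad_ok(dec)
    body = dec[:-((dec[-1] if pad_ok else 0) + 1)]   # fixed layout when padding is bad
    mac_ok = hmac.compare_digest(_mac(body[:-MAC_LEN]), body[-MAC_LEN:])
    if not (pad_ok & mac_ok):                        # one non-specific failure path
        raise RecordError("bad record")
    return body[:-MAC_LEN]

def failure_kind(verify, dec: bytes) -> str:
    try:                     # returns the exception class name a checker raises, or "ok"
        verify(dec)
        return "ok"
    except (PaddingError, MacError, RecordError) as exc:
        return type(exc).__name__

GOOD = build_record(b"hello world")
BAD_PAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])               # corrupt the pad-length byte
BAD_MAC = GOOD[:11] + bytes([GOOD[11] ^ 0x01]) + GOOD[12:]   # corrupt the first MAC byte
```

The leaky checker tells a peer which of the two checks failed; the uniform checker gives the same answer for both corrupted records, which is the property a padding-oracle fix must restore.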



4) Improper input validation (CVE-ID: CVE-2020-2537)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Analytics Actions component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


Remediation

Install the update from the vendor's website.