SB2022020144 - Multiple vulnerabilities in Oracle Agile PLM Framework
Published: February 1, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-33037)
The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests, related to processing of transfer encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
2) Resource exhaustion (CVE-ID: CVE-2021-36374)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Improper input validation (CVE-ID: CVE-2021-35043)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Security (AntiSamy) component in Oracle Agile PLM. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
4) Improper input validation (CVE-ID: CVE-2021-2351)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Advanced Networking Option in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Remediation
Install update from vendor's website.