SB20241015202 - Multiple vulnerabilities in Oracle Retail Customer Management and Segmentation Foundation

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20241015202

SB20241015202 - Multiple vulnerabilities in Oracle Retail Customer Management and Segmentation Foundation

Published: October 15, 2024

Security Bulletin ID SB20241015202
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2024-38808)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when evaluating user-supplied SpEL expression. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Inadequate Encryption Strength (CVE-ID: CVE-2024-41909)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features and perform "Terrapin attack".


Remediation

Install update from vendor's website.

References