SB2025041698 - Multiple vulnerabilities in Oracle Communications Cloud Native Core DBTier

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025041698

SB2025041698 - Multiple vulnerabilities in Oracle Communications Cloud Native Core DBTier

Published: April 16, 2025

Security Bulletin ID SB2025041698
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper authentication (CVE-ID: CVE-2024-12797)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

Note, the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.


2) Stack-based buffer overflow (CVE-ID: CVE-2025-24928)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xmlSnprintfElements() function in valid.c. A remote attacker can pass specially crafted XML data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References