-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
#####################################################
## N C S C ~ B E V E I L I G I N G S A D V I E S ##
#####################################################
Titel : Kwetsbaarheden verholpen in Oracle Database producten
Advisory ID : NCSC-2024-0411
Versie : 1.00
Kans : medium
CVE ID : CVE-2022-1471, CVE-2022-34169, CVE-2022-36033,
CVE-2022-37454, CVE-2022-38136, CVE-2022-40196,
CVE-2022-41342, CVE-2022-42919, CVE-2022-45061,
CVE-2022-46337, CVE-2023-2976, CVE-2023-4043,
CVE-2023-4759, CVE-2023-4863, CVE-2023-5072,
CVE-2023-26031, CVE-2023-26551, CVE-2023-26552,
CVE-2023-26553, CVE-2023-26554, CVE-2023-26555,
CVE-2023-28484, CVE-2023-29469, CVE-2023-33201,
CVE-2023-37920, CVE-2023-39410, CVE-2023-44487,
CVE-2023-44981, CVE-2023-45288, CVE-2023-48795,
CVE-2023-49083, CVE-2023-51384, CVE-2023-51385,
CVE-2023-52425, CVE-2023-52426, CVE-2024-1874,
CVE-2024-2408, CVE-2024-2511, CVE-2024-4577,
CVE-2024-4603, CVE-2024-4741, CVE-2024-5458,
CVE-2024-5535, CVE-2024-5585, CVE-2024-6119,
CVE-2024-6232, CVE-2024-7264, CVE-2024-7592,
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140,
CVE-2024-21144, CVE-2024-21145, CVE-2024-21147,
CVE-2024-21233, CVE-2024-21242, CVE-2024-21251,
CVE-2024-21261, CVE-2024-22018, CVE-2024-22020,
CVE-2024-22201, CVE-2024-23807, CVE-2024-23944,
CVE-2024-24989, CVE-2024-24990, CVE-2024-25710,
CVE-2024-26130, CVE-2024-26308, CVE-2024-27983,
CVE-2024-28182, CVE-2024-28849, CVE-2024-28887,
CVE-2024-29025, CVE-2024-29131, CVE-2024-29133,
CVE-2024-31079, CVE-2024-32760, CVE-2024-34161,
CVE-2024-34750, CVE-2024-35200, CVE-2024-36137,
CVE-2024-36138, CVE-2024-36387, CVE-2024-37370,
CVE-2024-37371, CVE-2024-37372, CVE-2024-38356,
CVE-2024-38357, CVE-2024-38472, CVE-2024-38473,
CVE-2024-38474, CVE-2024-38475, CVE-2024-38476,
CVE-2024-38477, CVE-2024-38998, CVE-2024-38999,
CVE-2024-39573, CVE-2024-39884, CVE-2024-40725,
CVE-2024-40898, CVE-2024-45490, CVE-2024-45491,
CVE-2024-45492, CVE-2024-45801
(Details over de kwetsbaarheden kunt u vinden op
de Mitre website: https://cve.mitre.org/cve/)
Schade : high
Improper Restriction of Operations within the Bounds
of a Memory Buffer
Incorrect Permission Assignment for Critical Resource
Improper Certificate Validation
Missing Critical Step in Authentication
Improper Handling of Exceptional Conditions
CWE-18
Improper Encoding or Escaping of Output
Loop with Unreachable Exit Condition ('Infinite Loop')
Unchecked Input for Loop Condition
Authorization Bypass Through User-Controlled Key
NULL Pointer Dereference
Allocation of Resources Without Limits or Throttling
Exposure of Sensitive Information to an Unauthorized
Actor
Improperly Controlled Sequential Memory Allocation
Improper Neutralization of Argument Delimiters in a
Command ('Argument Injection')
Use After Free
Use of a Broken or Risky Cryptographic Algorithm
Double Free
Stack-based Buffer Overflow
Incorrect Calculation of Buffer Size
Inefficient Regular Expression Complexity
Uncontrolled Search Path Element
Incorrect Conversion between Numeric Types
Improper Neutralization of Special Elements used in a
Command ('Command Injection')
Server-Side Request Forgery (SSRF)
Observable Timing Discrepancy
Encoding Error
Improper Privilege Management
Integer Overflow to Buffer Overflow
Improper Input Validation
Improper Handling of Case Sensitivity
Improper Link Resolution Before File Access ('Link
Following')
Improper Restriction of Recursive Entity References in
DTDs ('XML Entity Expansion')
Untrusted Search Path
CWE-275
Improperly Controlled Modification of Object Prototype
Attributes ('Prototype Pollution')
Out-of-bounds Read
Deserialization of Untrusted Data
Out-of-bounds Write
Observable Discrepancy
Missing Encryption of Sensitive Data
Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting')
Uncontrolled Resource Consumption
Inefficient Algorithmic Complexity
Truncation of Security-relevant Information
Improper Resource Shutdown or Release
Integer Overflow or Wraparound
Improper Access Control
Improper Neutralization of Special Elements used in an
OS Command ('OS Command Injection')
Inclusion of Functionality from Untrusted Control
Sphere
Integer Coercion Error
Heap-based Buffer Overflow
Covert Timing Channel
Detection of Error Condition Without Action
Missing Release of Memory after Effective Lifetime
Access of Resource Using Incompatible Type ('Type
Confusion')
Improper Handling of Length Parameter Inconsistency
Files or Directories Accessible to External Parties
Exposure of Resource to Wrong Sphere
Insufficient Verification of Data Authenticity
Excessive Iteration
Improper Neutralization of Alternate XSS Syntax
Uitgiftedatum : 20241017
Toepassing : oracle application_express
oracle application_express_administration
oracle application_express_customers_plugin
oracle application_express_team_calendar_plugin
oracle autonomous_health_framework
oracle blockchain_platform
oracle database_-_core
oracle database_-_grid
oracle database_-_java_vm
oracle database_-_security
oracle database_-_xml_database
oracle essbase
oracle fleet_patching_and_provisioning
oracle fleet_patching_and_provisioning_-_micronaut
oracle goldengate
oracle goldengate_big_data
oracle goldengate_big_data_and_application_adapters
oracle goldengate_stream_analytics
oracle goldengate_studio
oracle goldengate_veridata
oracle graalvm_for_jdk
oracle management_pack_for__goldengate
oracle nosql_database
oracle oracle_essbase
oracle oracle_goldengate
oracle oracle_goldengate_stream_analytics
oracle oracle_goldengate_studio
oracle oracle_nosql_database
oracle oracle_secure_backup
oracle oracle_sql_developer
oracle secure_backup
oracle spatial_and_graph
oracle spatial_and_graph_mapviewer
oracle sql_developer
oracle sqlcl
oracle_corporation oracle_application_express
Versie(s) :
Platform(s) :
Beschrijving
Oracle heeft kwetsbaarheden verholpen in diverse Database producten
en subsystemen, zoals de Core database, Application Express,
Autonomous Health Framework, Essbase, GoldenGate, SQL Developer en
Secure Backup.
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit
te voeren die kunnen leiden tot de volgende categorieën schade:
- Denial-of-Service (DoS)
- Manipuleren van data
- Toegang tot gevoelige gegevens
Mogelijke oplossingen
Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen.
Zie bijgevoegde referenties voor meer informatie.
Referenties:
Reference - cveprojectv5; hkcert; nvd; oracle; redhat
https://www.oracle.com/security-alerts/cpuoct2024.html
Vrijwaringsverklaring
Door gebruik van deze security advisory gaat u akkoord met de
navolgende voorwaarden. Ondanks dat het NCSC de grootst mogelijke
zorg heeft betracht bij de samenstelling van dit beveiligingsadvies,
kan het NCSC niet instaan voor de volledigheid, juistheid of
(voortdurende) actualiteit van dit beveiligingsadvies. De informatie
in dit beveiligingsadvies is uitsluitend bedoeld als algemene
informatie voor professionele partijen. Aan de informatie in dit
beveiligingsadvies kunnen geen rechten worden ontleend. Het NCSC
en de Staat zijn niet aansprakelijk voor enige schade ten gevolge
van het gebruik of de onmogelijkheid van het gebruik van dit
beveiligingsadvies, waaronder begrepen schade ten gevolge van de
onjuistheid of onvolledigheid van de informatie in dit
beveiligingsadvies. Op dit beveiligingsadvies is Nederlands recht
van toepassing. Alle geschillen in verband met en/of voortvloeiend
uit dit beveiligingsadvies zullen worden voorgelegd aan de exclusief
bevoegde rechter te Den Haag. Deze rechtskeuze geldt tevens voor de
voorzieningenrechter in kort geding.
-----BEGIN PGP SIGNATURE-----
wsDzBAEBCgAdBQJnEQ3uFiEEbfBszMuom42mJgp8sECQZ3v2JPIACgkQsECQZ3v2
JPJxrAwArnEPCx45pByJnTWCOS9wM5o8LxXdT+hC+hB7j1HD05yIXX4irA0++/3o
Q8HwCxgC3Joti6Z3tEfm6AKKNv4K799cxvQ7um4aCtbDPxel1VrLKABobd+qRuQS
RaN1UFfc6iVrtzvuaOAwzR7TKPhTCR/OFGQdZsO7Cy1sr9Z9QYVlZ4BtHWWDBtsR
2kMJo0EzXgejn6rUk2uiPgilI7QMCD/P4ECmiIScWqoaKx0jMVbXsSOpCN5F6LWD
d9Piy3ep6lmxdm4E6KByaJeSThA/dnNTccfhUIKqJvWBytUQOYGKcafwVhWAfdpC
ulbi8/YcwmwrbC2EQr5B0cmF21FVjqXLt/xuXzXgmxOWMbS4t9P/MJ2J+OVbhWw5
Xyvwaq/c6FpMl0//b2O00Qeh2E6WYLl3eJHKgOXo0W10LCHfsLo4zyT6WdC9TXpz
J1XmwPtjg9ZV9vFxpfuVFtBqqETDNurtZeXzTqTBfUkPsi5AKrNgHipZUfKhzgYR
JZbJ2lQx
=R4Xa
-----END PGP SIGNATURE-----
