-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

#####################################################
## N C S C ~ S E C U R I T Y   A D V I S O R Y     ##
#####################################################

Title          : Vulnerabilities fixed in Oracle Communications
Advisory ID    : NCSC-2025-0124
Version        : 1.00
Probability    : medium
CVE ID         : CVE-2023-5388, CVE-2023-5685, CVE-2023-49582,
                 CVE-2023-51074, CVE-2024-1135, CVE-2024-4227,
                 CVE-2024-5535, CVE-2024-6763, CVE-2024-7254,
                 CVE-2024-11053, CVE-2024-12797, CVE-2024-12798,
                 CVE-2024-21538, CVE-2024-25638, CVE-2024-28168,
                 CVE-2024-28219, CVE-2024-28834, CVE-2024-31141,
                 CVE-2024-34064, CVE-2024-35195, CVE-2024-37891,
                 CVE-2024-38819, CVE-2024-38827, CVE-2024-40896,
                 CVE-2024-43044, CVE-2024-43709, CVE-2024-43796,
                 CVE-2024-47072, CVE-2024-47554, CVE-2024-49767,
                 CVE-2024-50602, CVE-2024-52046, CVE-2024-52303,
                 CVE-2024-53122, CVE-2024-56128, CVE-2024-56337,
                 CVE-2024-57699, CVE-2025-1974, CVE-2025-23084,
                 CVE-2025-23184, CVE-2025-24813, CVE-2025-24928,
                 CVE-2025-24970, CVE-2025-27516, CVE-2025-27789,
                 CVE-2025-30729, CVE-2025-31721
                 (Details of the vulnerabilities can be found on the
                 Mitre website: https://cve.mitre.org/cve/)
Damage         : high
                 Files or Directories Accessible to External Parties
                 Allocation of Resources Without Limits or Throttling
                 Improper Resource Shutdown or Release
                 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
                 Improper Input Validation
                 Improper Restriction of XML External Entity Reference
                 Always-Incorrect Control Flow Implementation
                 Use of Incorrectly-Resolved Name or Reference
                 Improper Neutralization of Special Elements Used in a Template Engine
                 Insufficient Verification of Data Authenticity
                 Improper Check for Unusual or Exceptional Conditions
                 Improper Certificate Validation
                 Uncontrolled Recursion
                 Divide By Zero
                 Time-of-check Time-of-use (TOCTOU) Race Condition
                 Dependency on Vulnerable Third-Party Component
                 Uncontrolled Resource Consumption
                 Excessive Iteration
                 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
                 Improper Isolation or Compartmentalization
                 Incorrect Implementation of Authentication Algorithm
                 Inefficient Regular Expression Complexity
                 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
                 Use of a Broken or Risky Cryptographic Algorithm
                 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
                 Use of Potentially Dangerous Function
                 Exposure of Sensitive Information to an Unauthorized Actor
                 Observable Timing Discrepancy
                 Integer Overflow to Buffer Overflow
                 Improper Validation of Syntactic Correctness of Input
                 Authorization Bypass Through User-Controlled Key
                 Missing Report of Error Condition
                 Missing Release of Resource after Effective Lifetime
                 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
                 Incorrect Resource Transfer Between Spheres
                 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
                 Stack-based Buffer Overflow
                 Improper Control of Generation of Code ('Code Injection')
                 Acceptance of Extraneous Untrusted Data With Trusted Data
                 Deserialization of Untrusted Data
                 Incorrect Permission Assignment for Critical Resource
                 Missing Authorization
                 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
                 Improper Privilege Management
                 Improper Restriction of Operations within the Bounds of a Memory Buffer
                 Path Equivalence: 'file.name' (Internal Dot)
Issue date     : 20250416
Application    : Oracle Communications Billing and Revenue Management
                 Oracle Communications Cloud Native Core Binding Support Function
                 Oracle Communications Cloud Native Core Certificate Management
                 Oracle Communications Cloud Native Core Console
                 Oracle Communications Cloud Native Core DBTier
                 Oracle Communications Cloud Native Core Network Data Analytics Function
                 Oracle Communications Cloud Native Core Network Function Cloud Native Environment
                 Oracle Communications Cloud Native Core Network Repository Function
                 Oracle Communications Cloud Native Core Policy
                 Oracle Communications Cloud Native Core Security Edge Protection Proxy
                 Oracle Communications Cloud Native Core Service Communication Proxy
                 Oracle Communications Cloud Native Core Unified Data Repository
                 Oracle Communications Diameter Signaling Router
                 Oracle Communications EAGLE Element Management System
                 Oracle Communications Element Manager
                 Oracle Communications Messaging Server
                 Oracle Communications MetaSolv Solution
                 Oracle Communications Network Analytics Data Director
                 Oracle Communications Network Charging and Control
                 Oracle Communications Network Integrity
                 Oracle Communications Operations Monitor
                 Oracle Communications Order and Service Management
                 Oracle Communications Policy Management
                 Oracle Communications Pricing Design Center
                 Oracle Communications Service Catalog and Design
                 Oracle Communications Session Border Controller
                 Oracle Communications Session Report Manager
                 Oracle Communications Unified Assurance
                 Oracle Communications Unified Inventory Management
                 Oracle Communications User Data Repository
                 Oracle Enterprise Communications Broker
                 Oracle Management Cloud Engine
                 Oracle SD-WAN Edge
Version(s)     :
Platform(s)    :

Description
   Oracle has fixed multiple vulnerabilities in Oracle Communications
   products, including Cloud Native Core and Policy Management.

   The vulnerabilities in Oracle Communications products allow
   unauthenticated attackers to gain unauthorised access to sensitive
   data and can lead to Denial-of-Service (DoS) attacks. Specific
   versions of Cloud Native Core, such as the Binding Support Function
   and the Network Repository Function, are affected, with CVSS scores
   ranging from 4.3 to 9.8, which indicates significant risks to the
   availability and confidentiality of the affected systems.

Possible solutions
   Oracle has released updates to fix the vulnerabilities. See the
   references below for more information.

   References:
   Reference - cveprojectv5; nvd; oracle
   https://www.oracle.com/security-alerts/cpuapr2025.html

Disclaimer
   By using this security advisory you agree to the following
   conditions. Although the NCSC has taken the greatest possible care
   in compiling this security advisory, the NCSC cannot guarantee the
   completeness, correctness or (continued) timeliness of this security
   advisory. The information in this security advisory is intended
   solely as general information for professional parties. No rights
   can be derived from the information in this security advisory. The
   NCSC and the State are not liable for any damage resulting from the
   use of, or the inability to use, this security advisory, including
   damage resulting from the incorrectness or incompleteness of the
   information in this security advisory.

   This security advisory is governed by Dutch law. All disputes
   relating to and/or arising from this security advisory will be
   submitted to the court with exclusive jurisdiction in The Hague.
   This choice of law also applies to the interim relief judge in
   summary proceedings.