Rewterz

Rewterz Threat Advisory – Oracle Solaris Multiple Third Party Components Multiple Vulnerabilities

April 17, 2019
Rewterz

Rewterz Threat Advisory – Oracle Solaris Multiple Third Party Components Multiple Vulnerabilities

April 17, 2019

Rewterz Threat Advisory – Oracle Primavera P6 Enterprise Project Portfolio Management Multiple Vulnerabilities

Severity

High

Analysis Summary

Multiple vulnerabilities have been reported in Oracle Primavera P6 Enterprise Project Portfolio Management, which may lead to disclosure of sensitive information and security bypass, if exploited.
 

CVE-2018-0734
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. Variations in the signing algorithm can be used by an attacker to recover the private key. 
 

CVE-2016-1000031
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

CVE-2018-0735
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.

Impact

  • Exposure of sensitive information
  • Security Bypass
  • Other Unknown impact

Affected Vendors

Oracle

Affected Products

Oracle Primavera P6 Enterprise Project Portfolio Management 8.4

Remediation

Apply update.

https://support.oracle.com/rs?type=doc&id=2512516.1

Additional Information:

CVE-2018-0734

Fixed in OpenSSL 1.1.1a (Affected 1.1.1)

Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)

Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)

CVE-2018-0735

Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)

Fixed in OpenSSL 1.1.1a (Affected 1.1.1)

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.