April 2021 CPU 32720399 Not Fixing The vulnerabilities
(Doc ID 2774633.1)
Last updated on SEPTEMBER 24, 2023
Applies to:
Oracle SOA Suite - Version 12.2.1.3.0 and later
SOA Suite Cloud Service - Version 12.1.3.0 and later
Oracle Service Bus - Version 12.2.1.4.0 to 12.2.1.4.0
Information in this document applies to any platform.
Goal
Customer has applied the patch 32720399. This supersedes the January Patch 32720399. Our security scan is still showing vulnerabilities.
[May 2, 2021 6:43:00 PM] [INFO] Patch 32720399 : applied on Fri Apr 30 18:46:55 EDT 2021
Unique Patch ID: 24158242
Patch description: "SOA Bundle Patch 12.2.1.3.210402"
Created on 3 Apr 2021, 04:19:42 hrs PST8PDT
Security Scan report
- An XML External Entity (XXE) vulnerability exists in the dom4j library, which allows DTDs and external entities by default. An unauthenticated, remote attacker can exploit this issue to compromise the server. Successful attacks of this vulnerability can result in takeover of Oracle Business Process Management Suite. (CVE-2020-10683)
- A deserialization flaw exists in the Oracle BAM (Business Activity Monitoring) product of Oracle Fusion Middleware (component: General (Xstream)) due to the introduction of a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. (CVE-2019-10173)
- A denial of service (DoS) vulnerability exists in the Oracle Managed File Transfer product of Oracle Fusion Middleware (component: MFT Runtime Server (Apache Tomcat)) due to improper validation of the payload length in a WebSocket frame. An unauthenticated, remote attacker can exploit this issue to trigger an infinite loop and cause a hang or frequently repeatable crash of Oracle Managed File Transfer. (CVE-2020-13935)
Solution
To view full details, sign in with your My Oracle Support account.