
April 2021 CPU 32720399 Not Fixing The vulnerabilities (Doc ID 2774633.1)

Last updated on SEPTEMBER 24, 2023

Applies to:

Oracle SOA Suite - Version 12.2.1.3.0 and later
SOA Suite Cloud Service - Version 12.1.3.0 and later
Oracle Service Bus - Version 12.2.1.4.0 to 12.2.1.4.0
Information in this document applies to any platform.

Goal

Customer has applied patch 32720399. This supersedes the January patch 32720399. Our security scan is still showing vulnerabilities.

[May 2, 2021 6:43:00 PM] [INFO] Patch 32720399 : applied on Fri Apr 30 18:46:55 EDT 2021
  Unique Patch ID: 24158242
  Patch description: "SOA Bundle Patch 12.2.1.3.210402"
  Created on 3 Apr 2021, 04:19:42 hrs PST8PDT

Security Scan report

- An XML External Entity (XXE) vulnerability exists in the dom4j library, which allows DTDs and external entities by default. An unauthenticated, remote attacker can exploit this issue to compromise the server. Successful attacks of this vulnerability can result in takeover of Oracle Business Process Management Suite. (CVE-2020-10683)
- A deserialization flaw exists in the Oracle BAM (Business Activity Monitoring) product of Oracle Fusion Middleware (component: General (XStream)) due to the introduction of a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. (CVE-2019-10173)
- A denial of service (DoS) vulnerability exists in the Oracle Managed File Transfer product of Oracle Fusion Middleware (component: MFT Runtime Server (Apache Tomcat)) due to improper validation of the payload length in a WebSocket frame. An unauthenticated, remote attacker can exploit this issue to trigger an infinite loop and cause a hang or frequently repeatable crash of Oracle Managed File Transfer. (CVE-2020-13935)
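The first finding turns on dom4j's SAXReader resolving DTDs and external entities unless told otherwise. The following is an added example (not from this Oracle document or from the SOA Suite code base) showing how application code that parses untrusted XML with dom4j can disable that behaviour; the feature URIs are the standard SAX/Xerces feature names, the class name and the two sample documents are constructed for illustration.

```java
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

import java.io.StringReader;

public class HardenedDom4jReader {

    // Build a dom4j SAXReader that refuses DOCTYPE declarations and never
    // resolves external entities or external DTDs.
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE outright: this alone blocks XXE and entity-expansion inputs.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    // Returns true if the reader parses the document, false if it rejects it.
    public static boolean accepts(SAXReader reader, String xml) {
        try {
            reader.read(new StringReader(xml));
            return true;
        } catch (DocumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed inputs: a harmless internal entity (just to carry a DOCTYPE)
        // and a plain document with no DTD.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        String plain = "<r>ok</r>";

        System.out.println("default reader accepts DOCTYPE:  " + accepts(new SAXReader(), withDoctype));
        System.out.println("hardened reader accepts DOCTYPE: " + accepts(hardenedReader(), withDoctype));
        System.out.println("hardened reader accepts plain:   " + accepts(hardenedReader(), plain));
    }
}
```

The default reader prints true for the DOCTYPE input while the hardened one prints false, and plain XML still parses; the same feature switches apply to any SAX-based parser the middleware feeds untrusted input to.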

Solution
