Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Multiple vulnerabilities were discovered in libspring-java, a modular Java/J2EE application framework. An attacker may execute code, perform XST attack, issue unauthorized cross-domain requests or cause a DoS (denial of service) in specific configurations.

CVE-2018-1270

Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-11039

Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11040

Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the 'jsonp' and 'callback' JSONP parameters, enabling cross-domain requests.

CVE-2018-15756

Spring Framework provides support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.

For Debian 9 stretch, these problems have been fixed in version 4.3.5-1+deb9u1.

We recommend that you upgrade your libspring-java packages.

For the detailed security status of libspring-java please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libspring-java

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A denial of service (DoS) vulnerability exists in MySQL Enterprise Monitor due the use of a vulnerable Spring Framework version. Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, to cause a DoS. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is missing the April 2020 Critical Patch Update for Oracle Identity Manager Connector. It is, therefore, affected by multiple vulnerabilities:

 - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware  (component: General (Apache ActiveMQ)). The supported version that is affected is 9.0. Easily exploitable  vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable  crash (complete DOS) of Identity Manager Connector. (CVE-2019-0222)

 - Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: LDAP Gateway  (Spring Framework)). The supported version that is affected is 9.0. Easily exploitable vulnerability allows  unauthenticated attacker with network access via HTTP to compromise Identity Manager Connector. Successful attacks of  this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of  Identity Manager Connector. (CVE-2018-15756)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities :

  - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware     (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An     unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host.
    (CVE-2016-6814)

  - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion     Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An     unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
    (CVE-2016-1000031)

  - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion     Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An     unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop     functioning properly. (CVE-2018-8013)

  - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion     Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with     a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can     exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Oracle GoldenGate for Big Data application located on the remote host is 12.3.1.1.x less than 12.3.1.1.6 or 12.3.2.1.x less than 12.3.2.1.5. It is, therefore, affected by a denial of service (DoS) vulnerability. This vulnerability is due to its use of Spring Framework, which provides support for range requests when serving static resources through the ResourceHttpRequestHandler or when an annotated controller returns an org.springframework.core.io.Resource. An unauthenticated, remote attacker can exploit this issue by adding a range header with a high number of ranges, or with wide ranges that overlap, or both to cause the application to stop responding.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

  - An unspecified vulnerability allows a remote unauthenticated     attacker with network access to compromise and takeover the     StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729)

  - An unspecified vulnerability allows a remote unauthenticated     attacker with network access to compromise and takeover the     Tape Virtual Storage Manager GUI. (CVE-2019-2725)

  - An unspecified vulnerability in the WLS Core Component allows an     authenticated low privileged attacker with network     access via HTTP to compromise Oracle WebLogic Server, resulting     in unauthorized update, insert or delete access to Oracle     WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827)

  - An unspecified vulnerability in the jQuery Component allows an     authenticated low privileged attacker with network     access via HTTP to compromise Oracle WebLogic Server, resulting     in unauthorized update, insert or delete access to Oracle     WebLogic Server accessible data. Successful attacks require     human interaction from actions from another Weblogic user.
    (CVE-2016-71030)

  - An unspecified vulnerability in the Application Container - JavaEE     Component of Oracle WebLogic Server allows an unauthenticated     attacker with network access via T3 to compromise Oracle WebLogic     Server. A successful attack of this vulnerability could result in     takeover of Oracle WebLogic Server. (CVE-2019-2856)     
  - An unspecified vulnerability in the Sample apps (Spring Framework)     Component of Oracle WebLogic Server allows an unauthenticated     attacker with network access via HTTP to compromise Oracle WebLogic     Server. A successful attack of this vulnerability could result in     unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756)

According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.16, 16.x prior to 16.2.9, 17.x prior to 17.12.4, or 18.x prior to 18.8.6. It is, therefore, affected by multiple vulnerabilities:

  - An unspecified vulnerability in the Spring Framework,     version 5.1, versions 5.0.x prior to 5.0.10, versions     4.3.x prior to 4.3.20, and older unsupported versions     on the 4.2.x branch allows an a malicious user to add     a range header with a high number of ranges, or with     wide ranges that overlap, or both, to cause a denial     of service. (CVE-2018-15756)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow     attackers to have unspecified impact by leveraging     failure to block the axis2-transport-jms class from     polymorphic deserialization. (CVE-2018-19360)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow     attackers to have unspecified impact by leveraging     failure to block the openjpa class from polymorphic     deserialization. (CVE-2018-19361)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow     attackers to have unspecified impact by leveraging     failure to block the jboss-common-core class from     polymorphic deserialization. (CVE-2018-19362)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - A deserialization vulnerability in Apache Commons     FileUpload allows for remote code execution.
    (CVE-2016-1000031)

  - An information disclosure vulnerability exists in OpenSSL     due to the potential for a side-channel timing attack.
    An unauthenticated attacker can exploit this to disclose     potentially sensitive information. (CVE-2018-0734)

  - A denial of service (DoS) vulnerability exists in Apache     HTTP Server 2.4.17 to 2.4.34, due to a design error. An     unauthenticated, remote attacker can exploit this issue     by sending continuous, large SETTINGS frames to cause a     client to occupy a connection, server thread and CPU     time without any connection timeout coming to effect.
    This affects only HTTP/2 connections. A possible     mitigation is to not enable the h2 protocol.
    (CVE-2018-11763).

  - Networking component of Enterprise Manager Base Platform     (Spring Framework) is easily exploited and may allow an     unauthenticated, remote attacker to takeover the     Enterprise Manager Base Platform. (CVE-2018-1258)

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - Networking component of Enterprise Manager Base Platform (Spring Framework)   is easily exploited and may allow an unauthenticated, remote attacker to takeover   the Enterprise Manager Base Platform.
  (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756)

  - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker   unauthorized access to critical data or complete access to all Enterprise Manager   Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539)

  - An information disclosure vulnerability exists in OpenSSL due to the potential   for a side-channel timing attack. An unauthenticated attacker can exploit   this to disclose potentially sensitive information.   (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)

ID	Name	Product	Family	Severity
149004	Debian DLA-2635-1 : libspring-java security update	Nessus	Debian Local Security Checks	critical
138904	MySQL Enterprise Monitor 4.x < 4.0.10 / 8.x < 8.0.15 DoS (Jul 2019 CPU)	Nessus	CGI abuses	high
136284	Oracle Identity Manager Connector Multiple Vulnerabilities (April 2020 CPU)	Nessus	Misc.	high
136091	Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)	Nessus	Windows	critical
129973	Oracle GoldenGate for Big Data 12.3.1.1.x < 12.3.1.1.6 / 12.3.2.1.x < 12.3.2.1.5 Spring Framework DoS (Oct 2019 CPU)	Nessus	Misc.	high
126915	Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU)	Nessus	Misc.	critical
126828	Oracle Primavera Gateway Multiple Vulnerabilities (Jul 2019 CPU)	Nessus	CGI abuses	critical
125147	Oracle Enterprise Manager Ops Center (Apr 2019 CPU)	Nessus	Misc.	critical
124157	Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)	Nessus	Misc.	high

Detections

Analytics

CVE-2018-15756

high

Tenable Plugins

critical

high

high

critical

high

critical

critical

critical

high