Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote host is affected by the vulnerability described in GLSA-202402-16 (Apache Log4j: Multiple Vulnerabilities)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)

  - A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious     code execution. (CVE-2020-9493)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.20.3.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.20.3.5 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,     11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21248)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle     GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21277, CVE-2022-21366)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1;
    Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read     access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21282, CVE-2022-21296)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle     GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21283)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21291, CVE-2022-21305)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21293, CVE-2022-21294, CVE-2022-21340)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1;
    Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21299)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,     11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21341)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM     Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial     denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21349)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21360, CVE-2022-21365)

  - AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS     extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

  - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from     uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread     Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed     in Log4j 2.17.0, 2.12.3, and 2.3.1. (CVE-2021-45105)

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is     a setuid tool designed to allow unprivileged users to run commands as privileged users according     predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly     and ends trying to execute environment variables as commands. An attacker can leverage this by crafting     environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully     executed the attack can cause a local privilege escalation given unprivileged users administrative rights     on the target machine. (CVE-2021-4034)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to     drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt     mishandles bounds checking. (CVE-2021-42739)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier. (CVE-2021-44790)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :

  - Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether     the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS     connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that     appender. (CVE-2020-9488)

  - JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is     configured to reference an untrusted site or if the site referenced can be accesseed by the attacker.
    (CVE-2022-23302)

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2852 advisory.

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. (CVE-2020-9488)

  - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled     recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data     to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0     and 2.12.3. (CVE-2021-45105)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5020 advisory.

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. (CVE-2020-9488)

  - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect     against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log     messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup     substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous     releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to     true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar     org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see     https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code     execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and     com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.

  - A vulnerability exists in the Oracle Applications Framework product of Oracle E-Business Suite (component:
    Home page). The supported version that is affected is 12.2.10. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework.
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification     access to critical data or all Oracle Applications Framework accessible data as well as unauthorized     access to critical data or complete access to all Oracle Applications Framework accessible data.
    (CVE-2021-2200)

  - A vulnerability exists in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing     Administration). Supported versions that are affected are 12.2.7-12.2.10. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all Oracle Marketing accessible data as well as unauthorized access to critical data or     complete access to all Oracle Marketing accessible data. (CVE-2021-2205)

  - A vulnerability exists in the Oracle Email Center product of Oracle E-Business Suite (component: Message     Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Email     Center. While the vulnerability is in Oracle Email Center, attacks may significantly impact additional     products. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or     delete access to some of Oracle Email Center accessible data. (CVE-2021-2209)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2020 CPU advisory.

  - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with     network access via HTTP can exploit this issue to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)

  - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit     this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)

  - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit     this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can     result in takeover of Oracle WebLogic Server. (CVE-2020-14841)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 16.1-16.2, 17.7-17.12, 18.8, and 19.12 versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2020 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (Apache Derby)). Supported versions that are affected are 16.1-16.2, 17.7-17.12, 18.8 and 19.12. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized access to critical     data or complete access to all Primavera Unifier accessible data and unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Primavera Unifier. (CVE-2015-1832)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (iText)). Supported versions that are affected are 16.1-16.2, 17.7-17.12, 18.8 and 19.12. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Primavera Unifier. Successful attacks require human interaction from a person other than the attacker.
    Successful attacks of this vulnerability can result in takeover of Primavera Unifier. (CVE-2017-9096)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (Apache Solr)). Supported versions that are affected are 16.1-16.2, 17.7-17.12, 18.8 and 19.12. Difficult     to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise     Primavera Unifier. Successful attacks of this vulnerability can result in takeover of Primavera Unifier.
    (CVE-2019-17558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3817 advisory.

    Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport     protocol to or from AMQ Broker 6 and 7.

    This update provides various bug fixes and enhancements in addition to the client package versions     previously released on Red Hat Enterprise Linux 6, 7, and 8.

    Security Fix(es):

    * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime     (CVE-2020-11113)

    * wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297)

    * wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing     Denial of Service (CVE-2020-14307)

    * log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, and 19.12.0-19.12.4 versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle     Construction and Engineering (component: Admin (Apache     Ant)). Supported versions that are affected are     16.2.0-16.2.11 and 17.12.0-17.12.7. Easily exploitable     vulnerability allows unauthenticated attacker with     network access via HTTP to compromise Primavera Gateway.
    Successful attacks of this vulnerability can result in     takeover of Primavera Gateway.

  - Vulnerability in the Primavera Gateway product of Oracle     Construction and Engineering (component: Admin     (jQuery)). Supported versions that are affected are     16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9 and     19.12.0-19.12.4. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise Primavera Gateway. Successful attacks require     human interaction from a person other than the attacker     and while the vulnerability is in Primavera Gateway,     attacks may significantly impact additional products.
    Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of     Primavera Gateway accessible data as well as     unauthorized read access to a subset of Primavera     Gateway accessible data.

  - Vulnerability in the Primavera Gateway product of Oracle     Construction and Engineering (component: Admin (Log4j)).
    Supported versions that are affected are 16.2.0-16.2.11,     17.12.0-17.12.7, 18.8.0-18.8.9 and 19.12.0-19.12.4.
    Difficult to exploit vulnerability allows     unauthenticated attacker with network access via SMTPS     to compromise Primavera Gateway. Successful attacks of     this vulnerability can result in unauthorized read     access to a subset of Primavera Gateway accessible data.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Log4j on the remote host is < 2.13.2. It is, therefore, affected by an improper certificate validation vulnerability in the log4j SMTP appender. An attacker could leverage this vulnerability to perform a man-in-the-middle attack.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202482	RHEL 7 : nutch (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	low
199716	RHEL 8 : nutch (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	low
195854	RHEL 6 : log4j (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
195818	RHEL 5 : log4j (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
190670	GLSA-202402-16 : Apache Log4j: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
165276	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.3.5)	Nessus	Misc.	critical
164607	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.0.2.6)	Nessus	Misc.	critical
164601	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.4)	Nessus	Misc.	critical
164572	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1)	Nessus	Misc.	critical
156860	Apache Log4j 1.x Multiple Vulnerabilities	Nessus	Misc.	critical
156396	Debian DLA-2852-1 : apache-log4j2 - LTS security update	Nessus	Debian Local Security Checks	low
156015	Debian DSA-5020-1 : apache-log4j2 - security update	Nessus	Debian Local Security Checks	critical
148952	Oracle E-Business Suite Multiple Vulnerabilities (April 2021 CPU)	Nessus	Misc.	critical
141807	Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)	Nessus	Misc.	critical
141641	Oracle Primavera Unifier (Oct 2020 CPU)	Nessus	CGI abuses	critical
140747	RHEL 6 / 7 / 8 : AMQ Clients 2.8.0 Release (Moderate) (RHSA-2020:3817)	Nessus	Red Hat Local Security Checks	high
138526	Oracle Primavera Gateway (Jul 2020 CPU)	Nessus	CGI abuses	critical
136424	Apache Log4j < 2.13.2 Improper Certificate Verification	Nessus	Misc.	low

Detections

Analytics

CVE-2020-9488

low

Tenable Plugins

low

low

critical

critical

critical

critical

critical

critical

critical

critical

low

critical

critical

critical

critical

high

critical

low