Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU)

high Nessus Plugin ID 133042

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Oracle Secure Global Desktop installed on the remote host is missing a security patch from the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

- A remote code execution vulnerability exists in the Core (Apache Axis) component. An unauthenticated, adjacent attacker can exploit this issue to execute arbitrary commands. (CVE-2019-0227)

- A cross-site scripting vulnerability exists in the Web Server (Apache HTTPD Server) component. An unauthenticated, remote attacker can exploit this issue by causing the link on the mod_proxy error page to be malformed and point to a page of the attacker's choice. (CVE-2019-10092)

- A cross-site scripting vulnerability exists in faces/context/PartialViewContextImpl.java in Eclipse (Mojarra) due to mishandling of a client window field. An unauthenticated, remote attacker can exploit this issue to gain unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data, as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data. (CVE-2019-17091)

Solution

Apply the appropriate patch according to the January 2020 Oracle Critical Patch Update Advisory.

See Also

http://www.nessus.org/u?bc4414d8

http://www.nessus.org/u?2cb6a420

Plugin Details

Severity: High

ID: 133042

File Name: oracle_secure_global_desktop_jan_2020_cpu.nasl

Version: 1.5

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/17/2020

Updated: 12/5/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-10098

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-0227

Vulnerability Information

CPE: cpe:/a:oracle:virtualization_secure_global_desktop

Required KB Items: Host/Oracle_Secure_Global_Desktop/Version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/14/2020

Vulnerability Publication Date: 1/14/2020

Reference Information

CVE: CVE-2019-0227, CVE-2019-10092, CVE-2019-10098, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-17091

BID: 107867