This Solaris system is missing necessary patches to address critical security updates :

  - Vulnerability in the Oracle Communications Session     Border Controller product of Oracle Communications     (component: Routing (glibc)). Supported versions that     are affected are 8.4, 9.0 and 9.1. Difficult to exploit     vulnerability allows unauthenticated attacker with     network access via HTTP to compromise Oracle     Communications Session Border Controller. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Communications Session Border     Controller as well as unauthorized update, insert or     delete access to some of Oracle Communications Session     Border Controller accessible data and unauthorized read     access to a subset of Oracle Communications Session     Border Controller accessible data. CVSS 3.1 Base Score     7.0 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
    (CVE-2022-23219)

  - Vulnerability in the Oracle Communications Cloud Native     Core Unified Data Repository product of Oracle     Communications (component: Signaling (glibc)). The     supported version that is affected is 22.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise     Oracle Communications Cloud Native Core Unified Data     Repository. Successful attacks of this vulnerability can     result in takeover of Oracle Communications Cloud Native     Core Unified Data Repository. CVSS 3.1 Base Score 9.8     (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2022-23218)

  - Vulnerability in the Oracle Communications Cloud Native     Core Policy product of Oracle Communications (component:
    Policy (GNU Libtasn1)). Supported versions that are     affected are 22.4.0-22.4.4 and 23.1.0-23.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTPS to compromise     Oracle Communications Cloud Native Core Policy.
    Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access     to all Oracle Communications Cloud Native Core Policy     accessible data and unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle     Communications Cloud Native Core Policy. CVSS 3.1 Base     Score 9.1 (Confidentiality and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
    (CVE-2021-46848)

  - Vulnerability in the Oracle Text (LibExpat) component of     Oracle Database Server. Supported versions that are     affected are 19.3-19.19 and 21.3-21.10. Easily     exploitable vulnerability allows low privileged attacker     having Create Session, Create Index privilege with     network access via Oracle Net to compromise Oracle Text     (LibExpat). Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle     Text (LibExpat). CVSS 3.1 Base Score 6.5 (Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-43680)

  - Vulnerability in the PeopleSoft Enterprise PeopleTools     product of Oracle PeopleSoft (component: Porting     (Python)). Supported versions that are affected are 8.59     and 8.60. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise PeopleSoft Enterprise PeopleTools. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of PeopleSoft Enterprise PeopleTools.
    CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-45061)

  - Vulnerability in the Oracle Solaris product of Oracle     Systems (component: NSSwitch). Supported versions that     are affected are 10 and 11. Difficult to exploit     vulnerability allows high privileged attacker with     network access via multiple protocols to compromise     Oracle Solaris. Successful attacks require human     interaction from a person other than the attacker and     while the vulnerability is in Oracle Solaris, attacks     may significantly impact additional products (scope     change). Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access     to some of Oracle Solaris accessible data and     unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Solaris. CVSS 3.1 Base     Score 4.0 (Integrity and Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L).
    (CVE-2023-21900)

Detections

Analytics

Oracle Solaris Critical Patch Update : jan2023_SRU11_4_53_132_2

critical Nessus Plugin ID 170171

Version 1.3

Version 1.1

Version 1.1

Version 1.3 Apr 20, 2023, 4:15 PM Plugin metadata (https references for AIX advisories) Plugin Feed: 202304201615
Version 1.1 Jan 20, 2023, 3:59 PM STIG Severity (set to "I") IAVM reference CVE (set "CVE" coverage to "CVE-2023-21900") Plugin Feed: 202301201559
Version 1.1 Jan 23, 2023, 7:12 PM CVE (set "CVE" coverage to "CVE-2022-23218,CVE-2022-23219") CVSS metrics ("CVSSv2 score" set to "10.0") CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to "9.8") CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal score" set to "7.8") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal score" set to "8.8") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv2 score source (set to "CVE-2022-46882") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" set to "Exploits are available") Plugin metadata Severity (changed from "High" to "Critical") Plugin Feed: 202301231912