The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2019 CPU advisory.

  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Information Manager     Console (Apache Xalan)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0 and 8.6.1.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Knowledge. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Knowledge accessible data as well as unauthorized read access     to a subset of Oracle Knowledge accessible data and unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Knowledge. (CVE-2014-0107)     
  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Information Manager     Console (Apache Commons BeanUtils)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0 and     8.6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Knowledge. Successful attacks of this vulnerability can result in takeover of Oracle     Knowledge. (CVE-2014-0114)

  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Information Manager     Console (Apache Derby)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0 and 8.6.1.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Knowledge. Successful attacks of this vulnerability can result in unauthorized access to     critical data or complete access to all Oracle Knowledge accessible data and unauthorized ability to cause     a hang or frequently repeatable crash (complete DOS) of Oracle Knowledge. (CVE-2015-1832)     
  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Information Manager     Console (JGroups)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0 and 8.6.1. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Knowledge. Successful attacks of this vulnerability can result in takeover of Oracle Knowledge.
    (CVE-2016-2141)

  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Information Manager     Console (Apache Commons FileUpload)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0     and 8.6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Knowledge. Successful attacks of this vulnerability can result in takeover of Oracle     Knowledge. (CVE-2016-1000031)

  - Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Web Applications     (InfoCenter)). Supported versions that are affected are 8.5.1.0 - 8.5.1.7, 8.6.0 and 8.6.1. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Knowledge. Successful attacks require human interaction from a person other than the attacker and     while the vulnerability is in Oracle Knowledge, attacks may significantly impact additional products.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Oracle Knowledge accessible data as well as unauthorized read access to a subset of Oracle     Knowledge accessible data. (CVE-2019-2719)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Siebel Server 8.5.1.x <= 8.5.1.7 / 8.6.0 / 8.6.1 (April 2019 CPU)

critical Nessus Plugin ID 212392

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Dec 12, 2024, 9:55 AM CVSS metrics ("CVSSv2 score" set to 7.5) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202412120955
Version 1.2 Dec 11, 2024, 10:15 PM CEA reference Plugin Feed: 202412112215
Version 1.1 Dec 11, 2024, 5:27 PM New Plugin Feed: 202412111727