Detections
Analytics

Oracle Traffic Director Multiple Vulnerabilities (July 2014 CPU)

high Nessus Plugin ID 76938

Language:

Synopsis

The remote host is running software with multiple vulnerabilities.

Description

The remote host is running an unpatched version of Oracle Traffic Director that is affected by the following vulnerabilities :

 - The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739)

 - The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks.
 (CVE-2013-1740)

 - NSS contains an integer overflow flaw that allows remote attackers to cause a denial of service.
 (CVE-2013-1741)

 - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605)

 - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid.
 (CVE-2013-5606)

 - Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490)

 - Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491)

 - An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue could allow man-in- the-middle attacks. (CVE-2014-1492)

Solution

Apply the appropriate patch according to the July 2014 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?77697fb1

Plugin Details

Severity: High

ID: 76938

File Name: oracle_traffic_director_july_2014_cpu.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 7/31/2014

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:fusion_middleware, cpe:/a:oracle:traffic_director

Required KB Items: installed_sw/Oracle Traffic Director

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2014

Vulnerability Publication Date: 7/15/2014

Reference Information

CVE: CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492

BID: 62966, 63736, 63737, 63738, 64944, 65332, 65335, 66356