Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU) - Nessus

High   Plugin ID: 83469

This page contains detailed information about the Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 83469
Name: Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU)
Filename: oracle_webcenter_sites_apr_2015_cpu.nasl
Vulnerability Published: 2014-02-06
This Plugin Published: 2015-05-14
Last Modification Time: 2022-04-11
Plugin Version: 1.6
Plugin Type: local
Plugin Family: Windows
Dependencies: oracle_webcenter_sites_installed.nbin
Required KB Items: SMB/WebCenter_Sites/Installed

Vulnerability Information


Severity: High
Vulnerability Published: 2014-02-06
Patch Published: 2015-04-14
CVE: CVE-2014-0050, CVE-2014-0112
CPE: cpe:/a:oracle:fusion_middleware

Synopsis

The website content management system installed on the remote host is affected by multiple vulnerabilities.

Description

The Oracle WebCenter Sites installation on the remote host is missing patches from the April 2015 CPU. It is, therefore, affected by multiple vulnerabilities:

- A flaw exists within 'MultipartStream.java' in Apache Commons FileUpload when parsing malformed Content-Type headers. A remote attacker, using a crafted header, can exploit this to cause an infinite loop, resulting in a denial of service. (CVE-2014-0050)

- ParametersInterceptor in Apache Struts does not properly restrict access to the getClass method. A remote attacker, using a crafted request, can exploit this to manipulate the ClassLoader, thus allowing the execution of arbitrary code. (CVE-2014-0112)

Solution

Apply the appropriate patch according to the April 2015 Oracle Critical Patch Update advisory.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU) vulnerability:

  1. Metasploit: exploit/multi/http/struts_code_exec_classloader
    [Apache Struts ClassLoader Manipulation Remote Code Execution]
  2. Metasploit: auxiliary/dos/http/apache_commons_fileupload_dos
    [Apache Commons FileUpload and Apache Tomcat DoS]
  3. Exploit-DB: exploits/multiple/dos/31615.rb
    [EDB-31615: Apache Commons FileUpload and Apache Tomcat - Denial of Service]
  4. Exploit-DB: exploits/multiple/remote/33142.rb
    [EDB-33142: Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)]
  5. Exploit-DB: exploits/multiple/remote/41690.rb
    [EDB-41690: Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)]
  6. GitHub: https://github.com/NCSU-DANCE-Research-Group/CDL
    [CVE-2014-0050]
  7. GitHub: https://github.com/adedov/victims-version-search
    [CVE-2014-0050]
  8. GitHub: https://github.com/jrrdev/cve-2014-0050
    [CVE-2014-0050: CVE-2014-0050 Vulnerable site sample]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 6.2 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.2 (Medium)

Plugin Source


This is the source code of the oracle_webcenter_sites_apr_2015_cpu.nasl Nessus plugin. This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(83469);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2014-0050", "CVE-2014-0112");
  script_bugtraq_id(65400, 67064);

  script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The website content management system installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Oracle WebCenter Sites installed on the remote host is missing
patches from the April 2015 CPU. It is, therefore, affected by
multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache
    Commons FileUpload when parsing malformed Content-Type
    headers. A remote attacker, using a crafted header,
    can exploit this to cause an infinite loop, resulting
    in a denial of service. (CVE-2014-0050)

  - ParametersInterceptor in Apache Struts does not properly
    restrict access to the getClass method. A remote
    attacker, using a crafted request, can exploit this to
    manipulate the ClassLoader, thus allowing the execution
    of arbitrary code. (CVE-2014-0112)");
  # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2015 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");

  script_dependencies("oracle_webcenter_sites_installed.nbin");
  script_require_keys("SMB/WebCenter_Sites/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");
include("misc_func.inc");

port = kb_smb_transport();

get_kb_item_or_exit('SMB/WebCenter_Sites/Installed');

versions = get_kb_list('SMB/WebCenter_Sites/*/Version');
if (isnull(versions)) exit(1, 'Unable to obtain version list for Oracle WebCenter Sites');

report = '';

foreach key (keys(versions))
{
  fix = '';

  version = versions[key];
  revision = get_kb_item(key - '/Version' + '/Revision');
  path = get_kb_item(key - '/Version' + '/Path');

  if (isnull(version) || isnull(revision)) continue;

  # Patch 19278850 - 11.1.1.8.0 < Revision 165274
  if (version =~ "^11\.1\.1\.8\.0$" && revision < 165274)
    fix = '\n  Fixed Revision : 165274' +
          '\n  Required Patch : 19278850';

  # Patch 18846487 - 11.1.1.6.1 < Revision 164040
  if (version =~ "^11\.1\.1\.6\.1$" && revision < 164040)
    fix = '\n  Fixed Revision : 164040' +
          '\n  Required Patch : 18846487';

  # Patch 20617648 - 7.6.2 < Revision 162566
  if (version =~ "^7\.6\.2(\.|$)" && revision < 162566)
    fix = '\n  Fixed Revision : 162566' +
          '\n  Required Patch : 20617648';

  if (fix != '')
  {
    if (!isnull(path)) report += '\n  Path           : ' + path;
    report += '\n  Version        : ' + version +
              '\n  Revision       : ' + revision +
              fix + '\n';
  }
}

if (report != '')
{
  if (report_verbosity > 0) security_hole(port:port, extra:report);
  else security_hole(port);
}
else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/oracle_webcenter_sites_apr_2015_cpu.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\oracle_webcenter_sites_apr_2015_cpu.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/oracle_webcenter_sites_apr_2015_cpu.nasl

How to Run


Here is how to run the Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU) plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. In the top right corner, click to Disable All plugins.
  5. In the left-side table, select the Windows plugin family.
  6. In the right-side table, select the Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU) plugin, ID 83469.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line. Note that the examples below demonstrate usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl oracle_webcenter_sites_apr_2015_cpu.nasl -t <IP/HOST>

Run the plugin with the audit trail message written to the console:

/opt/nessus/bin/nasl -a oracle_webcenter_sites_apr_2015_cpu.nasl -t <IP/HOST>

Run the plugin with a script execution trace written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - oracle_webcenter_sites_apr_2015_cpu.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state oracle_webcenter_sites_apr_2015_cpu.nasl -t <IP/HOST>

References


BID | SecurityFocus Bugtraq ID:
See also:
Similar and related Nessus plugins:
  • 73675 - CentOS 6 : tomcat6 (CESA-2014:0429)
  • 72401 - Debian DSA-2856-1 : libcommons-fileupload-java - denial of service
  • 73421 - Debian DSA-2897-1 : tomcat7 - security update
  • 78165 - F5 Networks BIG-IP : Apache Commons FileUpload vulnerability (K15189)
  • 72544 - Fedora 20 : apache-commons-fileupload-1.3-5.fc20 (2014-2175)
  • 72545 - Fedora 19 : apache-commons-fileupload-1.3-5.fc19 (2014-2183)
  • 79982 - GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities
  • 73003 - Mandriva Linux Security Advisory : apache-commons-fileupload (MDVSA-2014:056)
  • 83293 - MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities
  • 83295 - MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities
  • 75324 - openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)
  • 78603 - Oracle Endeca Information Discovery Studio Multiple Vulnerabilities (October 2014 CPU)
  • 73677 - Oracle Linux 6 : tomcat6 (ELSA-2014-0429)
  • 72853 - RHEL 5 / 6 : JBoss EAP (RHSA-2014:0253)
  • 73678 - RHEL 6 : tomcat6 (RHSA-2014:0429)
  • 76240 - RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0525)
  • 76241 - RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0526)
  • 117393 - Apache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)
  • 81105 - Apache Struts 2.0.0 < 2.3.16.1 Multiple Vulnerabilities (credentialed check) (Deprecated)
  • 73763 - Apache Struts 2 ClassLoader Manipulation Incomplete Fix for Security Bypass
  • 72692 - Apache Tomcat 7.0.x < 7.0.52 Content-Type DoS
  • 72693 - Apache Tomcat 8.0.x < 8.0.3 Content-Type DoS
  • 72874 - Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : tomcat6, tomcat7 vulnerabilities (USN-2130-1)
  • 76388 - VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)
  • 78670 - VMware vCenter Orchestrator Appliance 5.5.x < 5.5.2 DoS (VMSA-2014-0007)
  • 78671 - VMware vCenter Orchestrator 5.5.x < 5.5.2 DoS (VMSA-2014-0007)
  • 77728 - VMware Security Updates for vCenter Server (VMSA-2014-0008)
  • 77630 - VMSA-2014-0008 : VMware vSphere product updates to third-party libraries
  • 76967 - IBM WebSphere Application Server 7.0 < Fix Pack 33 Multiple Vulnerabilities
  • 76995 - IBM WebSphere Application Server 8.0 < Fix Pack 9 Multiple Vulnerabilities
  • 74235 - IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities
  • 74156 - IBM WebSphere Portal 8.x < 8.0.0.1 CF12 Multiple Vulnerabilities
  • 74293 - IBM WebSphere Portal Apache Commons FileUpload DoS

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file oracle_webcenter_sites_apr_2015_cpu.nasl version 1.6. For more plugins, visit the Nessus Plugin Library.
