Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.8
CVE Id: CVE-2014-6577
Last Modified: 14 Apr 2015 10:01:25
Published: 21 Jan 2015 10:28:16
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2014-6577

Summary

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

Vulnerable Systems

Application

  • Oracle Database Server 11.2.0.3

  • Oracle Database Server 11.2.0.4

  • Oracle Database Server 12.1.0.1

  • Oracle Database Server 12.1.0.2


References

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

MISC - https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/

SECTRACK - 1031572

BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE

MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html


Last Updated: 27 May 2016 11:08:24