-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0175
                   Security Advisory: Oracle Siebel CRM
                               18 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Siebel CRM
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Modify Arbitrary Files -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-2959  
Member content until: Friday, August 17 2018

OVERVIEW

        A vulnerability has been identified in Siebel Applications,
        version 18.0. [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerability:
        
        "This Critical Patch Update contains 1 new security fix for
        Oracle Siebel CRM. This vulnerability is remotely
        exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]

        "CVE-2018-2959
         4.3
         AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

        The supported version that is affected is 18.0. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Siebel UI
        Framework. Successful attacks require human interaction
        from a person other than the attacker. Successful attacks of
        this vulnerability can result in unauthorized update,
        insert or delete access to some of Siebel UI Framework
        accessible data." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2018
            http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

        [2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW07jtWaOgq3Tt24GAQgUsRAA3H7jfXCbGQhHkhQ1GjhOddfH8taRDzWh
l8kGSpS0nJVW/WPANpYuqkzPxB+UAgBLXiUZ8McjEQhxj9SooLW1Qo8p+kb4P3Tz
s6CMZdFniC3iEvt7XfhIK4/En3H6BDZrUDLe8a6bPEP3yqscDpgn0I5Yf0fHdUHC
gOaf3Xt3wPGSU+Knv7g2GQZD6aQLCHrT/DY8K+Mc7b6q38RaNKh+uACXNMt4P8qj
2l2aHuv7mpOaFDveykZuxV1OM4TUdSKxC0OQOJ4Djphw92lI5Uaz22wMxiR3F8yM
D0A/YiQx85sk28bhvAf500A6UG92cEyZ73uIZl8RLYN25O5Aw2EVg/5MqZsksjPL
e2QiHOzIxQJFxcSXwAfrNvD/7aUg3gAvUfPCTSBEdEv/e93LRIu6oZ51yUAwAZjK
pzhXNA3EB1K/ENwcD74MgomnvFKOX15hTQ6DYSHonzTtGd/fcLQLQ0ju17leWlkr
6u81tL6ihbp+00wDPdT8ljA6wfazHB2JG3fKJ9IfnB8ttT+AdI0YiA2HtMrStY56
dznUNb1eE7mOwWibs+Dhnt5AR38ZUD+Hm1zjsLdsjWeK4oSg7G7jX23ma9jo9EuK
8YBHPW5jSre3vlzI3J9nfXkGY6ORokvdKtujy55Ix8d2CkHBeDQLZ9Y7cWFLyhvK
LYWkUNBc4YI=
=tn2J
-----END PGP SIGNATURE-----