Alexander Kornbrust

**Name of the Vulnerable Software and Affected Versions** Oracle Zero Data Loss Recovery Appliance Software versions 23.1.0 through 23.1.202509 **Description** A difficult to exploit issue exists in the Oracle Zero Data Loss Recovery Appliance Software, specifically within the Security component. An unauthenticated attacker with network access via Oracle Net can compromise the software. Exploitation requires human interaction from someone other than the attacker and can lead to unauthorized read access to a subset of the software’s data. **Recommendations** Update Oracle Zero Data Loss Recovery Appliance Software to a version later than 23.1.202509.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 23.4 through 23.8 **Description** A vulnerability exists within the JDBC component of Oracle Database Server. This difficult-to-exploit issue allows a low-privileged attacker with authenticated OS user privileges to compromise JDBC. Successful exploitation requires human interaction from a person other than the attacker. While the vulnerability resides in JDBC, attacks may impact additional products. Successful attacks can lead to unauthorized access to critical data or complete access to all JDBC accessible data. **Recommendations** Versions prior to 23.4 and after 23.8 are not affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database - Enterprise Edition Sharding (affected versions not specified) **Description** The issue affects the Oracle Database - Enterprise Edition Sharding component, allowing a low-privileged attacker with local logon privilege to compromise it. Successful attacks can result in the takeover of Oracle Database - Enterprise Edition Sharding and may have a significant impact on additional products. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database - Enterprise Edition Sharding version 19c **Description** The issue is related to insufficient input validation in the Oracle Database - Enterprise Edition Sharding component of Oracle Database Server. This easily exploitable vulnerability allows a high-privileged attacker with Create Any Procedure privilege and network access via Oracle Net to compromise Oracle Database - Enterprise Edition Sharding, potentially resulting in a takeover. **Recommendations** For Oracle Database - Enterprise Edition Sharding version 19c, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting network access via Oracle Net to minimize the risk of exploitation. Restrict the Create Any Procedure privilege to only those users who require it, to reduce the potential attack surface.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.2.0.1 and 19c **Description** The issue is related to insufficient input validation in the Core RDBMS component of Oracle Database Server. It allows a high-privileged attacker with Create Session and Execute Catalog Role privileges and network access via Oracle Net to compromise the Core RDBMS, resulting in unauthorized read access to a subset of Core RDBMS accessible data. **Recommendations** For version 12.2.0.1, update to a version that includes the fix for this issue. For version 19c, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c Description: The issue exists due to insufficient input validation in the Core RDBMS component of Oracle Database Server. This can be exploited by a remote attacker to impact the integrity of protected information. A successful attack can result in unauthorized access to update, insert, or delete some Core RDBMS accessible data. Recommendations: For versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server version 19c Description: The issue exists due to insufficient input validation in the RDBMS Security component of Oracle Database Server. This allows a remote attacker to gain unauthorized access to protected information using the Oracle Net protocol stack. Successful attacks can result in unauthorized access to critical data or complete access to all RDBMS Security accessible data. Recommendations: For version 19c, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Oracle Net protocol stack to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.20 through 2.4.43 **Description** The issue is related to the implementation of the HTTP/2 mechanism in the Apache HTTP Server, which is associated with inconsistent interpretation of HTTP requests. This can allow a remote attacker to cause a denial of service. A specially crafted value for the `Cache-Digest` header in a HTTP/2 request would result in a crash when the server tries to HTTP/2 PUSH a resource afterwards. **Recommendations** For Apache HTTP Server versions 2.4.20 through 2.4.43, configuring the HTTP/2 feature via "H2Push off" will mitigate this issue for unpatched servers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Configuration Manager version 12.1.2.0.6 **Description** The issue exists due to insufficient input validation in the Discovery and collection script component of Oracle Configuration Manager. This allows a remote attacker to gain unauthorized access to protected information, or modify, add, or delete data. The vulnerability can be exploited by a low-privileged attacker with network access via HTTP, potentially resulting in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For version 12.1.2.0.6, update to a newer version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Discovery and collection script component to minimize the risk of unauthorized data access or modification.

**Name of the Vulnerable Software and Affected Versions** TIBCO JasperReports Server versions 7.1.1 and below TIBCO JasperReports Server for AWS Marketplace versions 7.1.1 and below TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below **Description** The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. **Recommendations** For TIBCO JasperReports Server versions 7.1.1 and below, update to a version above 7.1.1 to resolve the issue. For TIBCO JasperReports Server for AWS Marketplace versions 7.1.1 and below, update to a version above 7.1.1 to resolve the issue. For TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below, update to a version above 7.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle Enterprise Manager versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to insufficient access control in the Application Performance Management component of Oracle Enterprise Manager, specifically in the EM Request Monitoring module. This can be exploited by a remote attacker to gain unauthorized access to sensitive information or to modify, add, or delete data using the HTTP protocol. Successful attacks can result in unauthorized access to critical data, complete access to all accessible data, or the ability to update, insert, or delete data, as well as cause a partial denial of service. **Recommendations** For versions 12.1.0.5, 13.2.0.0, and 13.3.0.0, consider restricting access to the EM Request Monitoring component until a patch is available. As a temporary workaround, limit the use of the HTTP protocol for accessing the Application Performance Management product to minimize the risk of exploitation. Restrict network access to the Application Performance Management component to reduce the potential for unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c **Description** The issue is related to a vulnerability in the Core RDBMS component of Oracle Database Server, which can be exploited by a high-privileged attacker with Create Session and Execute Catalog Role privileges. The attacker must have network access via Oracle Net. Successful attacks require human interaction from a person other than the attacker and can result in the takeover of Core RDBMS. This vulnerability is difficult to exploit and can be used by an attacker to compromise the Core RDBMS component. **Recommendations** For versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, consider restricting access to the Core RDBMS component until a patch is available. As a temporary workaround, limit the use of the Oracle Net protocol to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 13.4 iPadOS versions prior to 13.4 macOS Catalina versions prior to 10.15.4 tvOS versions prior to 13.4 watchOS versions prior to 6.2 iTunes for Windows versions prior to 12.10.5 iCloud for Windows versions prior to 10.9.3 and 7.18 Description: A buffer overflow issue was addressed with improved bounds checking. This issue may allow a remote attacker to execute arbitrary code. The issue is related to the libxml2 library. Recommendations: For iOS versions prior to 13.4, update to iOS 13.4 or later. For iPadOS versions prior to 13.4, update to iPadOS 13.4 or later. For macOS Catalina versions prior to 10.15.4, update to macOS Catalina 10.15.4 or later. For tvOS versions prior to 13.4, update to tvOS 13.4 or later. For watchOS versions prior to 6.2, update to watchOS 6.2 or later. For iTunes for Windows versions prior to 12.10.5, update to iTunes for Windows 12.10.5 or later. For iCloud for Windows versions prior to 10.9.3 and 7.18, update to iCloud for Windows 10.9.3 or 7.18 or later.

**Name of the Vulnerable Software and Affected Versions** Enterprise Manager Base Platform versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to insufficient access control in the Oracle Management Service component of the Enterprise Manager Base Platform. It can be exploited by a remote attacker to gain unauthorized access to protected information or cause a denial of service using the HTTP protocol. Successful attacks can result in unauthorized access to critical data, modification of some accessible data, or a partial denial of service. **Recommendations** For version 12.1.0.5, update to a version that includes the necessary security patches to resolve the issue. For version 13.2.0.0, apply the recommended security fixes to mitigate the risk of exploitation. For version 13.3.0.0, consider restricting access to the Oracle Management Service component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Enterprise Manager Base Platform versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to insufficient access control in the Connector Framework component of Oracle Enterprise Manager Base Platform. This can be exploited by a remote attacker to gain unauthorized access to sensitive information or cause a denial of service via the HTTP protocol. Successful attacks can result in unauthorized access to critical data, modification of some accessible data, or a partial denial of service. **Recommendations** For version 12.1.0.5, update to a version that includes the fix for this issue. For version 13.2.0.0, update to a version that includes the fix for this issue. For version 13.3.0.0, update to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Oracle Enterprise Manager Base Platform versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to insufficient access control in the Job System component of Oracle Enterprise Manager Base Platform. It can be exploited by a remote attacker to gain unauthorized access to protected information or cause a denial of service using the HTTP protocol. Successful attacks can result in unauthorized access to critical data, update, insert, or delete access to some data, and the ability to cause a partial denial of service. **Recommendations** For version 12.1.0.5, update to a version that includes the fix for this issue. For version 13.2.0.0, update to a version that includes the fix for this issue. For version 13.3.0.0, update to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Oracle FLEXCUBE Investor Servicing versions 12.1.0 through 12.4.0 Oracle FLEXCUBE Investor Servicing versions 14.0.0 through 14.1.0 **Description** The issue is related to inadequate access controls in the Infrastructure component of Oracle FLEXCUBE Investor Servicing, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. **Recommendations** For Oracle FLEXCUBE Investor Servicing versions 12.1.0 through 12.4.0, update to a version outside of the affected range to resolve the issue. For Oracle FLEXCUBE Investor Servicing versions 14.0.0 through 14.1.0, update to a version outside of the affected range to resolve the issue. As a temporary workaround, consider restricting access to the Infrastructure component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle FLEXCUBE Investor Servicing versions 12.1.0 through 12.4.0 Oracle FLEXCUBE Investor Servicing versions 14.0.0 through 14.1.0 **Description** The issue is related to inadequate access control in the Infrastructure component of Oracle FLEXCUBE Investor Servicing, allowing an attacker to compromise the system via HTTP protocol. Successful attacks can result in unauthorized access to critical data, as well as unauthorized update, insert, or delete access to some data. **Recommendations** For versions 12.1.0 through 12.4.0, update to a version outside of this range to resolve the issue. For versions 14.0.0 through 14.1.0, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Infrastructure component until a patch is available. Restrict access to sensitive data and implement additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Enterprise Manager Base Platform versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to insufficient access control in the Application Service Level Mgmt component of Oracle Enterprise Manager. It can be exploited by a remote attacker to gain unauthorized access to protected information or cause a denial of service using the HTTP protocol. Successful attacks can result in unauthorized access to critical data, update, insert, or delete access to some data, and the ability to cause a partial denial of service. **Recommendations** For version 12.1.0.5, update to a version that includes the fix for this issue. For version 13.2.0.0, update to a version that includes the fix for this issue. For version 13.3.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Application Service Level Mgmt component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Enterprise Manager versions 12.1.0.5, 13.2.0.0, 13.3.0.0 **Description** The issue is related to a component of the Enterprise Manager Base Platform product, specifically the Connector Framework, and is associated with inadequate access control. This allows a high-privileged attacker with network access via HTTP to compromise the Enterprise Manager Base Platform, resulting in unauthorized access to critical data, complete access to all accessible data, and the ability to update, insert, or delete some accessible data. Additionally, it can cause a partial denial of service. **Recommendations** For versions 12.1.0.5, 13.2.0.0, and 13.3.0.0, consider restricting access to the Connector Framework component to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the HTTP access to the Enterprise Manager Base Platform until the issue is resolved. Restrict access to sensitive data and ensure that only authorized personnel have access to the Enterprise Manager Base Platform.