Paul Barbé

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Essbase Administration Services version 21.4.3.0.0 **Description** The issue is related to insufficient input validation in the EAS Administration and EAS Console components of Oracle Hyperion Essbase Administration Services. This allows a high-privileged attacker with logon to the infrastructure where Oracle Hyperion Essbase Administration Services executes to compromise the service. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data. The vulnerability may significantly impact additional products. **Recommendations** For version 21.4.3.0.0, consider restricting access to the EAS Administration and EAS Console components until a patch is available. As a temporary workaround, limit the use of the HTTP protocol to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Essbase versions prior to 11.1.2.4.046 Oracle Essbase versions prior to 21.3 Description: The issue allows a low-privileged attacker with network access via HTTP to compromise Essbase Administration Services, potentially impacting additional products. Successful attacks can result in unauthorized access to critical data, complete access to all Essbase Administration Services accessible data, as well as unauthorized update, insert, or delete access to some of the accessible data. Recommendations: For Oracle Essbase versions prior to 11.1.2.4.046, update to version 11.1.2.4.046 or later. For Oracle Essbase versions prior to 21.3, update to version 21.3 or later.

Name of the Vulnerable Software and Affected Versions: Oracle Essbase versions prior to 11.1.2.4.046 Oracle Essbase versions prior to 21.3 Description: The issue allows a low-privileged attacker with network access via HTTP to compromise Essbase Administration Services, potentially resulting in unauthorized access to critical data or complete access to all accessible data. While the vulnerability is in Essbase Administration Services, attacks may significantly impact additional products. Recommendations: For Oracle Essbase versions prior to 11.1.2.4.046, update to version 11.1.2.4.046 or later. For Oracle Essbase versions prior to 21.3, update to version 21.3 or later.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.2.6 through 12.2.10 Description: The issue allows a low-privileged attacker with network access via HTTP to compromise Oracle Shipping Execution, resulting in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. Recommendations: For versions 12.2.6 through 12.2.10, update to a version that includes the fix for this issue to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Essbase versions prior to 11.1.2.4.046 Oracle Essbase versions prior to 21.3 Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services, resulting in unauthorized read access to a subset of accessible data. The vulnerability is easily exploitable and affects the EAS Console component. Recommendations: For Oracle Essbase versions prior to 11.1.2.4.046, update to version 11.1.2.4.046 or later. For Oracle Essbase versions prior to 21.3, update to version 21.3 or later.

Name of the Vulnerable Software and Affected Versions: Oracle Essbase versions prior to 11.1.2.4.046 Oracle Essbase versions prior to 21.3 Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of Essbase Administration Services. Recommendations: For versions prior to 11.1.2.4.046, update to version 11.1.2.4.046 or later. For versions prior to 21.3, update to version 21.3 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle Essbase versions prior to 11.1.2.4.046 Oracle Essbase versions prior to 21.3 **Description** The issue is related to insufficient input validation in the EAS Console component of Oracle Essbase Administration Services. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services, potentially leading to a takeover. Attacks may significantly impact additional products. **Recommendations** For versions prior to 11.1.2.4.046, update to version 11.1.2.4.046 or later. For versions prior to 21.3, update to version 21.3 or later. As a temporary workaround, consider restricting access to the EAS Console component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Essbase Analytic Provider Services version 11.1.2.4 **Description** The issue is related to errors in processing input data in the JAPI component of Essbase Analytic Provider Services. This can allow a remote attacker to gain full access to critical data. The vulnerability can be easily exploited by an unauthenticated attacker with network access via HTTP, but successful attacks require human interaction from a person other than the attacker. This can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data. **Recommendations** For version 11.1.2.4, consider restricting access to the JAPI component until a patch is available. As a temporary workaround, disabling the JAPI component can help minimize the risk of exploitation. Additionally, restricting network access via HTTP to the Essbase Analytic Provider Services can also reduce the risk.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.25 and prior **Description** The issue is related to errors in resource release in the Server: Optimizer component of the MySQL Server product. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For versions 8.0.25 and prior, update to a version later than 8.0.25 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Infrastructure Technology version 11.2.5.0 **Description** The issue is related to insufficient input validation in the Lifecycle Management component. It allows a high-privileged attacker with network access via HTTP to compromise Hyperion Infrastructure Technology, resulting in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. Successful attacks require human interaction from a person other than the attacker. **Recommendations** For version 11.2.5.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Infrastructure Technology version 11.2.5.0 **Description** The issue is related to insufficient input validation in the Lifecycle Management component. It allows a high-privileged attacker with network access via HTTP to compromise Hyperion Infrastructure Technology, but successful attacks require human interaction from a person other than the attacker. This can result in unauthorized creation, deletion, or modification access to critical data or all Hyperion Infrastructure Technology accessible data, as well as unauthorized access to critical data or complete access to all Hyperion Infrastructure Technology accessible data. **Recommendations** For version 11.2.5.0, consider restricting access to the Lifecycle Management component to minimize the risk of exploitation until a patch is available. Additionally, ensure that all inputs are thoroughly validated to prevent unauthorized data access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion BI+ versions 11.1.2.4 through 11.2.5.0 **Description** The issue is related to insufficient input validation in the UI and Visualization component of Oracle Hyperion BI+, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized read access to a subset of Oracle Hyperion BI+ accessible data. **Recommendations** For versions 11.1.2.4 and 11.2.5.0, consider restricting access to the UI and Visualization component until a fix is available. As a temporary workaround, restrict the use of HTTP protocol to minimize the risk of exploitation. Avoid using the vulnerable component for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.0 through 2.4.46 **Description** The issue is caused by a stack overflow in the `mod auth digest` function of the Apache HTTP Server. This can be triggered by a specially crafted Digest nonce. Although there are no reports of this overflow being exploitable, certain compiler and/or compilation options might make it possible, with limited consequences due to the size and value of the overflow. **Recommendations** For Apache HTTP Server versions 2.4.0 through 2.4.46, consider updating to a version where this issue is fixed, as the current version may be vulnerable to a stack overflow in the `mod auth digest` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.