R00T4Dm

**Name of the Vulnerable Software and Affected Versions** Apache Karaf Decanter versions prior to 2.12.0 **Description** The Decanter log socket collector in Apache Karaf has a deserialization issue. The collector operates on port 4560 without authentication. If the `allowed classes` property is exposed, its configuration can be bypassed, leading to potential denial-of-service (DoS) conditions due to untrusted data deserialization. The Decanter log socket collector is not installed by default, meaning users who have not installed it are not affected. **Recommendations** Upgrade to version 2.12.0 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Fory versions prior to 0.12.2 **Description** The issue is a Denial of Service (DoS) resulting from insecure deserialization of untrusted data. An attacker can provide a large, specially crafted data payload that consumes excessive CPU resources during deserialization, leading to CPU exhaustion and rendering the application or system unresponsive. **Recommendations** Upgrade to version 0.12.2 or later.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADManager Plus versions prior to 7183 **Description** The issue allows admin users to exploit an XXE problem to view files. **Recommendations** For versions prior to 7183, update to version 7183 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3 or IIOP to compromise the server. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.29 and prior **Description** A vulnerability in the MySQL Server product allows a highly privileged attacker with network access via multiple protocols to compromise the server. The vulnerability is difficult to exploit and can result in unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server, leading to a denial of service. The issue is related to insufficient input validation in the Server: Stored Procedure component. **Recommendations** For versions 8.0.29 and prior, update to a version later than 8.0.29 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation. Additionally, monitor the server for signs of denial of service attacks and implement measures to prevent such attacks.

**Name of the Vulnerable Software and Affected Versions** Oracle BI Publisher versions 12.2.1.3.0 through 12.2.1.4.0 **Description** The issue is related to errors in the code of the Oracle BI Publisher's BI Publisher Security component. It allows a remote attacker to gain read access to data using HTTP requests. Successful attacks can result in unauthorized read access to a subset of Oracle BI Publisher accessible data. **Recommendations** For versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Billing and Revenue Management versions 12.0.0.4 through 12.0.0.5 **Description** The issue is related to insufficient input validation in the Connection Manager component, allowing a low-privileged attacker with network access via TCP to compromise Oracle Communications Billing and Revenue Management. Successful attacks can result in the takeover of Oracle Communications Billing and Revenue Management. **Recommendations** For versions 12.0.0.4 and 12.0.0.5, consider restricting network access via TCP to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and strengthen input validation for the Connection Manager component to prevent potential attacks.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 **Description** The issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition, resulting in unauthorized access to critical data or complete access to all accessible data. The vulnerability is related to the Analytics Web General component and is easily exploitable. **Recommendations** For versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing a remote attacker to cause a denial of service via T3/IIOP protocols. Successful attacks can result in the ability to cause a hang or frequently repeatable crash of Oracle WebLogic Server. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3/IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 14.1.1.0.0 **Description** The issue exists due to insufficient input validation in a component of Oracle WebLogic Server. Exploitation can allow a remote attacker to impact the confidentiality and integrity of protected information. Successful attacks require human interaction and can result in unauthorized access to some of the server's accessible data, including update, insert, or delete access, as well as unauthorized read access to a subset of the data. **Recommendations** For version 14.1.1.0.0, consider restricting access to the vulnerable component until a patch is available. As a temporary workaround, limit network access via HTTP to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue exists due to insufficient input validation in the Samples component of Oracle WebLogic Server, allowing a remote attacker to impact the confidentiality and integrity of protected information. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized access to Oracle WebLogic Server data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** A vulnerability in the Oracle WebLogic Server product exists due to insufficient input validation in the Samples component. This easily exploitable issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The vulnerability can result in unauthorized update, insert, or delete access to some of Oracle WebLogic Server's accessible data, as well as unauthorized read access to a subset of Oracle WebLogic Server's accessible data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the Samples component until a patch is available. Avoid using HTTP requests to access sensitive data in Oracle WebLogic Server until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Samples component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle WebLogic Server's accessible data, as well as unauthorized read access to a subset of the server's accessible data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0 **Description** The issue is a denial of service caused by sending a specially-crafted request. A remote attacker could exploit this to cause the server to consume all available CPU resources. **Recommendations** For IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0, update to a version that includes a fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring AMQP versions 2.2.0 through 2.2.18 Spring AMQP versions 2.3.0 through 2.3.10 **Description** The issue arises from the Spring AMQP Message object's toString() method, which deserializes a body for a message with content type application/x-java-serialized-object. This allows for the construction of a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. Additionally, the method can create a new String object from the message body, regardless of its size, potentially leading to an OOM Error with large messages. **Recommendations** For Spring AMQP versions 2.2.0 through 2.2.18, consider disabling the toString() method for the Spring AMQP Message object until a patch is available. For Spring AMQP versions 2.3.0 through 2.3.10, restrict the use of the toString() method for the Spring AMQP Message object to prevent potential CPU usage issues and OOM Errors.

**Name of the Vulnerable Software and Affected Versions** Oracle Coherence versions 12.1.3.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle Coherence, allowing an unauthenticated attacker with network access via T3 or IIOP protocols to compromise Oracle Coherence. Successful attacks can result in the takeover of Oracle Coherence. The vulnerability is difficult to exploit. **Recommendations** For versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to the Web Services component of Oracle WebLogic Server, which can be exploited by an unauthenticated attacker with network access via T3 or IIOP protocols. This can lead to a denial of service (DOS) condition, causing the server to hang or crash repeatedly. The vulnerability is due to incorrect resource cleanup or release. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, consider restricting access to the T3 protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the Web Services component until a patch is available. Avoid using the T3 or IIOP protocols in the affected Oracle WebLogic Server versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition version 12.2.1.4.0 **Description** The issue exists due to insufficient input validation in the Analytics Web General component of Oracle Business Intelligence Enterprise Edition. This allows a remote attacker to gain full control over the application via the HTTP protocol. Successful attacks can result in the takeover of Oracle Business Intelligence Enterprise Edition. **Recommendations** For version 12.2.1.4.0, consider disabling the BIRemotingServlet to prevent deserialization of untrusted data until a patch is available. Restrict access to the Analytics Web General component to minimize the risk of exploitation. Avoid using the HTTP protocol to access the vulnerable component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Essbase Analytic Provider Services versions 11.1.2.4 through 21.2 **Description** The issue is related to errors in processing input data in the web component of Essbase Analytic Provider Services. It can be exploited by a remote attacker to cause a denial of service. Successful attacks can result in the ability to cause the service to hang or crash repeatedly, leading to a complete denial of service. **Recommendations** For versions 11.1.2.4 and 21.2, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.