cnvd - cnvd-2021-08524

cnvd-2021-08524

Vulnerability from cnvd

Title: Oracle ZFS Storage Appliance访问控制错误漏洞

Description:

Oracle ZFS Storage Appliance是美国Oracle公司的一个支持闪存、PB级文件存储并内置Oracle数据库的存储设备。

Oracle ZFS Storage Appliance Kit product存在安全漏洞。攻击者可利用漏洞登录到执行Oracle ZFS存储设备工具包的基础设施，从而破坏Oracle ZFS存储设备工具包。

Severity: 低

Patch Name: Oracle ZFS Storage Appliance访问控制错误漏洞的补丁

Patch Description:

Oracle ZFS Storage Appliance是美国Oracle公司的一个支持闪存、PB级文件存储并内置Oracle数据库的存储设备。

Oracle ZFS Storage Appliance Kit product存在安全漏洞。攻击者可利用漏洞登录到执行Oracle ZFS存储设备工具包的基础设施，从而破坏Oracle ZFS存储设备工具包。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpujan2021.html

Reference: https://www.oracle.com/security-alerts/cpujan2021.html

Impacted products

Name
Oracle Oracle ZFS Storage Appliance Kit 8.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-1999",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-1999"
    }
  },
  "description": "Oracle ZFS Storage Appliance\u662f\u7f8e\u56fdOracle\u516c\u53f8\u7684\u4e00\u4e2a\u652f\u6301\u95ea\u5b58\u3001PB\u7ea7\u6587\u4ef6\u5b58\u50a8\u5e76\u5185\u7f6eOracle\u6570\u636e\u5e93\u7684\u5b58\u50a8\u8bbe\u5907\u3002\n\nOracle ZFS Storage Appliance Kit product\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u767b\u5f55\u5230\u6267\u884cOracle ZFS\u5b58\u50a8\u8bbe\u5907\u5de5\u5177\u5305\u7684\u57fa\u7840\u8bbe\u65bd\uff0c\u4ece\u800c\u7834\u574fOracle ZFS\u5b58\u50a8\u8bbe\u5907\u5de5\u5177\u5305\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpujan2021.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-08524",
  "openTime": "2021-02-02",
  "patchDescription": "Oracle ZFS Storage Appliance\u662f\u7f8e\u56fdOracle\u516c\u53f8\u7684\u4e00\u4e2a\u652f\u6301\u95ea\u5b58\u3001PB\u7ea7\u6587\u4ef6\u5b58\u50a8\u5e76\u5185\u7f6eOracle\u6570\u636e\u5e93\u7684\u5b58\u50a8\u8bbe\u5907\u3002\r\n\r\nOracle ZFS Storage Appliance Kit product\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u767b\u5f55\u5230\u6267\u884cOracle ZFS\u5b58\u50a8\u8bbe\u5907\u5de5\u5177\u5305\u7684\u57fa\u7840\u8bbe\u65bd\uff0c\u4ece\u800c\u7834\u574fOracle ZFS\u5b58\u50a8\u8bbe\u5907\u5de5\u5177\u5305\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle ZFS Storage Appliance\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Oracle ZFS Storage Appliance Kit 8.8"
  },
  "referenceLink": "https://www.oracle.com/security-alerts/cpujan2021.html",
  "serverity": "\u4f4e",
  "submitTime": "2021-01-25",
  "title": "Oracle ZFS Storage Appliance\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-1999 (GCVE-0-2021-1999)

Vulnerability from cvelistv5

Published

2021-01-20 14:50

Modified

2024-09-26 18:45

Severity ?

5.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

CWE

Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data.

Summary

Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: RAS subsystems). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 5.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Sun ZFS Storage Appliance Kit (AK) Software	Version: 8.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:32:01.529Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-1999",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T17:55:53.678973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T18:45:23.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sun ZFS Storage Appliance Kit (AK) Software",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "8.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: RAS subsystems). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 5.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:50:00",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2021-1999",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sun ZFS Storage Appliance Kit (AK) Software",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "8.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: RAS subsystems). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 5.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "5.0",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle ZFS Storage Appliance Kit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle ZFS Storage Appliance Kit accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2021-1999",
    "datePublished": "2021-01-20T14:50:00",
    "dateReserved": "2020-12-09T00:00:00",
    "dateUpdated": "2024-09-26T18:45:23.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted