cnvd - cnvd-2022-33106

cnvd-2022-33106

Vulnerability from cnvd

Title: Oracle Fusion Middleware和Oracle Business Intelligence Enterprise Edition存在未明漏洞（CNVD-2022-33106）

Description:

Oracle Fusion Middleware（Oracle融合中间件）和Oracle Business Intelligence Enterprise Edition都是美国甲骨文（Oracle）公司的产品。Oracle Fusion Middleware是一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。Oracle Business Intelligence Enterprise Edition是一款智能商业分析软件。对企业数据进行可视化分析，从而辅助决策、降低总体拥有成本并提高整个组织的投资回报率。

Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware存在安全漏洞，该漏洞允许未经身份验证的攻击者通过 HTTP 进行网络访问，从而破坏 Oracle 商业智能企业版。成功的攻击需要来自攻击者以外的其他人的人工交互，并且虽然漏洞存在于 Oracle 商业智能企业版中，但攻击可能会显着影响其他产品（范围更改）。攻击者可利用该漏洞对某些Oracle Business Intelligence Enterprise Edition可访问数据的未经授权的更新、插入或删除访问，以及对 Oracle Business Intelligence Enterprise Edition 可访问数据的子集的未经授权的读取访问。

Severity: 中

Patch Name: Oracle Fusion Middleware和Oracle Business Intelligence Enterprise Edition存在未明漏洞（CNVD-2022-33106）的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.oracle.com/security-alerts/cpuapr2022.html

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-21492

Impacted products

Name
Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-21492"
    }
  },
  "description": "Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u548cOracle Business Intelligence Enterprise Edition\u90fd\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Oracle Fusion Middleware\u662f\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002Oracle Business Intelligence Enterprise Edition\u662f\u4e00\u6b3e\u667a\u80fd\u5546\u4e1a\u5206\u6790\u8f6f\u4ef6\u3002\u5bf9\u4f01\u4e1a\u6570\u636e\u8fdb\u884c\u53ef\u89c6\u5316\u5206\u6790\uff0c\u4ece\u800c\u8f85\u52a9\u51b3\u7b56\u3001\u964d\u4f4e\u603b\u4f53\u62e5\u6709\u6210\u672c\u5e76\u63d0\u9ad8\u6574\u4e2a\u7ec4\u7ec7\u7684\u6295\u8d44\u56de\u62a5\u7387\u3002\n\nOracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u901a\u8fc7 HTTP \u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u7834\u574f Oracle \u5546\u4e1a\u667a\u80fd\u4f01\u4e1a\u7248\u3002\u6210\u529f\u7684\u653b\u51fb\u9700\u8981\u6765\u81ea\u653b\u51fb\u8005\u4ee5\u5916\u7684\u5176\u4ed6\u4eba\u7684\u4eba\u5de5\u4ea4\u4e92\uff0c\u5e76\u4e14\u867d\u7136\u6f0f\u6d1e\u5b58\u5728\u4e8e Oracle \u5546\u4e1a\u667a\u80fd\u4f01\u4e1a\u7248\u4e2d\uff0c\u4f46\u653b\u51fb\u53ef\u80fd\u4f1a\u663e\u7740\u5f71\u54cd\u5176\u4ed6\u4ea7\u54c1\uff08\u8303\u56f4\u66f4\u6539\uff09\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u67d0\u4e9bOracle Business Intelligence Enterprise Edition\u53ef\u8bbf\u95ee\u6570\u636e\u7684\u672a\u7ecf\u6388\u6743\u7684\u66f4\u65b0\u3001\u63d2\u5165\u6216\u5220\u9664\u8bbf\u95ee\uff0c\u4ee5\u53ca\u5bf9 Oracle Business Intelligence Enterprise Edition \u53ef\u8bbf\u95ee\u6570\u636e\u7684\u5b50\u96c6\u7684\u672a\u7ecf\u6388\u6743\u7684\u8bfb\u53d6\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuapr2022.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-33106",
  "openTime": "2022-04-24",
  "patchDescription": "Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u548cOracle Business Intelligence Enterprise Edition\u90fd\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Oracle Fusion Middleware\u662f\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002Oracle Business Intelligence Enterprise Edition\u662f\u4e00\u6b3e\u667a\u80fd\u5546\u4e1a\u5206\u6790\u8f6f\u4ef6\u3002\u5bf9\u4f01\u4e1a\u6570\u636e\u8fdb\u884c\u53ef\u89c6\u5316\u5206\u6790\uff0c\u4ece\u800c\u8f85\u52a9\u51b3\u7b56\u3001\u964d\u4f4e\u603b\u4f53\u62e5\u6709\u6210\u672c\u5e76\u63d0\u9ad8\u6574\u4e2a\u7ec4\u7ec7\u7684\u6295\u8d44\u56de\u62a5\u7387\u3002\r\n\r\nOracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u901a\u8fc7 HTTP \u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\uff0c\u4ece\u800c\u7834\u574f Oracle \u5546\u4e1a\u667a\u80fd\u4f01\u4e1a\u7248\u3002\u6210\u529f\u7684\u653b\u51fb\u9700\u8981\u6765\u81ea\u653b\u51fb\u8005\u4ee5\u5916\u7684\u5176\u4ed6\u4eba\u7684\u4eba\u5de5\u4ea4\u4e92\uff0c\u5e76\u4e14\u867d\u7136\u6f0f\u6d1e\u5b58\u5728\u4e8e Oracle \u5546\u4e1a\u667a\u80fd\u4f01\u4e1a\u7248\u4e2d\uff0c\u4f46\u653b\u51fb\u53ef\u80fd\u4f1a\u663e\u7740\u5f71\u54cd\u5176\u4ed6\u4ea7\u54c1\uff08\u8303\u56f4\u66f4\u6539\uff09\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u67d0\u4e9bOracle Business Intelligence Enterprise Edition\u53ef\u8bbf\u95ee\u6570\u636e\u7684\u672a\u7ecf\u6388\u6743\u7684\u66f4\u65b0\u3001\u63d2\u5165\u6216\u5220\u9664\u8bbf\u95ee\uff0c\u4ee5\u53ca\u5bf9 Oracle Business Intelligence Enterprise Edition \u53ef\u8bbf\u95ee\u6570\u636e\u7684\u5b50\u96c6\u7684\u672a\u7ecf\u6388\u6743\u7684\u8bfb\u53d6\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Fusion Middleware\u548cOracle Business Intelligence Enterprise Edition\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-33106\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-21492",
  "serverity": "\u4e2d",
  "submitTime": "2022-04-20",
  "title": "Oracle Fusion Middleware\u548cOracle Business Intelligence Enterprise Edition\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-33106\uff09"
}

CVE-2022-21492 (GCVE-0-2022-21492)

Vulnerability from cvelistv5

Published

2022-04-19 20:38

Modified

2024-09-24 20:05

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data.

Summary

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server). The supported version that is affected is 5.9.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Business Intelligence Enterprise Edition	Version: 5.9.0.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:38.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T18:36:38.105010Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T20:05:55.960Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Business Intelligence Enterprise Edition",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "5.9.0.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server). The supported version that is affected is 5.9.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T20:38:45",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2022-21492",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Business Intelligence Enterprise Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "5.9.0.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server). The supported version that is affected is 5.9.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "6.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2022-21492",
    "datePublished": "2022-04-19T20:38:45",
    "dateReserved": "2021-11-15T00:00:00",
    "dateUpdated": "2024-09-24T20:05:55.960Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted