Vulnerability CVE-2013-5879 - CERT Civis.Net

Vulnerability Name:

CVE-2013-5879 (CCN-90282)

Assigned:

2013-09-18

Published:

2014-01-14

Updated:

2014-09-04

Summary:

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Maintenance.
Per: http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

"Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8."

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-5879

Source: OSVDB
Type: UNKNOWN
102030

Source: SECUNIA
Type: UNKNOWN
56463

Source: CCN
Type: SA57075
IBM WebSphere Portal Oracle Outside In Technology Denial of Service Vulnerability

Source: SECUNIA
Type: UNKNOWN
59704

Source: SECUNIA
Type: UNKNOWN
60504

Source: CCN
Type: IBM Security Bulletin 1664355
Fix available for security vulnerability in Oracle Outside In Technology Code contained in IBM WebSphere Portal (CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1665361
Security Bulletin: Open Source Oracle Jan 2014 - Oracle Outside In vulnerability in IBM Content Navigator (CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1668536
Content Manager Enterprise Edition with use of Outside Technology Vulnerability (CVE-2013-5879)

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21669519

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21682096

Source: CCN
Type: IBM Security Bulletin 1660394
Vulnerability in IBM Content Classification(CVE-2013-5879, CVE-2014-0411)

Source: CCN
Type: IBM Security Bulletin 1665738
Security Bulletin eDiscovery Analyzer (CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1665739
Security Bulletin eDiscovery Manager (CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1669459
IBM Connections Security Refresh for security vulnerabilities in Oracle Outside In Technology Code (CVE-2013-5791 CVE-2013-5763 CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1669519
IBM Content Collector affected by vulnerabilities in Oracle Outside In Technology (CVE-2013-5879) and IBM SDK Java Technology Edition, Version 6 (CVE-2014-0411)

Source: CCN
Type: IBM Security Bulletin 1672337
One vulnerability in IBM FileNet Content Manager and IBM Content Foundation (CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1678830
Multiple security vulnerabilities in IBM Content Analytics with Enterprise Search and IBM OmniFind Enterprise Edition (CVE-2014-0114, CVE-2014-0050, CVE-2013-5879)

Source: CCN
Type: IBM Security Bulletin 1682096
IBM DB2 Accessories Suite for Linux, UNIX and Windows denial of service vulneribility (CVE-2013-5879)

Source: CCN
Type: Oracle Web site
Oracle Critical Patch Update Advisory - January 2014

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Source: BID
Type: UNKNOWN
64758

Source: CCN
Type: BID-64758
RETIRED: Oracle January 2014 Critical Patch Update Multiple Vulnerabilities

Source: BID
Type: UNKNOWN
64825

Source: CCN
Type: BID-64825
Oracle Outside In Technology CVE-2013-5879 Local Security Vulnerability

Source: SECTRACK
Type: UNKNOWN
1029613

Source: XF
Type: UNKNOWN
oracle-cpujan2014-cve20135879(90282)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:fusion_middleware:8.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:fusion_middleware:8.4.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:fusion_middleware:8.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:fusion_middleware:8.4.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:websphere_portal:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:connections:4.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_collector:3.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:filenet_content_manager:5.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:connections:3.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:connections:4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_navigator:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_navigator:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:filenet_content_manager:5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:6.1.5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:6.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:6.0.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:content_manager:8.5:*:*:*:*:enterprise:*:*

OR cpe:/a:ibm:websphere_portal:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_portal:6.0:*:*:*:*:*:*:*

Denotes that component is vulnerable