Vulnerability Name:

CVE-2015-6014 (CCN-109804)

Assigned:2015-08-14
Published:2016-01-19
Updated:2017-09-10
Summary:Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2015-4808, CVE-2015-6013, CVE-2015-6015, and CVE-2016-0432.
Note: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this issue is a stack-based buffer overflow in Oracle Outside In 8.5.2 and earlier, which allows remote attackers to execute arbitrary code via a crafted DOC file.
CVSSv2 score based on information provided by https://www.kb.cert.org/vuls/id/916896.
Score may vary based on implementation.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2015-6014

Source: CCN
Type: Microsoft Security Bulletin MS16-079
Security Update for Microsoft Exchange Server (3160339)

Source: CCN
Type: Microsoft Security Bulletin MS16-108
Security Update for Microsoft Exchange Server (3185883)

Source: CCN
Type: Microsoft Security Bulletin MS17-015
Security Update for Microsoft Exchange Server (4013242)

Source: CCN
Type: IBM Security Bulletin 1975750 (WebSphere Portal)
Vulnerabilities in Oracle Outside In Technology affect IBM WebSphere Portal

Source: CCN
Type: IBM Security Bulletin 1975822 (FileNet Content Manager)
Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation.

Source: CCN
Type: IBM Security Bulletin 1978747 (Rational DOORS Next Generation)
Multiple Vulnerabilities in Oracle Outside In Technology affects IBM Rational DOORS Next Generation

Source: CCN
Type: US-CERT VU#916896
Oracle Outside In 8.5.2 contains multiple stack buffer overflows

Source: CCN
Type: Oracle Critical Patch Update Advisory - January 2016
Oracle Critical Patch Update Advisory - January 2016

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Source: BID
Type: UNKNOWN
81233

Source: SECTRACK
Type: UNKNOWN
1034711

Source: XF
Type: UNKNOWN
oracle-cpujan2016-cve20156014(109804)

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#916896

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:outside_in_technology:8.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:outside_in_technology:8.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:outside_in_technology:8.5.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:oracle:outside_in_technology:8.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:outside_in_technology:8.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:outside_in_technology:8.5.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_portal:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2007:sp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2013:cumulative_update_11:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2016:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2013:cumulative_update_12:*:*:*:*:*:*
  • OR cpe:/a:microsoft:exchange_server:2016:cumulative_update_1:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.cisecurity:def:909
    V
    		Oracle Outside In Libraries Elevation of Privilege Vulnerabilities – CVE-2015-6014 (MS16-079)
    2016-07-29
    BACK
    oracle outside in technology 8.5.0
    oracle outside in technology 8.5.1
    oracle outside in technology 8.5.2
    oracle outside in technology 8.5.0
    oracle outside in technology 8.5.1
    oracle outside in technology 8.5.2
    ibm websphere portal 7.0
    ibm websphere portal 8.0
    microsoft exchange server 2007 sp3
    ibm filenet content manager 5.2.0
    microsoft exchange server 2010 sp3
    ibm filenet content manager 5.1.0
    ibm websphere portal 8.5
    microsoft exchange server 2013 sp1
    ibm websphere portal 6.1
    ibm filenet content manager 5.2.1
    ibm rational doors next generation 5.0.2
    microsoft exchange server 2013 cumulative_update_11
    microsoft exchange server 2016
    ibm rational doors next generation 6.0
    ibm rational doors next generation 6.0.1
    microsoft exchange server 2013 cumulative_update_12
    microsoft exchange server 2016 cumulative_update_1