Vulnerability CVE-2016-3506 - CERT Civis.Net

Vulnerability Name:

CVE-2016-3506 (CCN-115131)

Assigned:

2016-07-19

Published:

2016-07-19

Updated:

2018-07-19

Summary:

Unspecified vulnerability in the JDBC component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2; the Oracle Retail Xstore Point of Service 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, and 16.0; the Oracle Retail Warehouse Management System 14.04, 14.1.3, and 15.0.1; the Oracle Retail Workforce Management 1.60.7, and 1.64.0; the Oracle Retail Clearance Optimization Engine 13.4; the Oracle Retail Markdown Optimization 13.4 and 14.0; and Oracle Retail Merchandising System 16.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVSS v3 Severity:

8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2016-3506

Source: CCN
Type: IBM Security Bulletin 787785 (Security Access Manager Appliance)
Multiple Security vulnerabilities have been fixed in the IBM Security Access Manager Appliance

Source: CCN
Type: Oracle CPUApr2017
Oracle Critical Patch Update Advisory - April 2017

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Source: CCN
Type: Oracle CPUApr2018
Oracle Critical Patch Update Advisory - April 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Source: CCN
Type: Oracle CPUJul2016
Oracle Critical Patch Update Advisory - July 2016

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Source: CCN
Type: Oracle CPUJul2017
Oracle Critical Patch Update Advisory - July 2017

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Source: CCN
Type: Oracle CPUJul2018
Oracle Critical Patch Update Advisory - July 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: CCN
Type: Oracle CPUOct2017
Oracle Critical Patch Update Advisory - October 2017

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: BID
Type: Third Party Advisory, VDB Entry
91787

Source: CCN
Type: BID-91787
Oracle July 2016 Critical Patch Update Multiple Vulnerabilities

Source: BID
Type: UNKNOWN
91867

Source: CCN
Type: BID-91867
Oracle Database Server CVE-2016-3506 Remote Security Vulnerability

Source: SECTRACK
Type: UNKNOWN
1036363

Source: XF
Type: UNKNOWN
oracle-cpujul2016-cve20163506(115131)

Source: CCN
Type: IBM Security Bulletin 1282324 (Security Information Queue)
IBM Security Information Queue uses database components with known vulnerabilities (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Source: CCN
Type: IBM Security Bulletin 6207897 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2016-3506)

Source: CCN
Type: IBM Security Bulletin 6494735 (Disconnected Log Collector)
IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities (CVE-2016-3506, CVE-2020-13692)

Source: CCN
Type: IBM Security Bulletin 6852633 (Tivoli Network Manager)
Due to use of Oracle JDBC component, ITNM is vulnerable to an unspecified vulnerability (CVE-2016-3506)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-3506

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:jdbc:11.2.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:jdbc:12.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:jdbc:12.1.0.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:retail_order_broker_cloud_service:5.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_order_broker_cloud_service:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:13.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:13.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:13.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_markdown_optimization:13.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_clearance_optimization_engine:13.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:5.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:6.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:6.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:micros_relate_crm_software:10.8:*:*:*:*:*:*:*

OR cpe:/a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:micros_relate_crm_software:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_assortment_planning:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_workforce_management:1.60.7:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_workforce_management:1.64.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*

AND

cpe:/o:ibm:security_access_manager_appliance_firmware:9.0.1.0:*:*:*:*:*:*:*

OR cpe:/o:ibm:security_access_manager_appliance_firmware:9.0.2.0:*:*:*:*:*:*:*

OR cpe:/h:ibm:security_access_manager_appliance:9.0.3.0:*:*:*:*:*:*:*

OR cpe:/h:ibm:security_access_manager_appliance:9.0.4.0:*:*:*:*:*:*:*

OR cpe:/h:ibm:security_access_manager_appliance:9.0.5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_information_queue:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_information_queue:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_information_queue:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_information_queue:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_information_queue:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*

Denotes that component is vulnerable