Vulnerability Name:

CVE-2019-2904 (CCN-169217)

Assigned:2018-12-14
Published:2019-10-15
Updated:2021-05-18
Summary:Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-noinfo (no CWE assigned by the scoring source; the ZDI advisory cited under References classifies the flaw as deserialization of untrusted data, CWE-502)
Vulnerability Consequences:Other (ZDI-19-1024 describes the outcome as remote code execution)
References:Source: MITRE
Type: CNA
CVE-2019-2904

Source: CCN
Type: Oracle CPUOct2019
Oracle Critical Patch Update Advisory - October 2019

Source: MISC
Type: Patch, Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: XF
Type: UNKNOWN
oracle-cpuoct2019-cve20192904(169217)

Source: CCN
Type: Oracle CPUApr2020
Oracle Critical Patch Update Advisory - April 2020

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html

Source: CCN
Type: Oracle CPUApr2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2021.html

Source: CCN
Type: Oracle CPUJan2020
Oracle Critical Patch Update Advisory - January 2020

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Source: CCN
Type: Oracle CPUJul2020
Oracle Critical Patch Update Advisory - July 2020

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: CCN
Type: Oracle CPUOct2020
Oracle Critical Patch Update Advisory - October 2020

Source: CCN
Type: ZDI-19-1024
Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability

Source: MISC
Type: Third Party Advisory, VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-19-1024/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_collections:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_collections:2.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:clinical:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.4.0.5)
  • OR cpe:/a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* (Version >= 7.3.2 and <= 7.3.6)
  • OR cpe:/a:oracle:communications_service_broker:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_service_broker:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:* (Version >= 14.1.0 and <= 14.2.0)
  • OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:health_sciences_data_management_workbench:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:health_sciences_data_management_workbench:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hyperion_planning:11.1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rapid_planning:12.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:15.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:16.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_clearance_optimization_engine:13.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_clearance_optimization_engine:14.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_markdown_optimization:13.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_sales_audit:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_sales_audit:16.0.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_service_broker:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hyperion_planning:11.1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_service_broker:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
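The two configuration lists above mix exact-version CPE 2.2 URIs with wildcard URIs qualified by a "(Version >= a and <= b)" range, and the NVD and CCN lists spell the same release differently (banking_platform 2.4.0 versus 2.4). As an added example, not part of the original entry, the following Python parses lines in exactly that shape and decides whether a given vendor/product/version is covered; the sample entries are constructed copies of four lines from the lists above, and version comparison treats trailing ".0" components as insignificant so that the two spellings match.

```python
"""Match a product/version against 'Vulnerable Configuration' entries:
CPE 2.2 URIs, optionally followed by a '(Version >= a and <= b)' range.
Added example; SAMPLE_CONFIG is a constructed copy of four lines from the page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
  • cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.4.0.5)
  • OR cpe:/a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:* (Version >= 14.1.0 and <= 14.2.0)
"""

RANGE_RE = re.compile(r"\(Version\s+(>=|>)\s*([\w.]+)\s+and\s+(<=|<)\s*([\w.]+)\)")
Version = Tuple[int, ...]


def version_key(v: str) -> Version:
    """'12.2.1.3.0' -> (12, 2, 1, 3); trailing zeros dropped so '2.4.0' == '2.4'.
    Non-numeric components (rare in this list) compare as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Entry:
    vendor: str
    product: str
    version: Optional[str]          # exact version ('*' = any); None when ranged
    lo: Optional[Tuple[str, str]]   # (operator, bound), e.g. ('>=', '8.0.0.0')
    hi: Optional[Tuple[str, str]]


def parse_entry(line: str) -> Entry:
    text = line.strip().lstrip("•").strip()
    if text.startswith("OR "):
        text = text[3:].strip()
    rng = RANGE_RE.search(text)
    uri = text[: rng.start()].strip() if rng else text
    if not uri.startswith("cpe:/a:"):
        raise ValueError("only application CPE 2.2 URIs are handled: " + uri)
    fields = uri[len("cpe:/"):].split(":")   # part, vendor, product, version, ...
    vendor, product, version = fields[1], fields[2], fields[3]
    if rng:
        return Entry(vendor, product, None,
                     (rng.group(1), rng.group(2)), (rng.group(3), rng.group(4)))
    return Entry(vendor, product, version, None, None)


def _cmp(v: Version, op: str, bound: str) -> bool:
    b = version_key(bound)
    return {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b}[op]


def entry_matches(e: Entry, vendor: str, product: str, version: str) -> bool:
    if (e.vendor, e.product) != (vendor, product):
        return False
    v = version_key(version)
    if e.version is not None:
        return e.version == "*" or v == version_key(e.version)
    return _cmp(v, *e.lo) and _cmp(v, *e.hi)


def load_config(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def affected(config: List[Entry], vendor: str, product: str, version: str) -> List[Entry]:
    """All entries that cover the given installed version (empty list = not listed)."""
    return [e for e in config if entry_matches(e, vendor, product, version)]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for prod, ver in (("jdeveloper", "12.2.1.3.0"), ("jdeveloper", "12.2.1.4.0"),
                      ("banking_platform", "2.4.0"),
                      ("communications_diameter_signaling_router", "8.4.0.5"),
                      ("communications_diameter_signaling_router", "8.4.0.6")):
        print(prod, ver, "AFFECTED" if affected(cfg, "oracle", prod, ver) else "not listed")
```

An empty result means only that the version is not in the list, not that it is safe: Oracle's own advisory text states which releases are supported and patched, and a version newer than those listed (12.2.1.4.0 here) should be checked against the CPU rather than assumed clean.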