CVE-2018-1000122, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000300, CVE-2018-1000301
Oracle has released updates that fix multiple vulnerabilities in Oracle HTTP Server.
PUBLISH DATE: 18-10-2018
Multiple vulnerabilities have been reported in Oracle HTTP Server. An attacker can exploit them to disclose potentially sensitive information, cause a denial of service, or compromise a vulnerable system.
The following curl vulnerabilities have been reported in Oracle HTTP Server.
CVE-2018-1000122: A buffer over-read exists in curl 7.20.0 to and including 7.58.0 in the RTSP+RTP handling code. It allows an attacker to leak information or cause a denial of service.
CVE-2018-1000120: A buffer overflow exists in curl 7.12.3 to and including 7.58.0 in the FTP URL handling. It may lead to a denial of service or worse.
CVE-2018-1000121: A NULL pointer dereference in curl 7.21.0 to and including 7.58.0 in the LDAP code may allow an attacker to cause a denial of service.
CVE-2018-1000300: curl 7.54.1 to and including 7.59.0 contains a heap-based buffer overflow (CWE-122) that can result in a denial of service and more. curl may overflow a heap-based memory buffer when closing down an FTP connection with very long server command replies. Versions before 7.54.1 are not affected; the issue is fixed in curl 7.60.0.
CVE-2018-1000301: curl 7.20.0 to and including 7.59.0 contains a buffer over-read (CWE-126) that can result in a denial of service. curl can be tricked into reading data beyond the end of a heap-based buffer used to store downloaded RTSP content. Versions before 7.20.0 are not affected; the issue is fixed in curl 7.60.0.
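The five issues above are defined entirely by inclusive curl version ranges, so the first practical step on an Oracle HTTP Server host is to find out which curl/libcurl build it carries and compare it against those ranges. The script below is an added example and is not code from the advisory, from Oracle or from the curl project. It assumes you can obtain a curl or libcurl version string from the installation (for example the first line of `curl --version`, or a `libcurl/x.y.z` token pulled with `strings` from the shared library); the sample inputs are constructed, not captured from a real host. It encodes exactly the ranges stated above and nothing else.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, copied from the advisory text above.
# Only the last affected release is recorded, because that is all the
# advisory states for the first three entries.
ADVISORY_RANGES: List[Tuple[str, Version, Version, str]] = [
    ("CVE-2018-1000122", (7, 20, 0), (7, 58, 0), "RTSP+RTP buffer over-read"),
    ("CVE-2018-1000120", (7, 12, 3), (7, 58, 0), "FTP URL buffer overflow"),
    ("CVE-2018-1000121", (7, 21, 0), (7, 58, 0), "LDAP NULL pointer dereference"),
    ("CVE-2018-1000300", (7, 54, 1), (7, 59, 0), "FTP close heap-based overflow"),
    ("CVE-2018-1000301", (7, 20, 0), (7, 59, 0), "RTSP heap-based buffer over-read"),
]

# Matches "curl 7.58.0" (first line of `curl --version`) and "libcurl/7.58.0"
# (the token curl also emits in its User-Agent and embeds in the library).
# \bcurl does not match inside "libcurl", so the two forms cannot collide.
_VERSION_RE = re.compile(r"(?:\bcurl\s+|libcurl/)(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(text: str) -> Optional[Version]:
    """Return the first curl/libcurl version found in text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def applicable_cves(version: Version) -> List[str]:
    """CVEs from the advisory whose inclusive range contains version."""
    # Tuple comparison is lexicographic, so (7, 9, 0) < (7, 10, 0) as intended.
    return [cve for cve, first, last, _ in ADVISORY_RANGES if first <= version <= last]


def assess(version_output: str) -> Dict[str, object]:
    """Parse a captured version string and report the matching CVEs."""
    version = parse_curl_version(version_output)
    if version is None:
        return {"version": None, "cves": [], "note": "no curl version found in input"}
    cves = applicable_cves(version)
    return {
        "version": "%d.%d.%d" % version,
        "cves": cves,
        "note": "patch required" if cves else "outside all listed ranges",
    }


# Constructed sample inputs (not captured from a real Oracle HTTP Server host).
SAMPLE_OUTPUTS = {
    "vulnerable-7.58.0": "curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11",
    "vulnerable-7.59.0": "libcurl/7.59.0",
    "fixed-7.60.0": "curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h",
}

if __name__ == "__main__":
    for label, output in SAMPLE_OUTPUTS.items():
        print(label, assess(output))
```

A match here is a prompt to check, not proof: vendor builds can carry backported fixes while still reporting the upstream version number, so the authoritative answer for an Oracle HTTP Server installation is whether the update Oracle released for it has been applied.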
AFFECTED SOFTWARE: Oracle HTTP Server 12.x
Apply the updates Oracle has released for Oracle HTTP Server 12.x to avoid becoming a victim of successful exploitation of these vulnerabilities.
(users will need to log in to access the link)