Rewterz Threat Advisory – Oracle Primavera P6 Enterprise Project Portfolio Management Multiple Vulnerabilities

Severity

High

Analysis Summary

Multiple vulnerabilities have been reported in Oracle Primavera P6 Enterprise Project Portfolio Management, which may lead to disclosure of sensitive information and security bypass, if exploited.
 

CVE-2018-0734
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. Variations in the signing algorithm can be used by an attacker to recover the private key. 
 

CVE-2016-1000031
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

CVE-2018-0735
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. 

Impact

• Exposure of sensitive information 
• Security Bypass 
• Other Unknown impact

Affected Vendors

Oracle

Affected Products

Oracle Primavera P6 Enterprise Project Portfolio Management 8.4

Remediation

Apply update.

https://support.oracle.com/rs?type=doc&id=2512516.1

Additional Information:

CVE-2018-0734

Fixed in OpenSSL 1.1.1a (Affected 1.1.1)

Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)

Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p)

CVE-2018-0735

Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)

Fixed in OpenSSL 1.1.1a (Affected 1.1.1)