This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Oracle First view 2019-04-22
Product Fmw Platform Last view 2020-07-14
Version Type Application
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:* 4
cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:* 4

Related : CVE

  Date Alert Description
7.5 2020-07-14 CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

7.5 2020-07-14 CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

7 2020-05-20 CVE-2020-9484

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

5.3 2019-04-22 CVE-2019-10247

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

CWE : Common Weakness Enumeration

%idName
25% (1) CWE-502 Deserialization of Untrusted Data
25% (1) CWE-476 NULL Pointer Dereference
25% (1) CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory L...
25% (1) CWE-200 Information Exposure

Snort® IPS/IDS

Date Description
2020-11-24 Apache Tomcat WebSocket length denial of service attempt
RuleID : 56086 - Type : SERVER-WEBAPP - Revision : 1
2020-10-22 Apache Tomcat HTTP/2 denial of service attempt
RuleID : 55801 - Type : SERVER-WEBAPP - Revision : 1
2020-10-22 Apache Tomcat HTTP/2 denial of service attempt
RuleID : 55800 - Type : SERVER-WEBAPP - Revision : 1
2020-07-07 Apache Tomcat FileStore directory traversal attempt
RuleID : 54162 - Type : SERVER-WEBAPP - Revision : 1