Exploit Title: Oracle Manager WebGate Subcomponent Unspecified Remote Information Disclosure
Product: Access Manager component in Oracle Fusion Middleware
Vulnerable Versions: 10.1.4.3, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0, and 220.127.116.11.0
Advisory Publication: Apr 15, 2014
Latest Update: Apr 15, 2014
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: CVE-2014-2404
Risk Level: Medium
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N) (legend)
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
Jing Wang has reported two vulnerabilities in Oracle Access Manager, which can be exploited by malicious users to disclose potentially sensitive information and cause a DoS (Denial of Service).
1) An unspecified error within the “WebGate” sub-component can be exploited to disclose certain Oracle Access Manager accessible data.
This vulnerability is reported in versions 10.1.4.3, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0, and 220.127.116.11.0.
2) An unspecified error within the “Webserver Plugin” sub-component can be exploited to cause a hang or frequently repeatable crash of the application.
This vulnerability is reported in version 18.104.22.168.
Solution : Apply updates.
Reported by : Jing Wang.
Changelog : 2014-06-13: Updated “Description” section and credits. Added
one link to the “Original Advisory” section.
Reference original advisory : Oracle: