csaf_certbund - wid-sec-w-2025-0805

WID-SEC-W-2025-0805

Vulnerability from csaf_certbund - Published: 2025-04-15 22:00 - Updated: 2025-04-15 22:00

Summary

Oracle Utilities Applications: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen Lösungen für Ver- und Entsorger.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen L\u00f6sungen f\u00fcr Ver- und Entsorger.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0805 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0805.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0805 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0805"
      },
      {
        "category": "external",
        "summary": "Oracle Critical Patch Update Advisory - April 2025 - Appendix Oracle Utilities Applications vom 2025-04-15",
        "url": "https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixUTIL"
      }
    ],
    "source_lang": "en-US",
    "title": "Oracle Utilities Applications: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-04-15T22:00:00.000+00:00",
      "generator": {
        "date": "2025-04-16T09:15:58.826+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0805",
      "initial_release_date": "2025-04-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-04-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.3.0.3.0-4.3.0.6.0",
                "product": {
                  "name": "Oracle Utilities Applications 4.3.0.3.0-4.3.0.6.0",
                  "product_id": "T042858",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.3.0.6.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.4.0.0.0",
                "product": {
                  "name": "Oracle Utilities Applications 4.4.0.0.0",
                  "product_id": "T042859",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.4.0.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.4.0.2.0",
                "product": {
                  "name": "Oracle Utilities Applications 4.4.0.2.0",
                  "product_id": "T042860",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.4.0.2.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.4.0.3.0",
                "product": {
                  "name": "Oracle Utilities Applications 4.4.0.3.0",
                  "product_id": "T042861",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.4.0.3.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.5.0.0.0",
                "product": {
                  "name": "Oracle Utilities Applications 4.5.0.0.0",
                  "product_id": "T042862",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.5.0.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.5.0.1.1",
                "product": {
                  "name": "Oracle Utilities Applications 4.5.0.1.1",
                  "product_id": "T042863",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.5.0.1.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.5.0.1.3",
                "product": {
                  "name": "Oracle Utilities Applications 4.5.0.1.3",
                  "product_id": "T042864",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:4.5.0.1.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "24.1.0.0.0-24.3.0.0.0",
                "product": {
                  "name": "Oracle Utilities Applications 24.1.0.0.0-24.3.0.0.0",
                  "product_id": "T042865",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:utilities:24.3.0.0.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Utilities Applications"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47072",
      "product_status": {
        "known_affected": [
          "T042860",
          "T042861",
          "T042862",
          "T042863",
          "T042864",
          "T042865",
          "T042858",
          "T042859"
        ]
      },
      "release_date": "2025-04-15T22:00:00.000+00:00",
      "title": "CVE-2024-47072"
    },
    {
      "cve": "CVE-2024-47554",
      "product_status": {
        "known_affected": [
          "T042860",
          "T042861",
          "T042862",
          "T042863",
          "T042864",
          "T042865",
          "T042858",
          "T042859"
        ]
      },
      "release_date": "2025-04-15T22:00:00.000+00:00",
      "title": "CVE-2024-47554"
    }
  ]
}

CVE-2024-47554 (GCVE-0-2024-47554)

Vulnerability from cvelistv5 – Published: 2024-10-03 11:32 – Updated: 2025-01-31 15:02

Summary

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Commons IO	Affected: 2.0 , < 2.14.0 (semver)

Credits

CodeQL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47554",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T13:00:56.326970Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T15:03:37.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-31T15:02:47.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/10/03/2"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250131-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "commons-io:commons-io",
          "product": "Apache Commons IO",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.14.0",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "CodeQL"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Commons IO.\u003c/p\u003e\u003cp\u003eThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-03T11:32:48.936Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-47554",
    "datePublished": "2024-10-03T11:32:48.936Z",
    "dateReserved": "2024-09-26T16:12:46.116Z",
    "dateUpdated": "2025-01-31T15:02:47.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47072 (GCVE-0-2024-47072)

Vulnerability from cvelistv5 – Published: 2024-11-07 23:38 – Updated: 2025-11-03 22:19

Summary

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-121 - Stack-based Buffer Overflow
CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/x-stream/xstream/security/advi…	x_refsource_CONFIRM
	https://github.com/x-stream/xstream/commit/bb838c…	x_refsource_MISC
	https://x-stream.github.io/CVE-2024-47072.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	x-stream	xstream	Affected: < 1.4.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "x-stream",
            "vendor": "x-stream",
            "versions": [
              {
                "lessThan": "1.4.21",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47072",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T15:17:42.864003Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-08T15:20:08.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:19:56.488Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T23:38:52.978Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"
        },
        {
          "name": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"
        },
        {
          "name": "https://x-stream.github.io/CVE-2024-47072.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://x-stream.github.io/CVE-2024-47072.html"
        }
      ],
      "source": {
        "advisory": "GHSA-hfq9-hggm-c56q",
        "discovery": "UNKNOWN"
      },
      "title": "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47072",
    "datePublished": "2024-11-07T23:38:52.978Z",
    "dateReserved": "2024-09-17T17:42:37.029Z",
    "dateUpdated": "2025-11-03T22:19:56.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0805

CVE-2024-47554 (GCVE-0-2024-47554)

CVE-2024-47072 (GCVE-0-2024-47072)

Tags

Sightings

Nomenclature