Summaryinfo

A vulnerability classified as critical has been found in Oracle Communications Unified Assurance up to 5.5.19/6.0.3. This issue affects some unknown processing of the component Core. The manipulation leads to denial of service. This vulnerability is documented as CVE-2023-42794. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability was found in Oracle Communications Unified Assurance up to 5.5.19/6.0.3 (Cloud Software). It has been rated as critical. This issue affects some unknown processing of the component Core. The manipulation with an unknown input leads to a denial of service vulnerability. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. The summary by CVE is:

Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

The weakness was released 01/16/2024 as Oracle Critical Patch Update Advisory - January 2024. It is possible to read the advisory at oracle.com. The identification of this vulnerability is CVE-2023-42794. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 239817 (TencentOS Server 3: tomcat (TSSA-2024:0045)), which helps to determine the existence of the flaw in a target environment.

A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (239817). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Cloud Software

Vendor

• Oracle

Name

• Communications Unified Assurance

Version

• 5.5.0
• 5.5.1
• 5.5.2
• 5.5.3
• 5.5.4
• 5.5.5
• 5.5.6
• 5.5.7
• 5.5.8
• 5.5.9
• 5.5.10
• 5.5.11
• 5.5.12
• 5.5.13
• 5.5.14
• 5.5.15
• 5.5.16
• 5.5.17
• 5.5.18
• 5.5.19
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion