Vulnerability Details : CVE-2018-15756

CVE Name: CVE-2018-15756: Dos vulnerability on Vmware Spring Framework, Oracle Flexcube Private Banking, Oracle Insurance Policy Administration J2Ee, Oracle Retail Xstore Point Of Service, Oracle Weblogic Server, Oracle Retail Invoice Matching, Oracle Primavera Gateway, Oracle Communications Unified Inventory Management, Oracle Endeca Information Discovery Integrator, Oracle Enterprise Manager Ops Center, Oracle Healthcare Master Person Index, Oracle Insurance Calculation Engine, Oracle Insurance Rules Palette, Oracle Retail Integration Bus, Oracle Retail Order Broker, Oracle Retail Predictive Application Server, Oracle Retail Service Backbone, Oracle Webcenter Sites, Oracle Agile Plm, Oracle Communications Converged Application Server Service Controller, Oracle Communications Element Manager, Oracle Communications Online Mediation Controller, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Oracle Enterprise Manager For Fusion Applications, Oracle Goldengate Application Adapters, Oracle Identity Manager Connector, Oracle Mysql Enterprise Monitor, Oracle Rapid Planning, Oracle Retail Assortment Planning, Oracle Retail Clearance Optimization Engine, Oracle Retail Financial Integration, Oracle Communications Brm Elastic Charging Engine, Oracle Communications Diameter Signaling Router, Oracle Financial Services Analytical Applications Infrastructure, Oracle Primavera Analytics, Oracle Retail Advanced Inventory Planning, Oracle Retail Markdown Optimization, Oracle Tape Library Acsls, Debian Debian Linux
Description: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Publish date: 2018-10-18T22:29Z
Last Update: 2022-05-13T20:56Z

CVSS Scores & Vulnerability Types

CVSS Score
7.5
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH
Actack VectorNETWORK
Actack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Vulnerability Type(s)Dos
CWE IDN/I

Products Affected By CVE-2018-15756

# Vendor Product Vulnerable Versions
1 Vmware Spring Framework 3
2 Oracle Flexcube Private Banking 3
3 Oracle Insurance Policy Administration J2Ee 8
4 Oracle Retail Xstore Point Of Service 1
5 Oracle Weblogic Server 4
6 Oracle Retail Invoice Matching 6
7 Oracle Primavera Gateway 4
8 Oracle Communications Unified Inventory Management 2
9 Oracle Endeca Information Discovery Integrator 1
10 Oracle Enterprise Manager Ops Center 1
11 Oracle Healthcare Master Person Index 2
12 Oracle Insurance Calculation Engine 4
13 Oracle Insurance Rules Palette 9
14 Oracle Retail Integration Bus 4
15 Oracle Retail Order Broker 4
16 Oracle Retail Predictive Application Server 8
17 Oracle Retail Service Backbone 3
18 Oracle Webcenter Sites 1
19 Oracle Agile Plm 4
20 Oracle Communications Converged Application Server Service Controller 2
21 Oracle Communications Element Manager 3
22 Oracle Communications Online Mediation Controller 1
23 Oracle Communications Session Report Manager 5
24 Oracle Communications Session Route Manager 5
25 Oracle Enterprise Manager For Fusion Applications 1
26 Oracle Goldengate Application Adapters 1
27 Oracle Identity Manager Connector 1
28 Oracle Mysql Enterprise Monitor 2
29 Oracle Rapid Planning 2
30 Oracle Retail Assortment Planning 2
31 Oracle Retail Clearance Optimization Engine 1
32 Oracle Retail Financial Integration 4
33 Oracle Communications Brm Elastic Charging Engine 2
34 Oracle Communications Diameter Signaling Router 4
35 Oracle Financial Services Analytical Applications Infrastructure 1
36 Oracle Primavera Analytics 1
37 Oracle Retail Advanced Inventory Planning 1
38 Oracle Retail Markdown Optimization 1
39 Oracle Tape Library Acsls 1
40 Debian Debian Linux 1

Detail of Verions Affected

# Product Type Vendor Product Version
1 Application Vmware Spring Framework *
2 Application Vmware Spring Framework *
3 Application Vmware Spring Framework 5.1.0
4 Application Oracle Flexcube Private Banking 12.1.0
5 Application Oracle Insurance Policy Administration J2Ee 10.2.0
6 Application Oracle Retail Xstore Point Of Service 7.1
7 Application Oracle Weblogic Server 12.1.3.0.0
8 Application Oracle Retail Invoice Matching 13.0
9 Application Oracle Flexcube Private Banking 12.0.1
10 Application Oracle Primavera Gateway 16.2
11 Application Oracle Primavera Gateway 15.2
12 Application Oracle Retail Invoice Matching 12.0
13 Application Oracle Flexcube Private Banking 12.0.3
14 Application Oracle Communications Unified Inventory Management 7.3
15 Application Oracle Endeca Information Discovery Integrator 3.2.0
16 Application Oracle Enterprise Manager Ops Center 12.3.3
17 Application Oracle Healthcare Master Person Index 3.0
18 Application Oracle Insurance Calculation Engine 10.2
19 Application Oracle Insurance Rules Palette 10.0
20 Application Oracle Insurance Rules Palette 10.1
21 Application Oracle Insurance Rules Palette 10.2
22 Application Oracle Insurance Rules Palette 10.2.0
23 Application Oracle Insurance Rules Palette 11.0
24 Application Oracle Retail Integration Bus 15.0
25 Application Oracle Retail Order Broker 5.1
26 Application Oracle Retail Order Broker 5.2
27 Application Oracle Retail Order Broker 15.0
28 Application Oracle Retail Order Broker 16.0
29 Application Oracle Retail Predictive Application Server 16.0
30 Application Oracle Retail Service Backbone 15.0
31 Application Oracle Webcenter Sites 12.2.1.3.0
32 Application Oracle Weblogic Server 10.3.6.0.0
33 Application Oracle Weblogic Server 12.2.1.3.0
34 Application Oracle Agile Plm 9.3.3
35 Application Oracle Agile Plm 9.3.4
36 Application Oracle Agile Plm 9.3.5
37 Application Oracle Agile Plm 9.3.6
38 Application Oracle Communications Converged Application Server Service Controller 6.1
39 Application Oracle Communications Element Manager 8.1.1
40 Application Oracle Communications Element Manager 8.2.0
41 Application Oracle Communications Element Manager 8.2.1
42 Application Oracle Communications Online Mediation Controller 6.1
43 Application Oracle Communications Session Report Manager 8.1.1
44 Application Oracle Communications Session Report Manager 8.2.0
45 Application Oracle Communications Session Report Manager 8.2.1
46 Application Oracle Communications Session Route Manager 8.1.1
47 Application Oracle Communications Session Route Manager 8.2.0
48 Application Oracle Communications Session Route Manager 8.2.1
49 Application Oracle Communications Unified Inventory Management 7.4.0
50 Application Oracle Enterprise Manager For Fusion Applications 13.3.0.0
51 Application Oracle Goldengate Application Adapters 12.3.2.1.0
52 Application Oracle Identity Manager Connector 9.0
53 Application Oracle Insurance Policy Administration J2Ee 10.0
54 Application Oracle Insurance Policy Administration J2Ee 10.2
55 Application Oracle Mysql Enterprise Monitor *
56 Application Oracle Mysql Enterprise Monitor *
57 Application Oracle Primavera Gateway 17.12
58 Application Oracle Rapid Planning 12.1
59 Application Oracle Rapid Planning 12.2
60 Application Oracle Retail Assortment Planning 15.0
61 Application Oracle Retail Assortment Planning 16.0
62 Application Oracle Retail Clearance Optimization Engine 14.0.5
63 Application Oracle Retail Financial Integration 14.0
64 Application Oracle Retail Financial Integration 14.1
65 Application Oracle Retail Financial Integration 15.0
66 Application Oracle Retail Financial Integration 16.0
67 Application Oracle Retail Integration Bus 16.0
68 Application Oracle Retail Invoice Matching 13.1
69 Application Oracle Retail Invoice Matching 13.2
70 Application Oracle Retail Invoice Matching 14.0
71 Application Oracle Retail Invoice Matching 14.1
72 Application Oracle Retail Predictive Application Server 15.0.3
73 Application Oracle Weblogic Server 12.2.1.4.0
74 Application Oracle Communications Brm Elastic Charging Engine 11.3
75 Application Oracle Communications Brm Elastic Charging Engine 12.0
76 Application Oracle Communications Converged Application Server Service Controller 6.0
77 Application Oracle Communications Diameter Signaling Router 8.0.0
78 Application Oracle Communications Diameter Signaling Router 8.1
79 Application Oracle Communications Diameter Signaling Router 8.2
80 Application Oracle Communications Diameter Signaling Router 8.2.1
81 Application Oracle Communications Session Report Manager 8.0.0
82 Application Oracle Communications Session Report Manager 8.1.0
83 Application Oracle Communications Session Route Manager 8.0.0
84 Application Oracle Communications Session Route Manager 8.1.0
85 Application Oracle Financial Services Analytical Applications Infrastructure *
86 Application Oracle Healthcare Master Person Index 4.0.2
87 Application Oracle Insurance Calculation Engine 9.7
88 Application Oracle Insurance Calculation Engine 10.0
89 Application Oracle Insurance Calculation Engine 10.1
90 Application Oracle Insurance Policy Administration J2Ee 10.1
91 Application Oracle Insurance Policy Administration J2Ee 10.2.4
92 Application Oracle Insurance Policy Administration J2Ee 11.0
93 Application Oracle Insurance Policy Administration J2Ee 11.1.0
94 Application Oracle Insurance Policy Administration J2Ee 11.2.0
95 Application Oracle Insurance Rules Palette 10.2.4
96 Application Oracle Insurance Rules Palette 11.0.2
97 Application Oracle Insurance Rules Palette 11.1.0
98 Application Oracle Insurance Rules Palette 11.2.0
99 Application Oracle Primavera Analytics 18.8
100 Application Oracle Primavera Gateway 18.8.0
101 Application Oracle Retail Advanced Inventory Planning 15.0
102 Application Oracle Retail Integration Bus 15.0.3
103 Application Oracle Retail Integration Bus 16.0.3
104 Application Oracle Retail Markdown Optimization 13.4.4
105 Application Oracle Retail Predictive Application Server 14.0.3
106 Application Oracle Retail Predictive Application Server 14.0.3.26
107 Application Oracle Retail Predictive Application Server 14.1.3
108 Application Oracle Retail Predictive Application Server 14.1.3.37
109 Application Oracle Retail Predictive Application Server 15.0.3.100
110 Application Oracle Retail Predictive Application Server 16.0.3
111 Application Oracle Retail Service Backbone 16.0
112 Application Oracle Retail Service Backbone 16.0.1
113 Application Oracle Tape Library Acsls 8.5
114 Operating System Debian Debian Linux 9.0

References For CVE-2018-15756

Hyperlink Resource
https://pivotal.io/security/cve-2018-15756 Vendor Advisory
http://www.securityfocus.com/bid/105703 Third Party Advisory, URL Repurposed, VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E Issue Tracking, Mailing List, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html Mailing List, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Not Applicable, Third Party Advisory