Due to the risk of exploitation, publishing detailed information about this vulnerability is not recommended. However, the Common Vulnerabilities and Exposures project has assigned this vulnerability the CVE identifier CVE-2019-1105.

Vulnerable components: Oracle JD Edwards EnterpriseOne Tools 9.2.6.4 and prior. JD Edwards EnterpriseOne Tools is an extensible business application built on the Oracle JD Edwards software. It provides email, data profiling, reporting, and workflow functionality for large enterprise organizations.

Vulnerable components: Easynode Web Server 9.2.6.4 and prior. Easynode Web Server is an application server for JD Edwards EnterpriseOne Tools. The component is an Apache Tomcat component and is used to host the application server for JD Edwards EnterpriseOne Tools.

Easynode Web Server is vulnerable to remote code execution due to improper validation of user input. An attacker can exploit this vulnerability to execute arbitrary code as the web server user. Exploiting this vulnerability requires no user interaction or knowledge of system passwords.

CVSS 3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C

References:

How to Upgrade to a New Version of Oracle JD Edwards EnterpriseOne Tools

You can find the latest versions of Oracle JD Edwards EnterpriseOne Tools and Easynode Web Server in the Oracle Support Portal.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 05:38:00 UTC
