BDU:2020-05190: jQuery library vulnerability related to failure to protect web page structure, allowing an attacker to affect the integrity of protected information

Vulnerability description: The jQuery library vulnerability is related to failure to protect web page structure. Exploitation of the vulnerability may allow a remote attacker to affect the integrity of protected information.
Vendor: Oracle Corp., ООО «РусБИТех-Астра», free software community, Novell Inc., Fedora Project, Red Hat Inc., The jQuery Foundation, АО «НППКТ»
Software name: WebLogic Server, Retail Back Office, Retail Central Office, Retail Returns Management, PeopleSoft Enterprise PeopleTools, Astra Linux Special Edition (entry No. 369 in the Unified Register of Russian Software), Debian GNU/Linux, WebCenter Sites, Oracle JDeveloper, Astra Linux Common Edition (entry No. 4433 in the Unified Register of Russian Software), Communications Application Session Controller, Communications Operations Monitor, OpenSUSE Leap, Application Testing Suite, Fedora, Insurance Allocation Manager for Enterprise Profitability, Hyperion Financial Reporting, Oracle Policy Automation Connector for Siebel, Astra Linux Special Edition for «Эльбрус» (entry No. 11156 in the Unified Register of Russian Software), PeopleSoft Enterprise HCM Human Resources, Oracle Hospitality Materials Control, Oracle Healthcare Foundation, Oracle Agile Product Lifecycle Management for Process, Oracle Financial Services Liquidity Risk Measurement and Management, Oracle Financial Services Market Risk Measurement and Management, Oracle Communications Element Manager, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Oracle Banking Enterprise Collections, Primavera Gateway, Oracle Financial Services Liquidity Risk Management, Oracle Financial Services Hedge Management and IFRS Valuations, Financial Services Balance Sheet Planning, Oracle Financial Services Loan Loss Forecasting and Provisioning, Oracle Financial Services Asset Liability Management, Financial Services Profitability Management, Financial Services Funds Transfer Pricing, Financial Services Price Creation and Discovery, Openshift Service Mesh, Enterprise Manager Ops Center, Financial Services Analytical Applications Infrastructure, Oracle FLEXCUBE Private Banking, Communications Billing and Revenue Management, Oracle Communications Interactive Session Recorder, Communications Analytics, Communications Diameter Signaling Router, Oracle Banking Digital Experience, REST Data Services, Banking Platform, Communications WebRTC Session Controller, Oracle Hospitality Simphony, A-MQ Interconnect, Financial Services Institutional Performance Analytics, Insurance Insbridge Rating and Underwriting, jQuery, Oracle Enterprise Session Border Controller, Oracle Financial Services Analytical Applications Reconciliation Framework, Oracle Financial Services Basel Regulatory Capital Basic, Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, Oracle Financial Services Data Foundation, Oracle Financial Services Data Integration Hub, Insurance Accounting Analyzer, Oracle Insurance Data Foundation, Oracle Policy Automation, Oracle Policy Automation for Mobile Devices, Oracle Retail Customer Management and Segmentation Foundation, Siebel UI Framework, JD Edwards EnterpriseOne Orchestrator, StorageTek Tape Analytics SW Tool, JD Edwards EnterpriseOne Tools, Transportation Management, Siebel Mobile Applications, ОСОН ОСнова Onyx (entry No. 5913 in the Unified Register of Russian Software)
Software version:
  • 10.3.6.0.0 (WebLogic Server)
  • 12.1.3.0.0 (WebLogic Server)
  • 14.0 (Retail Back Office)
  • 14.1 (Retail Back Office)
  • 14.0 (Retail Central Office)
  • 14.1 (Retail Central Office)
  • 14.0 (Retail Returns Management)
  • 14.1 (Retail Returns Management)
  • 8.56 (PeopleSoft Enterprise PeopleTools)
  • 8.57 (PeopleSoft Enterprise PeopleTools)
  • 1.6 «Смоленск» (Astra Linux Special Edition)
  • 8.0 (Debian GNU/Linux)
  • 9.0 (Debian GNU/Linux)
  • 12.2.1.3.0 (WebLogic Server)
  • 12.2.1.3.0 (WebCenter Sites)
  • 12.2.1.3.0 (Oracle JDeveloper)
  • 2.12 «Орёл» (Astra Linux Common Edition)
  • 3.8.0 (Communications Application Session Controller)
  • 3.4 (Communications Operations Monitor)
  • 15.1 (OpenSUSE Leap)
  • 10.0 (Debian GNU/Linux)
  • 13.3.0.1 (Application Testing Suite)
  • 31 (Fedora)
  • 8.0.8 (Insurance Allocation Manager for Enterprise Profitability)
  • 11.1.2.4 (Hyperion Financial Reporting)
  • 10.4.6 (Oracle Policy Automation Connector for Siebel)
  • 12.2.1.4.0 (WebLogic Server)
  • 8.1 «Ленинград» (Astra Linux Special Edition for «Эльбрус»)
  • 9.2 (PeopleSoft Enterprise HCM Human Resources)
  • 18.1 (Oracle Hospitality Materials Control)
  • 7.1.1 (Oracle Healthcare Foundation)
  • 6.2.0.0 (Oracle Agile Product Lifecycle Management for Process)
  • 8.0.7 (Oracle Financial Services Liquidity Risk Measurement and Management)
  • 8.0.8 (Oracle Financial Services Liquidity Risk Measurement and Management)
  • 8.0.6 (Oracle Financial Services Market Risk Measurement and Management)
  • 8.0.8 (Oracle Financial Services Market Risk Measurement and Management)
  • 32 (Fedora)
  • 8.58 (PeopleSoft Enterprise PeopleTools)
  • 8.1.1 (Oracle Communications Element Manager)
  • 8.2.0 (Oracle Communications Element Manager)
  • 8.1.1 (Oracle Communications Session Report Manager)
  • 8.2.0 (Oracle Communications Session Report Manager)
  • 8.1.1 (Oracle Communications Session Route Manager)
  • 8.2.0 (Oracle Communications Session Route Manager)
  • 2.7.0 (Oracle Banking Enterprise Collections)
  • 2.8.0 (Oracle Banking Enterprise Collections)
  • from 16.2.0 to 16.2.11 inclusive (Primavera Gateway)
  • 8.0.6 (Oracle Financial Services Liquidity Risk Management)
  • from 8.0.6 to 8.0.8 inclusive (Oracle Financial Services Hedge Management and IFRS Valuations)
  • 8.0.8 (Financial Services Balance Sheet Planning)
  • from 8.0.6 to 8.0.8 inclusive (Oracle Financial Services Loan Loss Forecasting and Provisioning)
  • 8.0.6 (Oracle Financial Services Asset Liability Management)
  • 8.0.7 (Oracle Financial Services Asset Liability Management)
  • 8.0.6 (Financial Services Profitability Management)
  • 8.0.7 (Financial Services Profitability Management)
  • 8.0.6 (Financial Services Funds Transfer Pricing)
  • 8.0.7 (Financial Services Funds Transfer Pricing)
  • 8.0.7 (Financial Services Price Creation and Discovery)
  • 1.0 (Openshift Service Mesh)
  • 15.2 (OpenSUSE Leap)
  • 8.2.1 (Oracle Communications Element Manager)
  • 8.2.1 (Oracle Communications Session Report Manager)
  • 8.2.1 (Oracle Communications Session Route Manager)
  • 14.1.1.0.0 (WebLogic Server)
  • 12.4.0.0 (Enterprise Manager Ops Center)
  • from 8.0.6 to 8.1.0 inclusive (Financial Services Analytical Applications Infrastructure)
  • 12.0.0 (Oracle FLEXCUBE Private Banking)
  • 12.1.0 (Oracle FLEXCUBE Private Banking)
  • from 17.12.0 to 17.12.7 inclusive (Primavera Gateway)
  • from 18.8.0 to 18.8.9 inclusive (Primavera Gateway)
  • from 19.12.0 to 19.12.4 inclusive (Primavera Gateway)
  • 7.5.0.23.0 (Communications Billing and Revenue Management)
  • 12.0.0.3.0 (Communications Billing and Revenue Management)
  • 12.2.1.4.0 (WebCenter Sites)
  • from 6.1 to 6.4 inclusive (Oracle Communications Interactive Session Recorder)
  • 12.1.1 (Communications Analytics)
  • from 8.0.0 to 8.2.2 inclusive (Communications Diameter Signaling Router)
  • 18.1 (Oracle Banking Digital Experience)
  • 18.2 (Oracle Banking Digital Experience)
  • 18.3 (Oracle Banking Digital Experience)
  • 19.1 (Oracle Banking Digital Experience)
  • 19.2 (Oracle Banking Digital Experience)
  • 20.1 (Oracle Banking Digital Experience)
  • 11.2.0.4 (REST Data Services)
  • 12.1.0.2 (REST Data Services)
  • 12.2.0.1 (REST Data Services)
  • 18c (REST Data Services)
  • from 2.4.0 to 2.10.0 inclusive (Banking Platform)
  • 33 (Fedora)
  • 7.2 (Communications WebRTC Session Controller)
  • 18.1 (Oracle Hospitality Simphony)
  • 18.2 (Oracle Hospitality Simphony)
  • from 19.1.0 to 19.1.2 inclusive (Oracle Hospitality Simphony)
  • 1.y for RHEL 7 (A-MQ Interconnect)
  • 8.0.6 (Financial Services Institutional Performance Analytics)
  • 8.1.0 (Financial Services Institutional Performance Analytics)
  • 8.0.6 (Financial Services Price Creation and Discovery)
  • from 5.0.0.0 to 5.6.0.0 inclusive (Insurance Insbridge Rating and Underwriting)
  • 5.6.1.0 (Insurance Insbridge Rating and Underwriting)
  • 19c (REST Data Services)
  • 7.2.0 (Oracle Healthcare Foundation)
  • 7.2.1 (Oracle Healthcare Foundation)
  • 7.3.0 (Oracle Healthcare Foundation)
  • from 1.2 to 3.5.0 (jQuery)
  • 8.4 (Oracle Enterprise Session Border Controller)
  • from 8.0.6 to 8.0.8 inclusive (Oracle Financial Services Analytical Applications Reconciliation Framework)
  • 8.1.0 (Oracle Financial Services Analytical Applications Reconciliation Framework)
  • 8.1.0 (Oracle Financial Services Asset Liability Management)
  • 8.1.0 (Oracle Financial Services Basel Regulatory Capital Basic)
  • from 8.0.6 to 8.0.8 inclusive (Oracle Financial Services Basel Regulatory Capital Basic)
  • from 8.0.6 to 8.0.8 inclusive (Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach)
  • 8.1.0 (Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach)
  • from 8.0.6 to 8.1.0 inclusive (Oracle Financial Services Data Foundation)
  • 8.0.6 (Oracle Financial Services Data Integration Hub)
  • 8.0.7 (Oracle Financial Services Data Integration Hub)
  • 8.1.0 (Oracle Financial Services Data Integration Hub)
  • 8.1.0 (Financial Services Funds Transfer Pricing)
  • 8.1.0 (Oracle Financial Services Hedge Management and IFRS Valuations)
  • 8.0.7 (Financial Services Institutional Performance Analytics)
  • 8.1.0 (Oracle Financial Services Liquidity Risk Measurement and Management)
  • 8.1.0 (Oracle Financial Services Loan Loss Forecasting and Provisioning)
  • 8.1.0 (Financial Services Profitability Management)
  • 8.0.9 (Insurance Accounting Analyzer)
  • 8.1.0 (Insurance Allocation Manager for Enterprise Profitability)
  • from 8.0.6 to 8.1.0 inclusive (Oracle Insurance Data Foundation)
  • 11.1.1.9.0 (Oracle JDeveloper)
  • 12.2.1.4.0 (Oracle JDeveloper)
  • from 12.2.0 to 12.2.20 inclusive (Oracle Policy Automation)
  • from 12.2.0 to 12.2.20 inclusive (Oracle Policy Automation for Mobile Devices)
  • 19.0 (Oracle Retail Customer Management and Segmentation Foundation)
  • up to 20.8 (Siebel UI Framework)
  • from 4.1 to 4.3 inclusive (Communications Operations Monitor)
  • up to 9.2.5.1 (JD Edwards EnterpriseOne Orchestrator)
  • 2.3.1 (StorageTek Tape Analytics SW Tool)
  • up to 9.2.5.0 (JD Edwards EnterpriseOne Tools)
  • 6.1 (Oracle Agile Product Lifecycle Management for Process)
  • 1.4.3 (Transportation Management)
  • up to 20.12 inclusive (Siebel Mobile Applications)
  • 1.7 (Astra Linux Special Edition)
  • 4.7 (Astra Linux Special Edition)
  • up to 2.1 (ОСОН ОСнова Onyx)
Software type: Network software, Information system application software, Operating system, Security software, Software of a hardware/software appliance, Software of a network hardware/software appliance, Network device
Operating systems and hardware platforms:
Error type: Failure to protect web page structure (or «Cross-site scripting»)
Error type identifier:
Vulnerability class: Code vulnerability
Detection date: 29.04.2020
Base vulnerability vector:
Severity level: Medium (CVSS 2.0 base score 5.8)
Medium (CVSS 3.0 base score 6.1)
Possible remediation measures:
Follow the recommendations:
For jQuery:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For Oracle Corp. software products:
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2021.html

For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2020-11022

For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2020-11022

For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2020-11022/

For Fedora Project:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/

For Astra Linux:
Follow the vendor's recommendations:
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16
https://wiki.astralinux.ru/pages/viewpage.action?pageId=47416144
https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-0114SE47

For ОСОН ОСнова:
Update the jquery software to version 3.3.1~dfsg-3+deb10u1
Vulnerability status: Confirmed by the vendor
Exploit availability: Publicly available
Exploitation method:
  • Injection
Remediation method: Software update
Remediation information: Vulnerability remediated
Source references:
Identifiers in other vulnerability description systems:
Other information: Data being clarified
Last changes: