Description
===
NICE Engage is an interaction recording platform. The default configuration in
versions <= 6.5 (and possibly higher) binds an unauthenticated JMX/RMI
interface to all network interfaces, without restricting registration of
MBeans, which allows remote attackers to execute

used by WikiLeaks, when it was discovered to be
affected by an XSS vulnerability that was subsequently patched.

Around one year ago Red Timmy Sec discovered a Remote Command Execution
vulnerability in FlexPaper. The vendor was immediately contacted and a CVE
registered (2018-11686). However

For the anniversary of the discovery of CVE-2018-2879 by Sec Consult
(https://sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/)
we have decided to release OAMbuster, a multi-threaded implementation of
CVE-2018-2879.
Link of the exploit: