Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0163
Security Advisory: Oracle Financial Services Applications
18 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Financial Services Applications
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-8013 CVE-2018-3051 CVE-2018-3050
CVE-2018-3049 CVE-2018-3048 CVE-2018-3047
CVE-2018-3046 CVE-2018-3045 CVE-2018-3044
CVE-2018-3043 CVE-2018-3042 CVE-2018-3041
CVE-2018-3040 CVE-2018-3039 CVE-2018-3038
CVE-2018-3037 CVE-2018-3036 CVE-2018-3035
CVE-2018-3034 CVE-2018-3033 CVE-2018-3032
CVE-2018-3031 CVE-2018-3030 CVE-2018-3029
CVE-2018-3028 CVE-2018-3027 CVE-2018-3026
CVE-2018-3025 CVE-2018-3024 CVE-2018-3023
CVE-2018-3022 CVE-2018-3021 CVE-2018-3020
CVE-2018-3019 CVE-2018-3015 CVE-2018-2982
CVE-2018-2981 CVE-2018-2980 CVE-2018-2979
CVE-2018-2975 CVE-2018-2974 CVE-2018-2899
CVE-2018-2898 CVE-2018-2897 CVE-2018-2896
CVE-2018-2895 CVE-2018-1275 CVE-2017-5645
CVE-2014-3577
Member content until: Friday, August 17 2018
Reference: ASB-2018.0094
ASB-2018.0089
ASB-2018.0086
ASB-2018.0082
OVERVIEW
Multiple vulnerabilities have been identified in
Oracle Banking Corporate Lending, versions 12.3.0,
12.4.0, 12.5.0, 14.0.0, 14.1.0
Oracle Banking Payments, versions 12.2.0, 12.3.0,
12.4.0, 12.5.0, 14.1.0
Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2
Oracle Financial Services Analytical Applications
Infrastructure, versions 7.3.3.x, 8.0.x
Oracle Financial Services Behavior Detection Platform,
version 8.0.x
Oracle Financial Services Funds Transfer Pricing, versions
6.1.1, 8.0.x
Oracle Financial Services Hedge Management and IFRS
Valuations, versions 8.0.4, 8.0.5
Oracle Financial Services Loan Loss Forecasting and
Provisioning, versions 8.0.4, 8.0.5
Oracle Financial Services Profitability Management,
versions 6.1.1, 8.0.x
Oracle Financial Services Revenue Management and Billing,
versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0,
2.5.0.2.0, 2.5.0.3.0
Oracle FLEXCUBE Enterprise Limits and Collateral
Management, versions 12.3.0, 14.0.0, 14.1.0
Oracle FLEXCUBE Investor Servicing, versions 12.0.4,
12.1.0, 12.3.0, 12.4.0
Oracle FLEXCUBE Universal Banking, versions 11.3.0,
11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0,
12.3.0, 12.4.0, 14.0.0, 14.1.0
[1]
IMPACT
The vendor has provided the following information regarding
the vulnerabilities:
"This Critical Patch Update contains 56 new security fixes
for Oracle Financial Services Applications. 21 of these
vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network
without requiring user credentials." [1]
"CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2018-3050
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data
or all Oracle Banking Corporate Lending accessible data as
well as unauthorized access to critical data or complete
access to all Oracle Banking Corporate Lending accessible
data.
CVE-2018-3027
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all
Oracle Banking Payments accessible data as well as
unauthorized access to critical data or complete access to
all Oracle Banking Payments accessible data.
CVE-2018-3051
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification
access to critical data or all Oracle FLEXCUBE Enterprise
Limits and Collateral Management accessible data as well as
unauthorized access to critical data or complete access to
all Oracle FLEXCUBE Enterprise Limits and Collateral
Management accessible data.
CVE-2018-3035
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data
or all Oracle FLEXCUBE Investor Servicing accessible data as
well as unauthorized access to critical data or complete
access to all Oracle FLEXCUBE Investor Servicing accessible
data.
CVE-2018-3015
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data
or all Oracle FLEXCUBE Universal Banking accessible data as
well as unauthorized access to critical data or complete
access to all Oracle FLEXCUBE Universal Banking accessible
data.
CVE-2018-8013
7.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 7.3.3.x and 8.0.x.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle
Financial Services Analytical Applications Infrastructure.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
Oracle Financial Services Analytical Applications
Infrastructure accessible data as well as unauthorized read
access to a subset of Oracle Financial Services Analytical
Applications Infrastructure accessible data and unauthorized
ability to cause a partial denial of service (partial DOS)
of Oracle Financial Services Analytical Applications
Infrastructure. Note: Please refer MOS document (Doc ID
2380553.1) for applicability across other Oracle Financial
Services products.
CVE-2018-3040
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Banking Corporate Lending.
CVE-2018-3022
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS)
of Oracle Banking Payments.
CVE-2014-3577
6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 2.3.0.2.0,
2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0 and
2.5.0.3.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle Financial Services Revenue Management and
Billing. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle Financial Services Revenue Management and
Billing accessible data as well as unauthorized read access
to a subset of Oracle Financial Services Revenue Management
and Billing accessible data.
CVE-2018-3041
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle FLEXCUBE
Enterprise Limits and Collateral Management.
CVE-2018-3030
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle FLEXCUBE Investor Servicing.
CVE-2018-2979
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle FLEXCUBE Universal Banking.
CVE-2018-3036
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Banking
Corporate Lending accessible data as well as unauthorized
read access to a subset of Oracle Banking Corporate Lending
accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Banking Corporate
Lending.
CVE-2018-3020
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Banking Payments
accessible data as well as unauthorized read access to a
subset of Oracle Banking Payments accessible data and
unauthorized ability to cause a partial denial of service
(partial DOS) of Oracle Banking Payments.
CVE-2018-3037
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle FLEXCUBE Enterprise Limits and Collateral
Management accessible data as well as unauthorized read
access to a subset of Oracle FLEXCUBE Enterprise Limits and
Collateral Management accessible data and unauthorized
ability to cause a partial denial of service (partial DOS)
of Oracle FLEXCUBE Enterprise Limits and Collateral
Management.
CVE-2018-3028
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Investor Servicing accessible data as well as unauthorized
read access to a subset of Oracle FLEXCUBE Investor
Servicing accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of Oracle FLEXCUBE
Investor Servicing.
CVE-2018-2974
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Universal Banking accessible data as well as unauthorized
read access to a subset of Oracle FLEXCUBE Universal Banking
accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle FLEXCUBE Universal
Banking.
CVE-2018-2895
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
Banking Corporate Lending, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle Banking Corporate Lending
accessible data as well as unauthorized read access to a
subset of Oracle Banking Corporate Lending accessible data.
CVE-2018-2896
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
require human interaction from a person other than the
attacker and while the vulnerability is in Oracle Banking
Payments, attacks may significantly impact additional
products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle Banking Payments accessible data as well as
unauthorized read access to a subset of Oracle Banking
Payments accessible data.
CVE-2018-2897
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks require human interaction
from a person other than the attacker and while the
vulnerability is in Oracle FLEXCUBE Enterprise Limits and
Collateral Management, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Enterprise Limits
and Collateral Management accessible data as well as
unauthorized read access to a subset of Oracle FLEXCUBE
Enterprise Limits and Collateral Management accessible data.
CVE-2018-2898
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
FLEXCUBE Investor Servicing, attacks may significantly
impact additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Investor Servicing
accessible data as well as unauthorized read access to a
subset of Oracle FLEXCUBE Investor Servicing accessible
data.
CVE-2018-2899
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
FLEXCUBE Universal Banking, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Universal Banking
accessible data as well as unauthorized read access to a
subset of Oracle FLEXCUBE Universal Banking accessible data.
CVE-2018-3042
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Banking
Corporate Lending accessible data and unauthorized ability
to cause a partial denial of service (partial DOS) of Oracle
Banking Corporate Lending.
CVE-2018-3044
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Banking
Corporate Lending accessible data as well as unauthorized
read access to a subset of Oracle Banking Corporate Lending
accessible data.
CVE-2018-3048
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
Banking Corporate Lending, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle Banking Corporate Lending
accessible data as well as unauthorized read access to a
subset of Oracle Banking Corporate Lending accessible data.
CVE-2018-3023
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Banking Payments
accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Banking Payments.
CVE-2018-3024
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Banking Payments
accessible data as well as unauthorized read access to a
subset of Oracle Banking Payments accessible data.
CVE-2018-3026
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows low privileged attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
require human interaction from a person other than the
attacker and while the vulnerability is in Oracle Banking
Payments, attacks may significantly impact additional
products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle Banking Payments accessible data as well as
unauthorized read access to a subset of Oracle Banking
Payments accessible data.
CVE-2018-3043
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle FLEXCUBE Enterprise Limits and Collateral
Management accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of Oracle FLEXCUBE
Enterprise Limits and Collateral Management.
CVE-2018-3045
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to
some of Oracle FLEXCUBE Enterprise Limits and Collateral
Management accessible data as well as unauthorized read
access to a subset of Oracle FLEXCUBE Enterprise Limits and
Collateral Management accessible data.
CVE-2018-3049
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks require human interaction
from a person other than the attacker and while the
vulnerability is in Oracle FLEXCUBE Enterprise Limits and
Collateral Management, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Enterprise Limits
and Collateral Management accessible data as well as
unauthorized read access to a subset of Oracle FLEXCUBE
Enterprise Limits and Collateral Management accessible data.
CVE-2018-3031
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Investor Servicing accessible data and unauthorized ability
to cause a partial denial of service (partial DOS) of Oracle
FLEXCUBE Investor Servicing.
CVE-2018-3032
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Investor Servicing accessible data as well as unauthorized
read access to a subset of Oracle FLEXCUBE Investor
Servicing accessible data.
CVE-2018-3034
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
FLEXCUBE Investor Servicing, attacks may significantly
impact additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Investor Servicing
accessible data as well as unauthorized read access to a
subset of Oracle FLEXCUBE Investor Servicing accessible
data.
CVE-2018-2980
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Universal Banking accessible data and unauthorized ability
to cause a partial denial of service (partial DOS) of Oracle
FLEXCUBE Universal Banking.
CVE-2018-2981
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle FLEXCUBE
Universal Banking accessible data as well as unauthorized
read access to a subset of Oracle FLEXCUBE Universal Banking
accessible data.
CVE-2018-3019
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle
FLEXCUBE Universal Banking, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Oracle FLEXCUBE Universal Banking
accessible data as well as unauthorized read access to a
subset of Oracle FLEXCUBE Universal Banking accessible data.
CVE-2018-3038
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP
to compromise Oracle Banking Corporate Lending. Successful
attacks of this vulnerability can result in unauthorized
read access to a subset of Oracle Banking Corporate Lending
accessible data.
CVE-2018-3046
5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.3.0, 12.4.0,
12.5.0, 14.0.0 and 14.1.0. Difficult to exploit
vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Corporate
Lending. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete
access to all Oracle Banking Corporate Lending accessible
data.
CVE-2018-3021
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTP
to compromise Oracle Banking Payments. Successful attacks
of this vulnerability can result in unauthorized read
access to a subset of Oracle Banking Payments accessible
data.
CVE-2018-3025
5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.0, 12.3.0,
12.4.0, 12.5.0 and 14.1.0. Difficult to exploit
vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Payments.
Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to
all Oracle Banking Payments accessible data.
CVE-2018-3039
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of Oracle
FLEXCUBE Enterprise Limits and Collateral Management
accessible data.
CVE-2018-3047
5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.3.0, 14.0.0 and
14.1.0. Difficult to exploit vulnerability allows low
privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Enterprise Limits and Collateral
Management. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete
access to all Oracle FLEXCUBE Enterprise Limits and
Collateral Management accessible data.
CVE-2018-3029
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
read access to a subset of Oracle FLEXCUBE Investor
Servicing accessible data.
CVE-2018-3033
5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.0.4, 12.1.0,
12.3.0 and 12.4.0. Difficult to exploit vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Investor Servicing. Successful
attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all Oracle
FLEXCUBE Investor Servicing accessible data.
CVE-2018-2975
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
read access to a subset of Oracle FLEXCUBE Universal Banking
accessible data.
CVE-2018-2982
5.3
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 11.3.0, 11.4.0,
12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
14.0.0 and 14.1.0. Difficult to exploit vulnerability allows
low privileged attacker with network access via HTTP to
compromise Oracle FLEXCUBE Universal Banking. Successful
attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all Oracle
FLEXCUBE Universal Banking accessible data." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may be
possible to reduce the risk of successful attack by blocking
network protocols required by an attack. For attacks that
require certain privileges or access to certain packages,
removing the privileges or the ability to access the
packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may
break application functionality, so Oracle strongly
recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2018
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
[2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW07OnWaOgq3Tt24GAQg7KBAAg+llpmS+88PuOEga2/6+CBeNqBlB1H/Q
Y9ggu01gNFTkvDxzxnGUD/MCzUb7B3OJYMV6abzxVgudX5ocgFDW7pQx1AAMr+8d
nxns6nZ7tQi14nlYsaQ26+FJVaISG5Y+is+vQWAIou4SA9PAeUAD/wD1bcgTa+eF
sGCk+oWfjTMA75+FMWqznR4VMNNUCrYQ3Qhaw36cOsugfkay1WrUo44UD4cuShh0
MgzmilLBmuE6FYes0vGMsvMHOs8XZkAJrq+HyLDfmNjJagcupCvdJW/ZhFkgnIB2
a+HPIJxOT8ELFcqZDNKrpAA7iqZA1g76apUIZpksNxkwSKsq17/RHDBayqS08Q0N
QHiLX36CYqmKJXQx0NqZ6LBeIVqCpaZ1IkR5B3D/R8XBT/7SIvxslVAdq4XnlilU
wQZu/veQmJwqo/9EGJdXyddfbLyv2zsmG0Vs+WbaOGKUed9T56TAX/ESAIhGpz16
yYnjug1Qt4raptYA/U7fvGCFzwCAU4GKcSyueP5SmdLh97eCqEuIjzlYMygv/7cS
Eo6fmETiQL9yY0bro6pDW87lEr9KvKVzF3tR9+hAALX7//kA0HW3YKT1EAWHhHXp
LcpxXkD31qPm2BvSzywa+TnW5P/RzSmBcMFT9BozPeTCLw33EdoLDw6l8X/qITvN
7TKQOhcmaDs=
=Hn3S
-----END PGP SIGNATURE-----