-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0163
         Security Advisory: Oracle Financial Services Applications
                               18 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Financial Services Applications
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Existing Account      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8013 CVE-2018-3051 CVE-2018-3050
                      CVE-2018-3049 CVE-2018-3048 CVE-2018-3047
                      CVE-2018-3046 CVE-2018-3045 CVE-2018-3044
                      CVE-2018-3043 CVE-2018-3042 CVE-2018-3041
                      CVE-2018-3040 CVE-2018-3039 CVE-2018-3038
                      CVE-2018-3037 CVE-2018-3036 CVE-2018-3035
                      CVE-2018-3034 CVE-2018-3033 CVE-2018-3032
                      CVE-2018-3031 CVE-2018-3030 CVE-2018-3029
                      CVE-2018-3028 CVE-2018-3027 CVE-2018-3026
                      CVE-2018-3025 CVE-2018-3024 CVE-2018-3023
                      CVE-2018-3022 CVE-2018-3021 CVE-2018-3020
                      CVE-2018-3019 CVE-2018-3015 CVE-2018-2982
                      CVE-2018-2981 CVE-2018-2980 CVE-2018-2979
                      CVE-2018-2975 CVE-2018-2974 CVE-2018-2899
                      CVE-2018-2898 CVE-2018-2897 CVE-2018-2896
                      CVE-2018-2895 CVE-2018-1275 CVE-2017-5645
                      CVE-2014-3577  
Member content until: Friday, August 17 2018
Reference:            ASB-2018.0094
                      ASB-2018.0089
                      ASB-2018.0086
                      ASB-2018.0082

OVERVIEW

        Multiple vulnerabilities have been identified in:
         Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0,
          12.5.0, 14.0.0, 14.1.0
         Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0,
          12.5.0, 14.1.0
         Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2
         Oracle Financial Services Analytical Applications
          Infrastructure, versions 7.3.3.x, 8.0.x
         Oracle Financial Services Behavior Detection Platform,
          version 8.0.x
         Oracle Financial Services Funds Transfer Pricing, versions
          6.1.1, 8.0.x
         Oracle Financial Services Hedge Management and IFRS
          Valuations, versions 8.0.4, 8.0.5
         Oracle Financial Services Loan Loss Forecasting and
          Provisioning, versions 8.0.4, 8.0.5
         Oracle Financial Services Profitability Management,
          versions 6.1.1, 8.0.x
         Oracle Financial Services Revenue Management and Billing,
          versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0,
          2.5.0.2.0, 2.5.0.3.0
         Oracle FLEXCUBE Enterprise Limits and Collateral
          Management, versions 12.3.0, 14.0.0, 14.1.0
         Oracle FLEXCUBE Investor Servicing, versions 12.0.4,
          12.1.0, 12.3.0, 12.4.0
         Oracle FLEXCUBE Universal Banking, versions 11.3.0,
          11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0,
          12.3.0, 12.4.0, 14.0.0, 14.1.0
        [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerabilities:
        
        "This Critical Patch Update contains 56 new security fixes
        for Oracle Financial Services Applications. 21 of these
        vulnerabilities may be remotely exploitable without
        authentication, i.e., may be exploited over a network
        without requiring user credentials." [1]

        "CVE-2017-5645
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are 12.1.0.5 and
        13.2.x. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Enterprise Manager Base Platform.  Successful
        attacks of this vulnerability can result in takeover of
        Enterprise Manager Base Platform.
        
        CVE-2018-1275
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        The supported version that is affected is 10.1. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle
        Application Testing Suite.  Successful attacks of this
        vulnerability can result in takeover of Oracle Application
        Testing Suite.
        
        CVE-2018-3050
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Banking Corporate Lending accessible data as
        well as  unauthorized access to critical data or complete
        access to all Oracle Banking Corporate Lending accessible
        data.
        
        CVE-2018-3027
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in  unauthorized creation,
        deletion or modification access to critical data or all
        Oracle Banking Payments accessible data as well as
        unauthorized access to critical data or complete access to
        all Oracle Banking Payments accessible data.
        
        CVE-2018-3051
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in  unauthorized creation, deletion or modification
        access to critical data or all Oracle FLEXCUBE Enterprise
        Limits and Collateral Management accessible data as well as
        unauthorized access to critical data or complete access to
        all Oracle FLEXCUBE Enterprise Limits and Collateral
        Management accessible data.
        
        CVE-2018-3035
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle FLEXCUBE Investor Servicing accessible data as
        well as  unauthorized access to critical data or complete
        access to all Oracle FLEXCUBE Investor Servicing accessible
        data.
        
        CVE-2018-3015
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle FLEXCUBE Universal Banking accessible data as
        well as  unauthorized access to critical data or complete
        access to all Oracle FLEXCUBE Universal Banking accessible
        data.
        
        CVE-2018-8013
        
        7.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 7.3.3.x and 8.0.x.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Financial Services Analytical Applications Infrastructure.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle Financial Services Analytical Applications
        Infrastructure accessible data as well as unauthorized read
        access to a subset of Oracle Financial Services Analytical
        Applications Infrastructure accessible data and unauthorized
        ability to cause a partial denial of service (partial DOS)
        of Oracle Financial Services Analytical Applications
        Infrastructure. Note: Please refer to MOS document (Doc ID
        2380553.1) for applicability across other Oracle Financial
        Services products.
        
        CVE-2018-3040
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Banking Corporate Lending.
        
        CVE-2018-3022
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in unauthorized ability to
        cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Banking Payments.
        
        CVE-2014-3577
        
        6.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 2.3.0.2.0,
        2.4.0.0.0,  2.4.0.1.0,  2.5.0.1.0,  2.5.0.2.0 and
        2.5.0.3.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle Financial Services Revenue Management and
        Billing.  Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle Financial Services Revenue Management and
        Billing accessible data as well as  unauthorized read access
        to a subset of Oracle Financial Services Revenue Management
        and Billing accessible data.
        
        CVE-2018-3041
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in unauthorized ability to cause a hang or frequently
        repeatable crash (complete DOS) of Oracle FLEXCUBE
        Enterprise Limits and Collateral Management.
        
        CVE-2018-3030
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle FLEXCUBE Investor Servicing.
        
        CVE-2018-2979
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle FLEXCUBE Universal Banking.
        
        CVE-2018-3036
        
        6.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle Banking
        Corporate Lending accessible data as well as  unauthorized
        read access to a subset of Oracle Banking Corporate Lending
        accessible data and unauthorized ability to cause a partial
        denial of service (partial DOS) of Oracle Banking Corporate
        Lending.
        
        CVE-2018-3020
        
        6.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Banking Payments
        accessible data as well as  unauthorized read access to a
        subset of Oracle Banking Payments accessible data and
        unauthorized ability to cause a partial denial of service
        (partial DOS) of Oracle Banking Payments.
        
        CVE-2018-3037
        
        6.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle FLEXCUBE Enterprise Limits and Collateral
        Management accessible data as well as  unauthorized read
        access to a subset of Oracle FLEXCUBE Enterprise Limits and
        Collateral Management accessible data and unauthorized
        ability to cause a partial denial of service (partial DOS)
        of Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.
        
        CVE-2018-3028
        
        6.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Investor Servicing accessible data as well as  unauthorized
        read access to a subset of Oracle FLEXCUBE Investor
        Servicing accessible data and unauthorized ability to cause
        a partial denial of service (partial DOS) of Oracle FLEXCUBE
        Investor Servicing.
        
        CVE-2018-2974
        
        6.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Universal Banking accessible data as well as  unauthorized
        read access to a subset of Oracle FLEXCUBE Universal Banking
        accessible data and unauthorized ability to cause a partial
        denial of service (partial DOS) of Oracle FLEXCUBE Universal
        Banking.
        
        CVE-2018-2895
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Banking Corporate Lending, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle Banking Corporate Lending
        accessible data as well as  unauthorized read access to a
        subset of Oracle Banking Corporate Lending accessible data.
        
        CVE-2018-2896
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle Banking
        Payments, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle Banking Payments accessible data as well as
        unauthorized read access to a subset of Oracle Banking
        Payments accessible data.
        
        CVE-2018-2897
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle FLEXCUBE Enterprise Limits and
        Collateral Management, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Enterprise Limits
        and Collateral Management accessible data as well as
        unauthorized read access to a subset of Oracle FLEXCUBE
        Enterprise Limits and Collateral Management accessible data.
        
        CVE-2018-2898
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        FLEXCUBE Investor Servicing, attacks may significantly
        impact additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Investor Servicing
        accessible data as well as  unauthorized read access to a
        subset of Oracle FLEXCUBE Investor Servicing accessible
        data.
        
        CVE-2018-2899
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and  14.1.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        FLEXCUBE Universal Banking, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Universal Banking
        accessible data as well as  unauthorized read access to a
        subset of Oracle FLEXCUBE Universal Banking accessible data.
        
        CVE-2018-3042
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle Banking
        Corporate Lending accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Oracle
        Banking Corporate Lending.
        
        CVE-2018-3044
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle Banking
        Corporate Lending accessible data as well as  unauthorized
        read access to a subset of Oracle Banking Corporate Lending
        accessible data.
        
        CVE-2018-3048
        
        5.4
        
        AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Banking Corporate Lending, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle Banking Corporate Lending
        accessible data as well as  unauthorized read access to a
        subset of Oracle Banking Corporate Lending accessible data.
        
        CVE-2018-3023
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Banking Payments
        accessible data and unauthorized ability to cause a partial
        denial of service (partial DOS) of Oracle Banking Payments.
        
        CVE-2018-3024
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Banking Payments
        accessible data as well as  unauthorized read access to a
        subset of Oracle Banking Payments accessible data.
        
        CVE-2018-3026
        
        5.4
        
        AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and  14.1.0. Easily exploitable vulnerability
        allows low privileged attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle Banking
        Payments, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle Banking Payments accessible data as well as
        unauthorized read access to a subset of Oracle Banking
        Payments accessible data.
        
        CVE-2018-3043
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle FLEXCUBE Enterprise Limits and Collateral
        Management accessible data and unauthorized ability to cause
        a partial denial of service (partial DOS) of Oracle FLEXCUBE
        Enterprise Limits and Collateral Management.
        
        CVE-2018-3045
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle FLEXCUBE Enterprise Limits and Collateral
        Management accessible data as well as  unauthorized read
        access to a subset of Oracle FLEXCUBE Enterprise Limits and
        Collateral Management accessible data.
        
        CVE-2018-3049
        
        5.4
        
        AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle FLEXCUBE Enterprise Limits and
        Collateral Management, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Enterprise Limits
        and Collateral Management accessible data as well as
        unauthorized read access to a subset of Oracle FLEXCUBE
        Enterprise Limits and Collateral Management accessible data.
        
        CVE-2018-3031
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Investor Servicing accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Oracle
        FLEXCUBE Investor Servicing.
        
        CVE-2018-3032
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Investor Servicing accessible data as well as unauthorized
        read access to a subset of Oracle FLEXCUBE Investor
        Servicing accessible data.
        
        CVE-2018-3034
        
        5.4
        
        AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        FLEXCUBE Investor Servicing, attacks may significantly
        impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Investor Servicing
        accessible data as well as unauthorized read access to a
        subset of Oracle FLEXCUBE Investor Servicing accessible
        data.
        
        CVE-2018-2980
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Universal Banking accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Oracle
        FLEXCUBE Universal Banking.
        
        CVE-2018-2981
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Universal Banking accessible data as well as unauthorized
        read access to a subset of Oracle FLEXCUBE Universal Banking
        accessible data.
        
        CVE-2018-3019
        
        5.4
        
        AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        FLEXCUBE Universal Banking, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or
        delete access to some of Oracle FLEXCUBE Universal Banking
        accessible data as well as unauthorized read access to a
        subset of Oracle FLEXCUBE Universal Banking accessible data.
        
        CVE-2018-3038
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP
        to compromise Oracle Banking Corporate Lending.  Successful
        attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle Banking Corporate Lending
        accessible data.
        
        CVE-2018-3046
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.3.0, 12.4.0,
        12.5.0, 14.0.0 and 14.1.0. Difficult to exploit
        vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Banking Corporate
        Lending.  Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete
        access to all Oracle Banking Corporate Lending accessible
        data.
        
        CVE-2018-3021
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and 14.1.0. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP
        to compromise Oracle Banking Payments.  Successful attacks
        of this vulnerability can result in unauthorized read
        access to a subset of Oracle Banking Payments accessible
        data.
        
        CVE-2018-3025
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.2.0, 12.3.0,
        12.4.0, 12.5.0 and 14.1.0. Difficult to exploit
        vulnerability allows low privileged attacker with network
        access via HTTP to compromise Oracle Banking Payments.
        Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to
        all Oracle Banking Payments accessible data.
        
        CVE-2018-3039
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in unauthorized read access to a subset of Oracle
        FLEXCUBE Enterprise Limits and Collateral Management
        accessible data.
        
        CVE-2018-3047
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.3.0, 14.0.0 and
        14.1.0. Difficult to exploit vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Enterprise Limits and Collateral
        Management.  Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete
        access to all Oracle FLEXCUBE Enterprise Limits and
        Collateral Management accessible data.
        
        CVE-2018-3029
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle FLEXCUBE Investor
        Servicing accessible data.
        
        CVE-2018-3033
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.0.4, 12.1.0,
        12.3.0 and 12.4.0. Difficult to exploit vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Investor Servicing.  Successful
        attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle
        FLEXCUBE Investor Servicing accessible data.
        
        CVE-2018-2975
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle FLEXCUBE Universal Banking
        accessible data.
        
        CVE-2018-2982
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0,
        14.0.0 and 14.1.0. Difficult to exploit vulnerability allows
        low privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle
        FLEXCUBE Universal Banking accessible data." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2018
            http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

        [2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----