Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0174
Security Advisory: Oracle Retail Applications
18 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Retail Applications
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote with User Interaction
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-3053 CVE-2018-3052 CVE-2018-2891
CVE-2018-2888 CVE-2018-2882 CVE-2018-2881
CVE-2018-1275 CVE-2017-12617 CVE-2017-5664
CVE-2017-5645 CVE-2017-5533 CVE-2016-9878
CVE-2016-6814 CVE-2016-3506 CVE-2016-1181
CVE-2015-7940
Member content until: Friday, August 17 2018
Reference: ASB-2018.0172
ASB-2018.0163
ASB-2018.0089
ASB-2018.0028
OVERVIEW
Multiple vulnerabilities have been identified in
MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5,
2.9.5.6
MICROS Relate CRM Software, versions 10.8.x, 11.4.x
MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x,
12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
MICROS XBR, versions 7.0.2, 7.0.4
Oracle Retail Back Office, versions 14.0, 14.1
Oracle Retail Bulk Data Integration, version 16.0
Oracle Retail Central Office, versions 14.0, 14.1
Oracle Retail Clearance Optimization Engine, version
14.0.5
Oracle Retail Convenience and Fuel POS Software, version
2.1.132
Oracle Retail Customer Management and Segmentation
Foundation, versions 16.x, 17.x
Oracle Retail Financial Integration, versions 13.2.x,
14.0.x, 14.1.x, 15.0.x, 16.0.x
Oracle Retail Integration Bus, versions 12.0.x, 13.0.x,
13.1.x, 13.2.x, 14.0.0 14.1.0, 14.0.x, 14.1.x, 15.0,
15.0.x, 16.0, 16.0.x
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0
Oracle Retail Point-of-Sale, versions 14.0, 14.1
Oracle Retail Point-of-Service, versions 14.0, 14.1
Oracle Retail Predictive Application Server, version
15.0.3
Oracle Retail Returns Management, versions 14.0, 14.1
Oracle Retail Service Backbone, versions 14.0.x, 14.1.x,
15.0.x, 16.0.x
Oracle Retail Service Layer, versions 12.0.x, 13.0.x,
13.1.x, 13.2.x, 14.0.x
[1]
IMPACT
The vendor has provided the following information regarding
the vulnerabilities:
"This Critical Patch Update contains 31 new security fixes
for Oracle Retail Applications. 26 of these
vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network
without requiring user credentials." [1]
"CVE-2017-5533
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 2.9.5.3,
2.9.5.4,2.9.5.5 and 2.9.5.6. Easily exploitable
vulnerability allows unauthenticated attacker with network
access via HTTP to compromise MICROS Lucas. Successful
attacks of this vulnerability can result in takeover of
MICROS Lucas.
CVE-2017-5533
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 2.9.5.3,
2.9.5.4,2.9.5.5 and 2.9.5.6. Easily exploitable
vulnerability allows unauthenticated attacker with network
access via HTTP to compromise MICROS Lucas. Successful
attacks of this vulnerability can result in takeover of
MICROS Lucas.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5533
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 2.9.5.3,
2.9.5.4,2.9.5.5 and 2.9.5.6. Easily exploitable
vulnerability allows unauthenticated attacker with network
access via HTTP to compromise MICROS Lucas. Successful
attacks of this vulnerability can result in takeover of
MICROS Lucas.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2016-6814
9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Supported versions that are affected are 12.0.x, 13.0.x,
13.1.x, 13.2.x, 14.0.x, 14.1.x, 15.0.x and 16.0.x.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle
Retail Integration Bus. Successful attacks require human
interaction from a person other than the attacker and while
the vulnerability is in Oracle Retail Integration Bus,
attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in
takeover of Oracle Retail Integration Bus.
CVE-2016-6814
9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Supported versions that are affected are 12.0.x, 13.0.x,
13.1.x, 13.2.x, 14.0.x, 14.1.x, 15.0.x and 16.0.x.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle
Retail Integration Bus. Successful attacks require human
interaction from a person other than the attacker and while
the vulnerability is in Oracle Retail Integration Bus,
attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in
takeover of Oracle Retail Integration Bus.
CVE-2016-1181
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 12.1.0.5.
Difficult to exploit vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager for Fusion Middleware. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager for Fusion Middleware.
CVE-2017-12617
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.2.1.2.0 and
12.2.1.3.0. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise FMW Platform. Successful attacks of this
vulnerability can result in takeover of FMW Platform.
CVE-2016-3506
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 2.1.132. Difficult
to exploit vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle Retail
Convenience and Fuel POS Software. Successful attacks of
this vulnerability can result in takeover of Oracle Retail
Convenience and Fuel POS Software.
CVE-2018-2882
7.7
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Supported versions that are affected are 10.2.x, 11.0.x,
12.0.x,12.1.x, 12.1.1.x,12.1.2.x and 13.1.x. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise MICROS Retail-J.
While the vulnerability is in MICROS Retail-J, attacks may
significantly impact additional products. Successful
attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data
or all MICROS Retail-J accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2017-5664
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The supported version that is affected is 2.1.132. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle Retail
Convenience and Fuel POS Software. Successful attacks of
this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all
Oracle Retail Convenience and Fuel POS Software accessible
data.
CVE-2015-7940
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 12.x. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via TLS to compromise Oracle
Communications Policy Management. Successful attacks of
this vulnerability can result in unauthorized access to
critical data or complete access to all Oracle
Communications Policy Management accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2018-2888
6.7
AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L
Supported versions that are affected are 10.2.x, 11.0.x,
12.0.x, 12.1.x, 12.1.1.x,12.1.2.x and 13.1.x. Difficult to
exploit vulnerability allows physical access to compromise
MICROS Retail-J. Successful attacks require human
interaction from a person other than the attacker and while
the vulnerability is in MICROS Retail-J, attacks may
significantly impact additional products. Successful attacks
of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all
MICROS Retail-J accessible data as well as unauthorized
access to critical data or complete access to all MICROS
Retail-J accessible data and unauthorized ability to cause a
partial denial of service (partial DOS) of MICROS Retail-J.
CVE-2018-3052
6.4
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Supported versions that are affected are 10.8.x and 11.4.x.
Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise MICROS
Relate CRM Software. While the vulnerability is in MICROS
Relate CRM Software, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of MICROS Relate CRM Software
accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of MICROS Relate CRM
Software.
CVE-2018-3053
6.4
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Supported versions that are affected are 16.x and 17.x.
Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise Oracle
Retail Customer Management and Segmentation Foundation.
While the vulnerability is in Oracle Retail Customer
Management and Segmentation Foundation, attacks may
significantly impact additional products. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Retail
Customer Management and Segmentation Foundation accessible
data and unauthorized ability to cause a partial denial of
service (partial DOS) of Oracle Retail Customer Management
and Segmentation Foundation.
CVE-2018-2881
6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 11.0.x, 12.0.x,
12.1.x, 12.1.1.x, 12.1.2.x and 13.1.x. Easily exploitable
vulnerability allows low privileged attacker with network
access via HTTP to compromise MICROS Retail-J. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MICROS Retail-J
accessible data as well as unauthorized read access to a
subset of MICROS Retail-J accessible data and unauthorized
ability to cause a partial denial of service (partial DOS)
of MICROS Retail-J.
CVE-2018-2891
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is 16.0. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle Retail
Bulk Data Integration. Successful attacks require human
interaction from a person other than the attacker and while
the vulnerability is in Oracle Retail Bulk Data Integration,
attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
Oracle Retail Bulk Data Integration accessible data as well
as unauthorized read access to a subset of Oracle Retail
Bulk Data Integration accessible data." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may be
possible to reduce the risk of successful attack by blocking
network protocols required by an attack. For attacks that
require certain privileges or access to certain packages,
removing the privileges or the ability to access the
packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may
break application functionality, so Oracle strongly
recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2018
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
[2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW07jqmaOgq3Tt24GAQjlZw/9GfW8kmoREnelO4iFJwqTRFOhXg2FR1da
ABLxvOByOicr9Y+Axvxop075FGfpzEfSeNw6tI/r4fXBT/i9k+PZAKDOyt3CgBez
RvcALSfrF+p2Ps2XYUg1ITGm7R06mEmV+6YcWXt+E5hr0dPiwRLpceStSfKDC0TP
+yAs+dNQbrJHGRdpQm4mZz6yYM59EB6K5nWiSU3YoEoQY0g2OtEgNgUKv8UEgABX
hto3y6lE36QyVdDqh/c0h0JGLZ/7/OBHRs4No+MQZ3af5CLZPimn8DE4WAzixlCE
xzh3bdfO2PDSy6xB7L3o+knxkBdAkErD6XaxRz1Se9rW/46kj5R4Lm8tlwh9j3SF
X0lzJ5KN1q/8lir6HlWIyuEfSXMC8GJEyreqR5hGzRV6AH5ezbWYYpTa4kcIQilm
4JnEsgyKCazSNT+uq2/Qw5KAs3p5a69whbTkBAbL6VVq3j5AbQOk2mVwJK0wzGI8
StPiXj7sAxgpmm0njxbc77TyTqIABsNJWctpuljWrvELjme2PsB7jYufsI/w6Frv
jmewJAqUv9pVSMFn/YaSdoW6BdM3131r8bEscLOpdhFQIvtVUY4c7H4n6JGQtOlY
HqZZn7GuxfeAl8+JAeFl8aJdtVHC6idhcuoMr7XsI7JsYF4TkwBgM8baAyMEGuq9
3c913bBK/Tc=
=PED2
-----END PGP SIGNATURE-----