-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2018.0260
                          Oracle Retail Applications
                              17 October 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Retail Applications
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8013 CVE-2018-7489 CVE-2018-3126 CVE-2018-3122
                      CVE-2018-3115 CVE-2018-2889 CVE-2018-2887 CVE-2018-1305
                      CVE-2018-1275 CVE-2018-1258 CVE-2017-15095 CVE-2017-5645
                      CVE-2017-5533 CVE-2016-1000031
Member content until: Friday, November 16 2018
Reference:            ASB-2018.0172 ASB-2018.0168 ASB-2018.0163 ASB-2018.0158
                      ESB-2018.2665 ESB-2018.2563 ESB-2018.2335 ESB-2018.2146

OVERVIEW

        Multiple vulnerabilities have been identified in:

        o MICROS Lucas, version 2.9.5
        o MICROS Relate CRM Software, versions 10.8, 11.4
        o MICROS Retail-J, versions 12.1.2, 13.0.0
        o MICROS XBRi, versions 10.5.0, 10.6.0, 10.7.0, 10.8.1, 10.8.2, 10.8.3
        o Oracle Retail Allocation, versions 15.0, 16.0
        o Oracle Retail Assortment Planning, versions 14.1, 15.0, 16.0
        o Oracle Retail Back Office, versions 13.3, 13.4, 14, 14.1
        o Oracle Retail Central Office, version 14.1
        o Oracle Retail Customer Management and Segmentation Foundation,
          versions 16.0, 17.0
        o Oracle Retail Extract Transform and Load, versions 13.0, 13.1, 13.2
        o Oracle Retail Financial Integration, versions 13.2, 14.0, 14.1, 15.0,
          16.0
        o Oracle Retail Integration Bus, version 14.1.2
        o Oracle Retail Invoice Matching, versions 15.0, 16.0
        o Oracle Retail Open Commerce Platform, versions 5.3, 6.0, 6.0.1
        o Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0
        o Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1
        o Oracle Retail Predictive Application Server, versions 14.0, 14.1,
          15.0, 16.0
        o Oracle Retail Returns Management, version 14.1
        o Oracle Retail Sales Audit, versions 15.0, 16.0
        o Oracle Retail Xstore Point of Service, versions 6.5.12, 7.0.7, 7.1.7,
          15.0.2, 16.0.4, 17.0.2 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 31 new security fixes for Oracle
        Retail Applications. 21 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]

        "CVE-2016-1000031 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the MICROS Relate CRM Software component of Oracle Retail Applications (subcomponent: Web Services (Apache Commons)). Supported versions that are affected are 10.8 and 11.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MICROS Relate CRM Software. Successful attacks of this vulnerability can result in takeover of MICROS Relate CRM Software.

        CVE-2016-1000031 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation component of Oracle Retail Applications (subcomponent: Internal Operations (Apache Commons)). Supported versions that are affected are 16.0 and 17.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in takeover of Oracle Retail Customer Management and Segmentation Foundation.

        CVE-2017-15095 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Framework (jackson-databind)). Supported versions that are affected are 5.3.0, 6.0.0 and 6.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Retail Open Commerce Platform.

        CVE-2017-5533 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Framework (JasperReports)). Supported versions that are affected are 5.3.0, 6.0.0 and 6.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Retail Open Commerce Platform.

        CVE-2017-5533 9.8 (Confidentiality, Integrity and Availability AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Order Broker component of Oracle Retail Applications (subcomponent: Order Broker Foundation (JasperReports)). The supported version that is affected is 5.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Order Broker. Successful attacks of this vulnerability can result in takeover of Oracle Retail Order Broker.

        CVE-2017-5645 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Extract Transform and Load component of Oracle Retail Applications (subcomponent: Mathematical Operators (Apache Log4j)). Supported versions that are affected are 13.0, 13.1 and 13.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Extract Transform and Load. Successful attacks of this vulnerability can result in takeover of Oracle Retail Extract Transform and Load.

        CVE-2017-5645 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Framework (Apache Log4j)). Supported versions that are affected are 5.3.0, 6.0.0 and 6.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Retail Open Commerce Platform.

        CVE-2018-1258 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the MICROS Lucas component of Oracle Retail Applications (subcomponent: Security (Spring Framework)). The supported version that is affected is 2.9.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MICROS Lucas. Successful attacks of this vulnerability can result in takeover of MICROS Lucas.

        CVE-2018-1258 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Assortment Planning component of Oracle Retail Applications (subcomponent: Application Core (Spring Framework)). Supported versions that are affected are 14.1, 15.0 and 16.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Assortment Planning. Successful attacks of this vulnerability can result in takeover of Oracle Retail Assortment Planning.

        CVE-2018-1258 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Financial Integration component of Oracle Retail Applications (subcomponent: PeopleSoft Integration Bugs (Spring Framework)). Supported versions that are affected are 13.2, 14.0, 14.1, 15.0 and 16.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Financial Integration. Successful attacks of this vulnerability can result in takeover of Oracle Retail Financial Integration.

        CVE-2018-1258 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Integration Bus component of Oracle Retail Applications (subcomponent: RIB Kernal (Spring Framework)). The supported version that is affected is 14.1.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Integration Bus. Successful attacks of this vulnerability can result in takeover of Oracle Retail Integration Bus.

        CVE-2018-1275 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Framework (Spring Framework)). Supported versions that are affected are 5.3.0, 6.0.0 and 6.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Retail Open Commerce Platform.

        CVE-2018-1275 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Order Broker component of Oracle Retail Applications (subcomponent: System Administration (Spring Framework)). Supported versions that are affected are 5.1, 5.2, 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Order Broker. Successful attacks of this vulnerability can result in takeover of Oracle Retail Order Broker.

        CVE-2018-1275 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Predictive Application Server component of Oracle Retail Applications (subcomponent: RPAS Fusion Client (Spring Framework)). Supported versions that are affected are 14.0, 14.1, 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Predictive Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Retail Predictive Application Server.

        CVE-2018-1305 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        Vulnerability in the Oracle Retail Order Broker component of Oracle Retail Applications (subcomponent: Upgrade Install (Apache Tomcat)). Supported versions that are affected are 5.1, 5.2 and 15.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Order Broker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Retail Order Broker accessible data.

        CVE-2018-1305 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        Vulnerability in the MICROS XBRi component of Oracle Retail Applications (subcomponent: Retail (Apache Tomcat)). Supported versions that are affected are 10.8.3, 10.8.2, 10.8.1, 10.7.0, 10.6.0 and 10.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MICROS XBRi. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MICROS XBRi accessible data.

        CVE-2018-2887 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
        Vulnerability in the MICROS Retail-J component of Oracle Retail Applications (subcomponent: Back Office). Supported versions that are affected are 13.0.0 and 12.1.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MICROS Retail-J. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MICROS Retail-J accessible data as well as unauthorized read access to a subset of MICROS Retail-J accessible data.

        CVE-2018-2889 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Vulnerability in the MICROS Retail-J component of Oracle Retail Applications (subcomponent: Internal Operations). The supported version that is affected is 12.1.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MICROS Retail-J. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MICROS Retail-J accessible data.

        CVE-2018-3115 7.7 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
        Vulnerability in the Oracle Retail Sales Audit component of Oracle Retail Applications (subcomponent: Operational Insights). Supported versions that are affected are 15.0 and 16.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Sales Audit. While the vulnerability is in Oracle Retail Sales Audit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Retail Sales Audit accessible data as well as unauthorized update, insert or delete access to some of Oracle Retail Sales Audit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Sales Audit.

        CVE-2018-3122 6.8 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
        Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Integrations). Supported versions that are affected are 6.0, 6.0.1 and 5.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Retail Open Commerce Platform accessible data as well as unauthorized access to critical data or complete access to all Oracle Retail Open Commerce Platform accessible data.

        CVE-2018-3126 6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Xstore Point of Service component of Oracle Retail Applications (subcomponent: Xenvironment). Supported versions that are affected are 15.0.2, 16.0.4 and 17.0.2. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Retail Xstore Point of Service. Successful attacks of this vulnerability can result in takeover of Oracle Retail Xstore Point of Service.

        CVE-2018-7489 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Allocation component of Oracle Retail Applications (subcomponent: General (jackson-databind)). Supported versions that are affected are 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Allocation. Successful attacks of this vulnerability can result in takeover of Oracle Retail Allocation.

        CVE-2018-7489 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Assortment Planning component of Oracle Retail Applications (subcomponent: Application Core (jackson-databind)). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Assortment Planning. Successful attacks of this vulnerability can result in takeover of Oracle Retail Assortment Planning.

        CVE-2018-7489 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Invoice Matching component of Oracle Retail Applications (subcomponent: Security (jackson-databind)). Supported versions that are affected are 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Invoice Matching. Successful attacks of this vulnerability can result in takeover of Oracle Retail Invoice Matching.

        CVE-2018-7489 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Sales Audit component of Oracle Retail Applications (subcomponent: Operational Insights (jackson-databind)). Supported versions that are affected are 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Sales Audit. Successful attacks of this vulnerability can result in takeover of Oracle Retail Sales Audit.

        CVE-2018-7489 6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
        Vulnerability in the Oracle Retail Xstore Point of Service component of Oracle Retail Applications (subcomponent: Xenvironment (jackson-databind)). Supported versions that are affected are 6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4 and 17.0.2. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Retail Xstore Point of Service. Successful attacks of this vulnerability can result in takeover of Oracle Retail Xstore Point of Service.

        CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Vulnerability in the Oracle Retail Back Office component of Oracle Retail Applications (subcomponent: Security (Apache Batik)). Supported versions that are affected are 13.3, 13.4, 14 and 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Back Office. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Back Office accessible data as well as unauthorized read access to a subset of Oracle Retail Back Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Back Office.

        CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Vulnerability in the Oracle Retail Central Office component of Oracle Retail Applications (subcomponent: Security (Apache Batik)). The supported version that is affected is 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Central Office. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Central Office accessible data as well as unauthorized read access to a subset of Oracle Retail Central Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Central Office.

        CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Vulnerability in the Oracle Retail Order Broker component of Oracle Retail Applications (subcomponent: Upgrade Install (Apache Batik)). Supported versions that are affected are 5.1, 5.2, 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Order Broker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Order Broker accessible data as well as unauthorized read access to a subset of Oracle Retail Order Broker accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Order Broker.

        CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Vulnerability in the Oracle Retail Point-of-Service component of Oracle Retail Applications (subcomponent: Security (Apache Batik)). Supported versions that are affected are 13.4, 14.0 and 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Point-of-Service. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Point-of-Service accessible data as well as unauthorized read access to a subset of Oracle Retail Point-of-Service accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Point-of-Service.

        CVE-2018-8013 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Vulnerability in the Oracle Retail Returns Management component of Oracle Retail Applications (subcomponent: Security (Apache Batik)). The supported version that is affected is 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Returns Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Returns Management accessible data as well as unauthorized read access to a subset of Oracle Retail Returns Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Returns Management." [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an attack.
        For attacks that require certain privileges or access to certain
        packages, removing the privileges or the ability to access the packages
        from users that do not need the privileges may help reduce the risk of
        successful attack. Both approaches may break application functionality,
        so Oracle strongly recommends that customers test changes on
        non-production systems. Neither approach should be considered a
        long-term solution as neither corrects the underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2018
            https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

        [2] Text Form of Oracle Critical Patch Update - October 2018 Risk Matrices
            https://www.oracle.com/technetwork/security-advisory/cpuoct2018verbose-5170927.html

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described
is the responsibility of each user or organisation. The decision to follow or
act on information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT takes
no responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================