Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2022.0159 Oracle Financial Services Applications Critical Patch Updates 20 July 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Oracle Banking Products Oracle Financial Services Products Oracle FLEXCUBE Products Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2022-25647 CVE-2022-24823 CVE-2022-24729 CVE-2022-23437 CVE-2022-23181 CVE-2022-22978 CVE-2022-22971 CVE-2022-22963 CVE-2022-21586 CVE-2022-21585 CVE-2022-21584 CVE-2022-21583 CVE-2022-21582 CVE-2022-21581 CVE-2022-21580 CVE-2022-21579 CVE-2022-21578 CVE-2022-21577 CVE-2022-21576 CVE-2022-21544 CVE-2022-21428 CVE-2021-44832 CVE-2021-43859 CVE-2021-43797 CVE-2021-41303 CVE-2021-41184 CVE-2021-40690 CVE-2021-38296 CVE-2021-37714 CVE-2021-36090 CVE-2021-34429 CVE-2021-29425 CVE-2021-23337 CVE-2020-36518 CVE-2020-9492 CVE-2020-7712 CVE-2018-1273 Comment: CVSS (Max): 9.8* CVE-2022-22978 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Oracle, [NVD] Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * Not all CVSS available when published OVERVIEW Multiple vulnerabilities have been identified in : o Oracle Banking Branch, version 14.5 o Oracle Banking Cash Management, version 14.5 o Oracle Banking Corporate Lending Process Management, version 14.5 o Oracle Banking Credit Facilities Process Management, version 14.5 o Oracle Banking Deposits and Lines of Credit Servicing, version 2.7 o Oracle Banking Electronic Data Exchange for Corporates, version 14.5 o Oracle Banking Liquidity Management, versions 14.2, 14.5 o Oracle Banking Origination, version 14.5 o Oracle Banking Party Management, version 2.7 o Oracle Banking Platform, versions 2.6.2, 2.9, 2.12 o Oracle Banking Supply Chain Finance, version 14.5 o Oracle Banking Trade Finance, version 14.5 o Oracle Banking Trade Finance Process Management, version 14.5 o Oracle Banking Virtual Account Management, version 14.5 o Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 o Oracle Financial Services Behavior Detection Platform, versions 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1 o Oracle Financial Services Crime and Compliance Management Studio, versions 8.0.8.2.0, 8.0.8.3.0 o Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1 o Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0 o Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0 o Oracle FLEXCUBE Core Banking, versions 5.2, 11.6-11.8, 11.10 o Oracle FLEXCUBE Private Banking, version 12.1 o Oracle FLEXCUBE Universal Banking, versions 12.1-12.4, 14.0-14.3, 14.5 [1] IMPACT The vendor has provided the following information regarding the vulnerabilities: "This Critical Patch Update contains 59 new security patches for Oracle Financial Services Applications. 38 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1] "CVE-2022-22963 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The supported version that is affected is 14.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Branch. Successful attacks of this vulnerability can result in takeover of Oracle Banking Branch. Affects: o Oracle Banking Branch 14.5 o Oracle Banking Cash Management 14.5 o Oracle Banking Corporate Lending Process Management 14.5 o Oracle Banking Credit Facilities Process Management 14.5 o Oracle Banking Electronic Data Exchange for Corporates 14.5 o Oracle Banking Liquidity Management 14.2, 14.5 o Oracle Banking Origination 14.5 o Oracle Banking Supply Chain Finance 14.5 o Oracle Banking Trade Finance Process Management 14.5 o Oracle Banking Virtual Account Management 14.5 CVE-2021-41303 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2018-1273 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-22978 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2020-9492 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-24729 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0 and 8.1.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. Affects: o Oracle Financial Services Analytical Applications Infrastructure 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 o Oracle Financial Services Behavior Detection Platform 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1 o Oracle Financial Services Enterprise Case Management 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1 o Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition 8.0.7.0, 8.0.8.0 CVE-2020-36518 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0 and 8.1.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. Affects: o Oracle Financial Services Analytical Applications Infrastructure 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 o Oracle Financial Services Behavior Detection Platform 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1 o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 o Oracle Financial Services Enterprise Case Management 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1 o Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition 8.0.7.0, 8.0.8.0 CVE-2021-36090 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-38296 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Crime and Compliance Management Studio accessible data. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-25647 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-37714 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-40690 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N The supported version that is affected is 12.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Private Banking accessible data. Affects: o Oracle FLEXCUBE Private Banking 12.1 CVE-2021-43859 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The supported version that is affected is 12.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle FLEXCUBE Private Banking. Affects: o Oracle FLEXCUBE Private Banking 12.1 CVE-2020-7712 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-23337 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-21544 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Supported versions that are affected are 12.1-12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5 CVE-2022-23181 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Crime and Compliance Management Studio executes to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-21582 6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21585 6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21428 6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L Supported versions that are affected are 12.1-12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5 CVE-2022-21578 6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L Supported versions that are affected are 12.1-12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5 CVE-2021-44832 6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H The supported version that is affected is 12.1. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Private Banking. Affects: o Oracle FLEXCUBE Private Banking 12.1 CVE-2022-23437 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H The supported version that is affected is 2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Deposits and Lines of Credit Servicing. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7 o Oracle Banking Party Management 2.7 o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 o Oracle FLEXCUBE Universal Banking 12.4 CVE-2021-43797 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N The supported version that is affected is 2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Deposits and Lines of Credit Servicing accessible data. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7 o Oracle Banking Party Management 2.7 o Oracle Banking Platform 2.6.2 CVE-2022-22971 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Crime and Compliance Management Studio. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2022-21583 6.4 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data as well as unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21584 6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21586 6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21576 6.4 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3, 14.5 CVE-2022-21577 6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1-12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. Affects: o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5 CVE-2022-21579 6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N Supported versions that are affected are 12.1-12.4, 14.0-14.3 and 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. Affects: o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5 CVE-2021-41184 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 2.9 and 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Platform accessible data as well as unauthorized read access to a subset of Oracle Banking Platform accessible data. Affects: o Oracle Banking Platform 2.9, 2.12 CVE-2022-21581 5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized read access to a subset of Oracle Banking Trade Finance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance. Affects: o Oracle Banking Trade Finance 14.5 CVE-2022-21580 5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Supported versions that are affected are 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0 and 4.0.0.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Revenue Management and Billing. Affects: o Oracle Financial Services Revenue Management and Billing 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0 CVE-2022-24823 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Crime and Compliance Management Studio executes to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Crime and Compliance Management Studio accessible data. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-34429 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Crime and Compliance Management Studio. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Financial Services Crime and Compliance Management Studio accessible data. Affects: o Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0, 8.0.8.3.0 CVE-2021-29425 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Supported versions that are affected are 5.2, 11.6-11.8 and 11.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Core Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Core Banking accessible data. Affects: o Oracle FLEXCUBE Core Banking 5.2, 11.6-11.8, 11.10" [2] MITIGATION "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1] REFERENCES [1] Oracle Critical Patch Update Advisory - July 2022 https://www.oracle.com/security-alerts/cpujul2022.html [2] Text Form of Oracle Critical Patch Update - July 2022 Risk Matrices https://www.oracle.com/security-alerts/cpujul2022verbose.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYtejnMkNZI30y1K9AQg9cQ/+Jo3ukbXwKtIPapOAKboT4Q4sXlpUlSm3 E9aLIRX9qDgLloyNGxAYvXo3sTga+SaMF53K9QTN7Azwxi2OrmVWSe6qBgbQIlui YQtK+h312foBNGuKpO0CTN441ynF+7G1zTpVkWcR3OdtMoOlNOJZyBJlGOOu5hFS T6CX9FbjLPeKWw+B5SLt3BklaU5fag6OhEVERcFR/zyv4he43wN1a6IolRMgG9Z7 TUBnId7jGaFk2S3EdwvSbxaKRpP/KuFWHaPVc0saincTc1UEu3TIeODFrKSZw098 uFMA6a0+KXgEIIhv9ItzRhcipEhNBB6osRkKZIxtEsXNBaCRRtYgVO6nFE25f93r kD9o/j6Wxi2NvVxypOLGq+FvqZ9zAcKBFC7uAa+k2D3pmAu8sNJL2q+cVZgMfPQe 35Ei88sCntD19soeTmF9Csyjkw5axtIuPhn34yes6f5u9OukIUwJi1JUs6zwkErN D4owrnUejYzOQgaL+ynqQG2WF5RBrSQJ1SX28O7Ao7dVdcgYXYoDpjSZ1uiBNZYQ RsxEuxewKyT/Q1Mk5hPEsmTPXVPKeEwQvmIyvAp0R9XDvf0Sl0qbLdDRBPVE+xmc uGi0JVBTgU+Bnn9QnexSenjgPtNiYCBeIxBnk8bqsWjLrFTqfS28tJsoFdBgJvVL kKM3K8KHT2E= =Whg4 -----END PGP SIGNATURE-----