-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0159
       Oracle Financial Services Applications Critical Patch Updates
                               20 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Oracle Banking Products
                  Oracle Financial Services Products
                  Oracle FLEXCUBE Products
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-25647 CVE-2022-24823 CVE-2022-24729
                  CVE-2022-23437 CVE-2022-23181 CVE-2022-22978
                  CVE-2022-22971 CVE-2022-22963 CVE-2022-21586
                  CVE-2022-21585 CVE-2022-21584 CVE-2022-21583
                  CVE-2022-21582 CVE-2022-21581 CVE-2022-21580
                  CVE-2022-21579 CVE-2022-21578 CVE-2022-21577
                  CVE-2022-21576 CVE-2022-21544 CVE-2022-21428
                  CVE-2021-44832 CVE-2021-43859 CVE-2021-43797
                  CVE-2021-41303 CVE-2021-41184 CVE-2021-40690
                  CVE-2021-38296 CVE-2021-37714 CVE-2021-36090
                  CVE-2021-34429 CVE-2021-29425 CVE-2021-23337
                  CVE-2020-36518 CVE-2020-9492 CVE-2020-7712
                  CVE-2018-1273  

Comment: CVSS (Max):  9.8* CVE-2022-22978 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Oracle, [NVD]
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
         * Not all CVSS available when published

OVERVIEW

        
        Multiple vulnerabilities have been identified in :
         o Oracle Banking Branch, version 14.5
         o Oracle Banking Cash Management, version 14.5
         o Oracle Banking Corporate Lending Process Management, version
           14.5
         o Oracle Banking Credit Facilities Process Management, version
           14.5
         o Oracle Banking Deposits and Lines of Credit Servicing, version
           2.7
         o Oracle Banking Electronic Data Exchange for Corporates, version
           14.5
         o Oracle Banking Liquidity Management, versions 14.2, 14.5
         o Oracle Banking Origination, version 14.5
         o Oracle Banking Party Management, version 2.7
         o Oracle Banking Platform, versions 2.6.2, 2.9, 2.12
         o Oracle Banking Supply Chain Finance, version 14.5
         o Oracle Banking Trade Finance, version 14.5
         o Oracle Banking Trade Finance Process Management, version 14.5
         o Oracle Banking Virtual Account Management, version 14.5
         o Oracle Financial Services Analytical Applications
           Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0,
           8.1.2.1
         o Oracle Financial Services Behavior Detection Platform, versions
           8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Crime and Compliance Management
           Studio, versions 8.0.8.2.0, 8.0.8.3.0
         o Oracle Financial Services Enterprise Case Management, versions
           8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Revenue Management and Billing,
           versions 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0
         o Oracle Financial Services Trade-Based Anti Money Laundering
           Enterprise Edition, versions 8.0.7.0, 8.0.8.0
         o Oracle FLEXCUBE Core Banking, versions 5.2, 11.6-11.8, 11.10
         o Oracle FLEXCUBE Private Banking, version 12.1
         o Oracle FLEXCUBE Universal Banking, versions 12.1-12.4,
           14.0-14.3, 14.5
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 59 new security patches for
        Oracle Financial Services Applications. 38 of these vulnerabilities
        may be remotely exploitable without authentication, i.e., may be
        exploited over a network without requiring user credentials." [1]
        
        "CVE-2022-22963
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        The supported version that is affected is 14.5. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Banking Branch. Successful attacks of this
        vulnerability can result in takeover of Oracle Banking Branch.
         Affects:
         o Oracle Banking Branch 14.5
         o Oracle Banking Cash Management 14.5
         o Oracle Banking Corporate Lending Process Management 14.5
         o Oracle Banking Credit Facilities Process Management 14.5
         o Oracle Banking Electronic Data Exchange for Corporates 14.5
         o Oracle Banking Liquidity Management 14.2, 14.5
         o Oracle Banking Origination 14.5
         o Oracle Banking Supply Chain Finance 14.5
         o Oracle Banking Trade Finance Process Management 14.5
         o Oracle Banking Virtual Account Management 14.5
        
        CVE-2021-41303
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2018-1273
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-22978
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2020-9492
          8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-24729
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.7.0-8.1.0.0, 8.1.1.0,
        8.1.2.0 and 8.1.2.1. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Financial Services Analytical Applications Infrastructure.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Financial Services Analytical Applications Infrastructure.
         Affects:
         o Oracle Financial Services Analytical Applications
           Infrastructure 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
         o Oracle Financial Services Behavior Detection Platform 8.0.7.0,
           8.0.8.0, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Enterprise Case Management 8.0.7.1,
           8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Trade-Based Anti Money Laundering
           Enterprise Edition 8.0.7.0, 8.0.8.0
        
        CVE-2020-36518
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.7.0-8.1.0.0, 8.1.1.0,
        8.1.2.0 and 8.1.2.1. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Financial Services Analytical Applications Infrastructure.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Financial Services Analytical Applications Infrastructure.
         Affects:
         o Oracle Financial Services Analytical Applications
           Infrastructure 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
         o Oracle Financial Services Behavior Detection Platform 8.0.7.0,
           8.0.8.0, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
         o Oracle Financial Services Enterprise Case Management 8.0.7.1,
           8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1
         o Oracle Financial Services Trade-Based Anti Money Laundering
           Enterprise Edition 8.0.7.0, 8.0.8.0
        
        CVE-2021-36090
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Financial
        Services Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-38296
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Financial Services Crime and Compliance
        Management Studio accessible data.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-25647
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Financial
        Services Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-37714
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Financial
        Services Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-40690
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 12.1. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle FLEXCUBE Private Banking. Successful
        attacks of this vulnerability can result in unauthorized access to
        critical data or complete access to all Oracle FLEXCUBE Private
        Banking accessible data.
         Affects:
         o Oracle FLEXCUBE Private Banking 12.1
        
        CVE-2021-43859
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 12.1. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle FLEXCUBE Private Banking. Successful
        attacks of this vulnerability can result in unauthorized ability to
        cause a hang or frequently repeatable crash (complete DOS) of Oracle
        FLEXCUBE Private Banking.
         Affects:
         o Oracle FLEXCUBE Private Banking 12.1
        
        CVE-2020-7712
          7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows high privileged attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-23337
          7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows high privileged attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in takeover of Oracle Financial Services
        Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-21544
          7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.1-12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this
        vulnerability can result in takeover of Oracle FLEXCUBE Universal
        Banking.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5
        
        CVE-2022-23181
          7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Difficult to exploit vulnerability allows low privileged attacker
        with logon to the infrastructure where Oracle Financial Services
        Crime and Compliance Management Studio executes to compromise Oracle
        Financial Services Crime and Compliance Management Studio. Successful
        attacks of this vulnerability can result in takeover of Oracle
        Financial Services Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-21582
          6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Banking Trade Finance accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Banking
        Trade Finance accessible data and unauthorized ability to cause a
        partial denial of service (partial DOS) of Oracle Banking Trade
        Finance.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21585
          6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Banking Trade Finance accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Banking
        Trade Finance accessible data and unauthorized ability to cause a
        partial denial of service (partial DOS) of Oracle Banking Trade
        Finance.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21428
          6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
        Supported versions that are affected are 12.1-12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle FLEXCUBE Universal
        Banking accessible data as well as unauthorized access to critical
        data or complete access to all Oracle FLEXCUBE Universal Banking
        accessible data and unauthorized ability to cause a partial denial of
        service (partial DOS) of Oracle FLEXCUBE Universal Banking.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5
        
        CVE-2022-21578
          6.7 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
        Supported versions that are affected are 12.1-12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle FLEXCUBE Universal
        Banking accessible data as well as unauthorized access to critical
        data or complete access to all Oracle FLEXCUBE Universal Banking
        accessible data and unauthorized ability to cause a partial denial of
        service (partial DOS) of Oracle FLEXCUBE Universal Banking.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5
        
        CVE-2021-44832
          6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
        The supported version that is affected is 12.1. Difficult to exploit
        vulnerability allows high privileged attacker with network access via
        HTTP to compromise Oracle FLEXCUBE Private Banking. Successful
        attacks of this vulnerability can result in takeover of Oracle
        FLEXCUBE Private Banking.
         Affects:
         o Oracle FLEXCUBE Private Banking 12.1
        
        CVE-2022-23437
          6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        The supported version that is affected is 2.7. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Banking Deposits and Lines of Credit
        Servicing. Successful attacks require human interaction from a person
        other than the attacker. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a hang or frequently
        repeatable crash (complete DOS) of Oracle Banking Deposits and Lines
        of Credit Servicing.
         Affects:
         o Oracle Banking Deposits and Lines of Credit Servicing 2.7
         o Oracle Banking Party Management 2.7
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
         o Oracle FLEXCUBE Universal Banking 12.4
        
        CVE-2021-43797
          6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
        The supported version that is affected is 2.7. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Banking Deposits and Lines of Credit
        Servicing. Successful attacks require human interaction from a person
        other than the attacker. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all Oracle Banking Deposits and Lines of Credit
        Servicing accessible data.
         Affects:
         o Oracle Banking Deposits and Lines of Credit Servicing 2.7
         o Oracle Banking Party Management 2.7
         o Oracle Banking Platform 2.6.2
        
        CVE-2022-22971
          6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Financial
        Services Crime and Compliance Management Studio.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2022-21583
          6.4 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        of this vulnerability can result in unauthorized access to critical
        data or complete access to all Oracle Banking Trade Finance
        accessible data as well as unauthorized update, insert or delete
        access to some of Oracle Banking Trade Finance accessible data and
        unauthorized ability to cause a partial denial of service (partial
        DOS) of Oracle Banking Trade Finance.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21584
          6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Banking Trade Finance accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Banking
        Trade Finance accessible data.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21586
          6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Banking Trade Finance accessible data as well as unauthorized
        access to critical data or complete access to all Oracle Banking
        Trade Finance accessible data.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21576
          6.4 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle FLEXCUBE Universal Banking accessible data as well as
        unauthorized update, insert or delete access to some of Oracle
        FLEXCUBE Universal Banking accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE
        Universal Banking.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3, 14.5
        
        CVE-2022-21577
          6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1-12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle FLEXCUBE Universal
        Banking accessible data as well as unauthorized access to critical
        data or complete access to all Oracle FLEXCUBE Universal Banking
        accessible data.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5
        
        CVE-2022-21579
          6.4 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1-12.4, 14.0-14.3 and
        14.5. Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle FLEXCUBE
        Universal Banking. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle FLEXCUBE Universal
        Banking accessible data as well as unauthorized access to critical
        data or complete access to all Oracle FLEXCUBE Universal Banking
        accessible data.
         Affects:
         o Oracle FLEXCUBE Universal Banking 12.1-12.4, 14.0-14.3, 14.5
        
        CVE-2021-41184
          6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        Supported versions that are affected are 2.9 and 2.12. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Banking Platform.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle Banking
        Platform, attacks may significantly impact additional products (scope
        change). Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Oracle
        Banking Platform accessible data as well as unauthorized read access
        to a subset of Oracle Banking Platform accessible data.
         Affects:
         o Oracle Banking Platform 2.9, 2.12
        
        CVE-2022-21581
          5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L
        The supported version that is affected is 14.5. Difficult to exploit
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Banking Trade Finance. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all
        Oracle Banking Trade Finance accessible data as well as unauthorized
        read access to a subset of Oracle Banking Trade Finance accessible
        data and unauthorized ability to cause a partial denial of service
        (partial DOS) of Oracle Banking Trade Finance.
         Affects:
         o Oracle Banking Trade Finance 14.5
        
        CVE-2022-21580
          5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
        Supported versions that are affected are 2.9.0.0.0, 2.9.0.1.0,
        3.0.0.0.0-3.2.0.0.0 and 4.0.0.0.0. Difficult to exploit vulnerability
        allows low privileged attacker with network access via HTTP to
        compromise Oracle Financial Services Revenue Management and Billing.
        Successful attacks require human interaction from a person other than
        the attacker. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Financial Services Revenue Management and Billing accessible data as
        well as unauthorized update, insert or delete access to some of
        Oracle Financial Services Revenue Management and Billing accessible
        data and unauthorized ability to cause a partial denial of service
        (partial DOS) of Oracle Financial Services Revenue Management and
        Billing.
         Affects:
         o Oracle Financial Services Revenue Management and Billing
           2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0
        
        CVE-2022-24823
          5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        logon to the infrastructure where Oracle Financial Services Crime and
        Compliance Management Studio executes to compromise Oracle Financial
        Services Crime and Compliance Management Studio. Successful attacks
        of this vulnerability can result in unauthorized access to critical
        data or complete access to all Oracle Financial Services Crime and
        Compliance Management Studio accessible data.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-34429
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 8.0.8.2.0 and 8.0.8.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Financial Services Crime
        and Compliance Management Studio. Successful attacks of this
        vulnerability can result in unauthorized read access to a subset of
        Oracle Financial Services Crime and Compliance Management Studio
        accessible data.
         Affects:
         o Oracle Financial Services Crime and Compliance Management
           Studio 8.0.8.2.0, 8.0.8.3.0
        
        CVE-2021-29425
          4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
        Supported versions that are affected are 5.2, 11.6-11.8 and 11.10.
        Difficult to exploit vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle FLEXCUBE Core
        Banking. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Oracle
        FLEXCUBE Core Banking accessible data as well as unauthorized read
        access to a subset of Oracle FLEXCUBE Core Banking accessible data.
         Affects:
         o Oracle FLEXCUBE Core Banking 5.2, 11.6-11.8, 11.10" [2]


MITIGATION

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2022
            https://www.oracle.com/security-alerts/cpujul2022.html

        [2] Text Form of Oracle Critical Patch Update - July 2022 Risk Matrices
            https://www.oracle.com/security-alerts/cpujul2022verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYtejnMkNZI30y1K9AQg9cQ/+Jo3ukbXwKtIPapOAKboT4Q4sXlpUlSm3
E9aLIRX9qDgLloyNGxAYvXo3sTga+SaMF53K9QTN7Azwxi2OrmVWSe6qBgbQIlui
YQtK+h312foBNGuKpO0CTN441ynF+7G1zTpVkWcR3OdtMoOlNOJZyBJlGOOu5hFS
T6CX9FbjLPeKWw+B5SLt3BklaU5fag6OhEVERcFR/zyv4he43wN1a6IolRMgG9Z7
TUBnId7jGaFk2S3EdwvSbxaKRpP/KuFWHaPVc0saincTc1UEu3TIeODFrKSZw098
uFMA6a0+KXgEIIhv9ItzRhcipEhNBB6osRkKZIxtEsXNBaCRRtYgVO6nFE25f93r
kD9o/j6Wxi2NvVxypOLGq+FvqZ9zAcKBFC7uAa+k2D3pmAu8sNJL2q+cVZgMfPQe
35Ei88sCntD19soeTmF9Csyjkw5axtIuPhn34yes6f5u9OukIUwJi1JUs6zwkErN
D4owrnUejYzOQgaL+ynqQG2WF5RBrSQJ1SX28O7Ao7dVdcgYXYoDpjSZ1uiBNZYQ
RsxEuxewKyT/Q1Mk5hPEsmTPXVPKeEwQvmIyvAp0R9XDvf0Sl0qbLdDRBPVE+xmc
uGi0JVBTgU+Bnn9QnexSenjgPtNiYCBeIxBnk8bqsWjLrFTqfS28tJsoFdBgJvVL
kKM3K8KHT2E=
=Whg4
-----END PGP SIGNATURE-----