Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2023.0018
Oracle Communications Applications Critical Patch Update
18 January 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Communications Applications
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2023-21848 CVE-2023-21824 CVE-2022-42889
CVE-2022-42252 CVE-2022-42003 CVE-2022-41720
CVE-2022-40150 CVE-2022-40146 CVE-2022-39271
CVE-2022-38752 CVE-2022-37454 CVE-2022-36055
CVE-2022-35737 CVE-2022-34917 CVE-2022-33980
CVE-2022-32212 CVE-2022-31692 CVE-2022-30126
CVE-2022-25857 CVE-2022-25647 CVE-2022-22978
CVE-2022-22971 CVE-2022-3171 CVE-2021-43797
CVE-2021-41411 CVE-2020-16156 CVE-2019-17571
Comment: CVSS (Max): 9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Oracle, [NVD]
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
OVERVIEW
Multiple vulnerabilities have been identified in :
o Oracle Communications Billing and Revenue Management, versions
12.0.0.4.0-12.0.0.7.0
o Oracle Communications BRM - Elastic Charging Engine, versions
12.0.0.3.0-12.0.0.7.0
o Oracle Communications Calendar Server, version 8.0.0.6.0
o Oracle Communications Contacts Server, version 8.0.0.7.0
o Oracle Communications Convergence, version 3.0.3.1.0
o Oracle Communications Design Studio, version 7.4.2
o Oracle Communications Elastic Charging Engine, versions
12.0.0.3.0-12.0.0.7.0
o Oracle Communications Instant Messaging Server, version
10.0.1.6.0
o Oracle Communications Messaging Server, version 8.1.0.20.0
o Oracle Communications MetaSolv Solution, version 6.3.1
o Oracle Communications Order and Service Management, version
7.4.0
o Oracle Communications Pricing Design Center, versions
12.0.0.5.0-12.0.0.7.0
o Oracle Communications Unified Assurance, versions 5.5.0-5.5.9,
6.0.0-6.0.1
o Oracle Communications Unified Inventory Management, versions
7.4.0-7.4.2, 7.5.0
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 39 new security patches, plus
additional third party patches noted below, for Oracle Communications
Applications. 31 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials." [1]
"CVE-2022-42889
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.0.0.3.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via TCP to compromise Oracle Communications Elastic
Charging Engine. Successful attacks of this vulnerability can result
in takeover of Oracle Communications Elastic Charging Engine.
Affects:
o Oracle Communications Design Studio 7.4.2
o Oracle Communications Elastic Charging Engine
12.0.0.3.0-12.0.0.7.0
o Oracle Communications Order and Service Management 7.4.0
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-33980
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.0.0.5.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via TCP to compromise Oracle Communications Elastic
Charging Engine. Successful attacks of this vulnerability can result
in takeover of Oracle Communications Elastic Charging Engine.
Affects:
o Oracle Communications Elastic Charging Engine
12.0.0.5.0-12.0.0.7.0
CVE-2019-17571
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTPS to compromise Oracle Communications Unified
Assurance. Successful attacks of this vulnerability can result in
takeover of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-22978
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTPS to compromise Oracle Communications Unified
Assurance. Successful attacks of this vulnerability can result in
takeover of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-37454
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 5.5.0-5.5.9. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTPS to compromise Oracle Communications Unified
Assurance. Successful attacks of this vulnerability can result in
takeover of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9
CVE-2022-31692
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 7.4.0, 7.4.1 and 7.4.2.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Unified
Inventory Management. Successful attacks of this vulnerability can
result in takeover of Oracle Communications Unified Inventory
Management.
Affects:
o Oracle Communications Unified Inventory Management 7.4.0,
7.4.1, 7.4.2
CVE-2021-41411
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 7.4.0, 7.4.1, 7.4.2 and
7.5.0. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle
Communications Unified Inventory Management. Successful attacks of
this vulnerability can result in takeover of Oracle Communications
Unified Inventory Management.
Affects:
o Oracle Communications Unified Inventory Management 7.4.0,
7.4.1, 7.4.2, 7.5.0
CVE-2023-21848
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 3.0.3.1.0. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Communications Convergence.
Successful attacks of this vulnerability can result in takeover of
Oracle Communications Convergence.
Affects:
o Oracle Communications Convergence 3.0.3.1.0
CVE-2022-32212
8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTPS to compromise Oracle Communications
Unified Assurance. Successful attacks of this vulnerability can
result in takeover of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2020-16156
7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Easily exploitable vulnerability allows unauthenticated attacker with
logon to the infrastructure where Oracle Communications Unified
Assurance executes to compromise Oracle Communications Unified
Assurance. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in takeover of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-42003
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.0.4.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Billing
and Revenue Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Communications Billing and
Revenue Management.
Affects:
o Oracle Communications Billing and Revenue Management
12.0.0.4.0-12.0.0.7.0
o Oracle Communications Calendar Server 8.0.0.6.0
o Oracle Communications Contacts Server 8.0.0.7.0
o Oracle Communications Instant Messaging Server 10.0.1.6.0
o Oracle Communications Messaging Server 8.1.0.20.0
o Oracle Communications Pricing Design Center
12.0.0.5.0-12.0.0.7.0
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
o Oracle Communications Unified Inventory Management 7.4.0,
7.4.1, 7.4.2, 7.5.0
CVE-2022-25857
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.0.4.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Billing
and Revenue Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Communications Billing and
Revenue Management.
Affects:
o Oracle Communications Billing and Revenue Management
12.0.0.4.0-12.0.0.7.0
CVE-2022-40150
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.0.4.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Billing
and Revenue Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Communications Billing and
Revenue Management.
Affects:
o Oracle Communications Billing and Revenue Management
12.0.0.4.0-12.0.0.7.0
CVE-2022-34917
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.0.5.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Elastic
Charging Engine. Successful attacks of this vulnerability can result
in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of Oracle Communications Elastic Charging
Engine.
Affects:
o Oracle Communications Elastic Charging Engine
12.0.0.5.0-12.0.0.7.0
CVE-2022-42252
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The supported version that is affected is 10.0.1.6.0. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTPS to compromise Oracle Communications Instant
Messaging Server. Successful attacks of this vulnerability can result
in unauthorized creation, deletion or modification access to critical
data or all Oracle Communications Instant Messaging Server accessible
data.
Affects:
o Oracle Communications Instant Messaging Server 10.0.1.6.0
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-35737
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 8.1.0.20.0. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via TLS to compromise Oracle Communications Messaging
Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Communications Messaging Server.
Affects:
o Oracle Communications Messaging Server 8.1.0.20.0
CVE-2022-40146
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 6.3.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Communications MetaSolv Solution.
Successful attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all Oracle
Communications MetaSolv Solution accessible data.
Affects:
o Oracle Communications MetaSolv Solution 6.3.1
CVE-2022-41720
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTPS to compromise Oracle Communications Unified
Assurance. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle
Communications Unified Assurance accessible data.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-39271
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 7.5.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Communications Unified Inventory
Management. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Communications Unified Inventory Management.
Affects:
o Oracle Communications Unified Inventory Management 7.5.0
CVE-2022-3171
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 7.4.0-7.4.2 and 7.5.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Unified
Inventory Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Communications Unified
Inventory Management.
Affects:
o Oracle Communications Unified Inventory Management 7.4.0-7.4.2,
7.5.0
CVE-2022-25647
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 7.4.0, 7.4.1, 7.4.2 and
7.5.0. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle
Communications Unified Inventory Management. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle
Communications Unified Inventory Management.
Affects:
o Oracle Communications Unified Inventory Management 7.4.0,
7.4.1, 7.4.2, 7.5.0
CVE-2021-43797
6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Supported versions that are affected are 12.0.0.3.0-12.0.0.7.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Communications Elastic
Charging Engine. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all Oracle Communications
Elastic Charging Engine accessible data.
Affects:
o Oracle Communications Elastic Charging Engine
12.0.0.3.0-12.0.0.7.0
CVE-2022-22971
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 12.0.0.3.0-12.0.0.7.0.
Easily exploitable vulnerability allows low privileged attacker with
network access via TCP to compromise Oracle Communications Elastic
Charging Engine. Successful attacks of this vulnerability can result
in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of Oracle Communications Elastic Charging
Engine.
Affects:
o Oracle Communications Elastic Charging Engine
12.0.0.3.0-12.0.0.7.0
o Oracle Communications Unified Inventory Management 7.4.0,
7.4.1, 7.4.2
CVE-2022-36055
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.5.0-5.5.9 and 6.0.0-6.0.1.
Easily exploitable vulnerability allows low privileged attacker with
network access via HTTPS to compromise Oracle Communications Unified
Assurance. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Communications Unified Assurance.
Affects:
o Oracle Communications Unified Assurance 5.5.0-5.5.9,
6.0.0-6.0.1
CVE-2022-38752
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 7.5.0. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise Oracle Communications Unified Inventory
Management. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Communications Unified Inventory Management.
Affects:
o Oracle Communications Unified Inventory Management 7.5.0
CVE-2022-30126
5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
The supported version that is affected is 8.1.0.20.0. Easily
exploitable vulnerability allows unauthenticated attacker with logon
to the infrastructure where Oracle Communications Messaging Server
executes to compromise Oracle Communications Messaging Server.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Communications Messaging Server.
Affects:
o Oracle Communications Messaging Server 8.1.0.20.0
CVE-2023-21824
4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.0.0.3.0-12.0.0.7.0.
Easily exploitable vulnerability allows high privileged attacker with
logon to the infrastructure where Oracle Communications BRM - Elastic
Charging Engine executes to compromise Oracle Communications BRM -
Elastic Charging Engine. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete access to
all Oracle Communications BRM - Elastic Charging Engine accessible
data.
Affects:
o Oracle Communications BRM - Elastic Charging Engine
12.0.0.3.0-12.0.0.7.0" [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - January 2023
https://www.oracle.com/security-alerts/cpujan2023.html
[2] Text Form of Oracle Critical Patch Update - January 2023 Risk
Matrices
https://www.oracle.com/security-alerts/cpujan2023verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY8d0EckNZI30y1K9AQgMbg/+I58Nyi3mMM130gKST+RX4Fsk/O7AQAKf
nSYtcDCbZKPpU+i7gBNHwNDp46DxdK6X0Gw3BxXBPFpykLNg1bOBc3PrxBzwVOIC
gASzy+E+ZjgdrKfpMjYDlIWLs+l9ALU2rdsqgd9XRJPfzBfdklnpEhho5y+7qahE
/HqDjfhRxbncIll4on14lmsWSJXatcQtu8dsqyBAgEnNNEm3pftYBR8iVBtqcSBP
m0pK0OQL2VnvdTAEAZcdACnV7SM8oE9zns8DpKn5jgD36cAzN1/p6siTBJFu/c4/
AOMEtNVfC9wmcIDkGB/ONAHIICtRI298sirWYl787r9eVgbeleIIARp8CPFIiRW8
8fffD30PnQS05DhKdsf2AwbB9a/EEmF5aS+12Y/TRFYA0XJTOVRBFia63QnNAl3u
4YTksN060DZGOIQIot3JEClXoyfvRtwMW/eMxaaAFZJaImRmo2OK3xskfaJF73WI
rH7kmP7Pb7LjD1Wn7Ag1bOLj+tq29JTTkSGmKjXWlbqzpIR8kf7uevWl77P4Ijdc
EPyuFuFknsoZGyIAUCtrYzNdxd5Gl+d4VPB/Zm8ukaJ5N5FMnjIR6b9UL3fKbE1o
dJYyvoyVMw9rITSVnuCZcsljx9EDyJU0p95wv/SoMnkGKqOpRFH/z5OsZeYHnAh5
9wsmCWrNKEM=
=Cf/A
-----END PGP SIGNATURE-----