Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2023.0200
Oracle Financial Services Applications Critical Patch Update
18 October 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Financial Services Applications
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2023-34981 CVE-2023-34462 CVE-2023-33201
CVE-2023-28439 CVE-2023-26049 CVE-2023-24998
CVE-2023-22946 CVE-2023-22125 CVE-2023-22124
CVE-2023-22123 CVE-2023-22122 CVE-2023-22121
CVE-2023-22119 CVE-2023-22118 CVE-2023-22117
CVE-2023-20883 CVE-2023-20873 CVE-2023-20863
CVE-2023-20862 CVE-2023-2976 CVE-2023-1436
CVE-2023-1370 CVE-2022-48285 CVE-2022-45688
CVE-2022-42003 CVE-2022-41966 CVE-2022-41881
CVE-2022-36033 CVE-2022-33980 CVE-2022-29577
CVE-2022-3171 CVE-2022-1471 CVE-2021-41165
CVE-2021-37533
Comment: CVSS (Max): 9.9 CVE-2023-22946 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Oracle
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
OVERVIEW
Multiple vulnerabilities have been identified in :
o Oracle Banking APIs, versions 18.3, 19.1, 19.2, 21.1, 22.1,
22.2
o Oracle Banking Branch, versions 14.5-14.7
o Oracle Banking Cash Management, versions 14.5-14.7
o Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7
o Oracle Banking Corporate Lending Process Management, versions
14.5-14.7
o Oracle Banking Credit Facilities Process Management, versions
14.5-14.7
o Oracle Banking Deposits and Lines of Credit Servicing, versions
2.7, 2.12
o Oracle Banking Digital Experience, versions 18.3, 19.1, 19.2,
21.1, 22.1, 22.2
o Oracle Banking Electronic Data Exchange for Corporates,
versions 14.5-14.7
o Oracle Banking Liquidity Management, versions 14.5-14.7
o Oracle Banking Loans Servicing, version 2.12
o Oracle Banking Origination, versions 14.5-14.7
o Oracle Banking Party Management, version 2.7
o Oracle Banking Payments, versions 14.0-14.3, 14.5-14.7
o Oracle Banking Platform, versions 2.6.2, 2.9.0
o Oracle Banking Supply Chain Finance, versions 14.5-14.7
o Oracle Banking Trade Finance, versions 14.5-14.7
o Oracle Banking Trade Finance Process Management, versions
14.5-14.7
o Oracle Banking Virtual Account Management, versions 14.5-14.7
o Oracle Financial Services Cash Flow Engine, version 8.1.2.0.0
o Oracle Financial Services Model Management and Governance,
versions 8.1.2.3, 8.1.2.4
o Oracle FLEXCUBE Core Banking, versions 11.6-11.8, 11.10, 11.11
o Oracle FLEXCUBE Enterprise Limits and Collateral Management,
versions 12.3, 12.4, 14.0-14.3, 14.5-14.7
o Oracle FLEXCUBE Universal Banking, versions 12.3, 12.4,
14.0-14.3, 14.5-14.7
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 103 new security patches, plus
additional third party patches noted below, for Oracle Financial
Services Applications. 49 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials." [1]
"CVE-2023-22946
9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Financial Services Model
Management and Governance. While the vulnerability is in Oracle
Financial Services Model Management and Governance, attacks may
significantly impact additional products (scope change). Successful
attacks of this vulnerability can result in takeover of Oracle
Financial Services Model Management and Governance.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2022-1471
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 2.7 and 2.12. Easily
exploitable vulnerability allows high privileged attacker with
network access via HTTP to compromise Oracle Banking Deposits and
Lines of Credit Servicing. Successful attacks of this vulnerability
can result in takeover of Oracle Banking Deposits and Lines of Credit
Servicing.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12
o Oracle Banking Loans Servicing 2.12
o Oracle Banking Party Management 2.7
o Oracle FLEXCUBE Core Banking 11.10, 11.11
CVE-2023-20873
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks of this vulnerability
can result in takeover of Oracle Financial Services Model Management
and Governance.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2023-20883
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 21.1, 22.1 and 22.2. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking APIs. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of Oracle
Banking APIs.
Affects:
o Oracle Banking APIs 21.1, 22.1, 22.2
o Oracle Banking Branch 14.5-14.7
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Electronic Data Exchange for Corporates
14.5-14.7
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Payments 14.0-14.3, 14.5-14.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
o Oracle FLEXCUBE Universal Banking 14.5-14.7
CVE-2022-42003
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 2.7 and 2.12. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking Deposits and
Lines of Credit Servicing. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Banking Deposits and Lines
of Credit Servicing.
Affects:
o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12
CVE-2022-45688
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1
and 22.2. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle Banking
Digital Experience. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Banking Digital Experience.
Affects:
o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1,
22.2
CVE-2022-41966
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 21.1, 22.1 and 22.2. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking Digital
Experience. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Banking Digital Experience.
Affects:
o Oracle Banking Digital Experience 21.1, 22.1, 22.2
CVE-2022-3171
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 2.9.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Banking Platform. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle Banking
Platform.
Affects:
o Oracle Banking Platform 2.9.0
CVE-2022-41881
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 2.6.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Banking Platform. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle Banking
Platform.
Affects:
o Oracle Banking Platform 2.6.2
CVE-2023-24998
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 11.6-11.8, 11.10 and 11.11.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle FLEXCUBE Core Banking.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of Oracle FLEXCUBE Core Banking.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11
CVE-2023-34981
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle Financial Services Model Management and Governance
accessible data.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2023-1370
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Financial Services Model
Management and Governance.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2023-1436
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 11.6-11.8, 11.10 and 11.11.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle FLEXCUBE Core Banking.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of Oracle FLEXCUBE Core Banking.
Affects:
o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11
CVE-2022-48285
7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks of this vulnerability
can result in unauthorized update, insert or delete access to some of
Oracle Financial Services Model Management and Governance accessible
data as well as unauthorized read access to a subset of Oracle
Financial Services Model Management and Governance accessible data
and unauthorized ability to cause a partial denial of service
(partial DOS) of Oracle Financial Services Model Management and
Governance.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2022-33980
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 2.7. Easily exploitable
vulnerability allows high privileged attacker with network access via
HTTP to compromise Oracle Banking Deposits and Lines of Credit
Servicing. Successful attacks of this vulnerability can result in
takeover of Oracle Banking Deposits and Lines of Credit Servicing.
Affects:
o Oracle Banking Deposits and Lines of Credit Servicing 2.7
CVE-2023-2976
7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1
and 22.2. Easily exploitable vulnerability allows low privileged
attacker with logon to the infrastructure where Oracle Banking APIs
executes to compromise Oracle Banking APIs. Successful attacks of
this vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all Oracle Banking APIs
accessible data as well as unauthorized access to critical data or
complete access to all Oracle Banking APIs accessible data.
Affects:
o Oracle Banking APIs 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
o Oracle Banking Branch 14.5-14.7
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Corporate Lending 14.0-14.3, 14.5-14.7
o Oracle Banking Corporate Lending Process Management 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1,
22.2
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Payments 14.0-14.3, 14.5-14.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
o Oracle FLEXCUBE Enterprise Limits and Collateral Management
12.3, 12.4, 14.0-14.3, 14.5-14.7
CVE-2023-20863
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 21.1, 22.1 and 22.2. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking APIs. Successful attacks
of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of Oracle Banking
APIs.
Affects:
o Oracle Banking APIs 21.1, 22.1, 22.2
o Oracle Banking Branch 14.5-14.7
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Corporate Lending 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Digital Experience 21.1, 22.1, 22.2
o Oracle Banking Electronic Data Exchange for Corporates
14.5-14.7
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
o Oracle Banking Virtual Account Management 14.5-14.7
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
o Oracle FLEXCUBE Universal Banking 14.5-14.7
CVE-2023-34462
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Cash Management.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of Oracle Banking Cash Management.
Affects:
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Deposits and Lines of Credit Servicing 2.7
o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1,
22.2
o Oracle Banking Electronic Data Exchange for Corporates
14.5-14.7
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Party Management 2.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
o Oracle Banking Virtual Account Management 14.5-14.7
o Oracle FLEXCUBE Universal Banking 14.5-14.7
CVE-2021-37533
6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Supported versions that are affected are 11.6-11.8, 11.10 and 11.11.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle FLEXCUBE Core Banking.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle
FLEXCUBE Core Banking accessible data.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11
CVE-2023-22118
6.5 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and
14.5-14.7. Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise Oracle FLEXCUBE
Universal Banking. Successful attacks require human interaction from
a person other than the attacker and while the vulnerability is in
Oracle FLEXCUBE Universal Banking, attacks may significantly impact
additional products (scope change). Successful attacks of this
vulnerability can result in unauthorized update, insert or delete
access to some of Oracle FLEXCUBE Universal Banking accessible data
as well as unauthorized read access to a subset of Oracle FLEXCUBE
Universal Banking accessible data and unauthorized ability to cause a
partial denial of service (partial DOS) of Oracle FLEXCUBE Universal
Banking.
Affects:
o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3,
14.5-14.7
CVE-2023-20862
6.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks of this vulnerability
can result in unauthorized update, insert or delete access to some of
Oracle Financial Services Model Management and Governance accessible
data as well as unauthorized read access to a subset of Oracle
Financial Services Model Management and Governance accessible data
and unauthorized ability to cause a partial denial of service
(partial DOS) of Oracle Financial Services Model Management and
Governance.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4
CVE-2022-29577
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 2.7 and 2.12. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking Deposits and
Lines of Credit Servicing. Successful attacks require human
interaction from a person other than the attacker and while the
vulnerability is in Oracle Banking Deposits and Lines of Credit
Servicing, attacks may significantly impact additional products
(scope change). Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of Oracle
Banking Deposits and Lines of Credit Servicing accessible data as
well as unauthorized read access to a subset of Oracle Banking
Deposits and Lines of Credit Servicing accessible data.
Affects:
o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12
CVE-2023-28439
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is 2.7. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Banking Deposits and Lines of Credit
Servicing. Successful attacks require human interaction from a person
other than the attacker and while the vulnerability is in Oracle
Banking Deposits and Lines of Credit Servicing, attacks may
significantly impact additional products (scope change). Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Banking Deposits and Lines
of Credit Servicing accessible data as well as unauthorized read
access to a subset of Oracle Banking Deposits and Lines of Credit
Servicing accessible data.
Affects:
o Oracle Banking Deposits and Lines of Credit Servicing 2.7
CVE-2022-36033
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Financial Services Model
Management and Governance. Successful attacks require human
interaction from a person other than the attacker and while the
vulnerability is in Oracle Financial Services Model Management and
Governance, attacks may significantly impact additional products
(scope change). Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of Oracle
Financial Services Model Management and Governance accessible data as
well as unauthorized read access to a subset of Oracle Financial
Services Model Management and Governance accessible data.
Affects:
o Oracle Financial Services Model Management and Governance
8.1.2.3,8.1.2.4
CVE-2023-22122
5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Supported versions that are affected are 14.5-14.7. Difficult to
exploit vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Trade Finance.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle
Banking Trade Finance accessible data as well as unauthorized update,
insert or delete access to some of Oracle Banking Trade Finance
accessible data and unauthorized ability to cause a partial denial of
service (partial DOS) of Oracle Banking Trade Finance.
Affects:
o Oracle Banking Trade Finance 14.5-14.7
CVE-2023-22119
5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and
14.5-14.7. Difficult to exploit vulnerability allows low privileged
attacker with network access via HTTP to compromise Oracle FLEXCUBE
Universal Banking. Successful attacks require human interaction from
a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized access to critical data or
complete access to all Oracle FLEXCUBE Universal Banking accessible
data as well as unauthorized update, insert or delete access to some
of Oracle FLEXCUBE Universal Banking accessible data and unauthorized
ability to cause a partial denial of service (partial DOS) of Oracle
FLEXCUBE Universal Banking.
Affects:
o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3,
14.5-14.7
CVE-2021-41165
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is 2.7. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise Oracle Banking Party Management. Successful
attacks require human interaction from a person other than the
attacker and while the vulnerability is in Oracle Banking Party
Management, attacks may significantly impact additional products
(scope change). Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of Oracle
Banking Party Management accessible data as well as unauthorized read
access to a subset of Oracle Banking Party Management accessible
data.
Affects:
o Oracle Banking Party Management 2.7
CVE-2023-22121
5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking Trade Finance.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
Banking Trade Finance accessible data as well as unauthorized read
access to a subset of Oracle Banking Trade Finance accessible data.
Affects:
o Oracle Banking Trade Finance 14.5-14.7
CVE-2023-22123
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Trade Finance.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle Banking Trade
Finance, attacks may significantly impact additional products (scope
change). Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
Banking Trade Finance accessible data as well as unauthorized read
access to a subset of Oracle Banking Trade Finance accessible data.
Affects:
o Oracle Banking Trade Finance 14.5-14.7
CVE-2023-22124
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Trade Finance.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle Banking Trade
Finance, attacks may significantly impact additional products (scope
change). Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
Banking Trade Finance accessible data as well as unauthorized read
access to a subset of Oracle Banking Trade Finance accessible data.
Affects:
o Oracle Banking Trade Finance 14.5-14.7
CVE-2023-22125
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise Oracle Banking Trade Finance.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle Banking Trade
Finance, attacks may significantly impact additional products (scope
change). Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
Banking Trade Finance accessible data as well as unauthorized read
access to a subset of Oracle Banking Trade Finance accessible data.
Affects:
o Oracle Banking Trade Finance 14.5-14.7
CVE-2023-22117
5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and
14.5-14.7. Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise Oracle FLEXCUBE
Universal Banking. Successful attacks require human interaction from
a person other than the attacker and while the vulnerability is in
Oracle FLEXCUBE Universal Banking, attacks may significantly impact
additional products (scope change). Successful attacks of this
vulnerability can result in unauthorized update, insert or delete
access to some of Oracle FLEXCUBE Universal Banking accessible data
as well as unauthorized read access to a subset of Oracle FLEXCUBE
Universal Banking accessible data.
Affects:
o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3,
14.5-14.7
CVE-2023-33201
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1
and 22.2. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTPS to compromise Oracle Banking
APIs. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle Banking APIs
accessible data.
Affects:
o Oracle Banking APIs 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
o Oracle Banking Branch 14.5-14.7
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1,
22.2
o Oracle Banking Electronic Data Exchange for Corporates
14.5-14.7
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
CVE-2023-26049
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 14.5-14.7. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Banking Cash Management.
Successful attacks of this vulnerability can result in unauthorized
read access to a subset of Oracle Banking Cash Management accessible
data.
Affects:
o Oracle Banking Cash Management 14.5-14.7
o Oracle Banking Credit Facilities Process Management 14.5-14.7
o Oracle Banking Electronic Data Exchange for Corporates
14.5-14.7
o Oracle Banking Liquidity Management 14.5-14.7
o Oracle Banking Origination 14.5-14.7
o Oracle Banking Supply Chain Finance 14.5-14.7
o Oracle Banking Trade Finance Process Management 14.5-14.7
o Oracle Banking Virtual Account Management 14.5-14.7
o Oracle Financial Services Model Management and Governance
8.1.2.3, 8.1.2.4" [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - October 2023
https://www.oracle.com/security-alerts/cpuoct2023.html
[2] Text Form of Oracle Critical Patch Update - October 2023 Risk
Matrices
https://www.oracle.com/security-alerts/cpuoct2023verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZS89UckNZI30y1K9AQhC8hAAp3oBm+gTeYlc+mOfedxWpjABFtb0dZQm
hK2tUrT+oNVN9saTbas6zwUuCX7bLDDtW+tTE3A+Zc1J6qvrn8M6YxSOk5pt1N7s
sGP6pBMo5cJPUelkUS6xAsd5zKjtAWb/sa3cEyw78Ji3XMZ33dxVVm+d/ys5/Niv
w2Il+bOocY6AUq6mGxfad+O1PlBvQdnYvgSdA3R4umYFKp7obRWuWpxSTCKckcyA
D27O6dsfdvKpZJxyorcmWmAfjJAeXZE5FoDTroewcH0h3Oys7Z0rtjLkKiL/20Hd
AsIDMQjwEK9WaJbaq35wc5Gd4JIyF93zALoJrMoeF3eoPSMMHDZ4gTuQJxtehJPZ
an2GF71Dx075+D2i+l265eeKqQJFp70EwDyjjp5KG5pc+uKfQvzbljjcHNEGQ8SU
GQPFMHvPRsm6egkWdlemiE31xJ3PWbof5AbEdxP9Nfz/EvQdV+auVMpeqQrcRNgM
nCAM56bCRyDNLQ+8+EclhvqZUyF7uEdX9CU2VQTM5gY88NJF5MbQR4hLxklP9e8D
DGQuc/NeBflMJdq1iXT2Ivq2SgCWlqAL0GRy+WddmKE2Bc7cdS6qRbfV11HYBtUK
tadBsYULMbNg9f8ntclufrjlK7BMsekBEiz5qaPJNLeurLxOjWkgbzGA37vCYIxD
0g75epX3Ojw=
=21Sa
-----END PGP SIGNATURE-----