Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2023.0200 Oracle Financial Services Applications Critical Patch Update 18 October 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Oracle Financial Services Applications Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2023-34981 CVE-2023-34462 CVE-2023-33201 CVE-2023-28439 CVE-2023-26049 CVE-2023-24998 CVE-2023-22946 CVE-2023-22125 CVE-2023-22124 CVE-2023-22123 CVE-2023-22122 CVE-2023-22121 CVE-2023-22119 CVE-2023-22118 CVE-2023-22117 CVE-2023-20883 CVE-2023-20873 CVE-2023-20863 CVE-2023-20862 CVE-2023-2976 CVE-2023-1436 CVE-2023-1370 CVE-2022-48285 CVE-2022-45688 CVE-2022-42003 CVE-2022-41966 CVE-2022-41881 CVE-2022-36033 CVE-2022-33980 CVE-2022-29577 CVE-2022-3171 CVE-2022-1471 CVE-2021-41165 CVE-2021-37533 Comment: CVSS (Max): 9.9 CVE-2023-22946 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSS Source: Oracle Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H OVERVIEW Multiple vulnerabilities have been identified in : o Oracle Banking APIs, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Branch, versions 14.5-14.7 o Oracle Banking Cash Management, versions 14.5-14.7 o Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7 o Oracle Banking Corporate Lending Process Management, versions 14.5-14.7 o Oracle Banking Credit Facilities Process Management, versions 14.5-14.7 o Oracle Banking Deposits and Lines of Credit Servicing, versions 2.7, 2.12 o Oracle Banking Digital Experience, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Electronic Data Exchange for Corporates, versions 14.5-14.7 o Oracle Banking Liquidity Management, versions 14.5-14.7 o Oracle Banking Loans Servicing, version 2.12 o Oracle Banking Origination, versions 14.5-14.7 o Oracle Banking Party Management, version 2.7 o Oracle Banking Payments, versions 14.0-14.3, 14.5-14.7 o Oracle Banking Platform, versions 2.6.2, 2.9.0 o Oracle Banking Supply Chain Finance, versions 14.5-14.7 o Oracle Banking Trade Finance, versions 14.5-14.7 o Oracle Banking Trade Finance Process Management, versions 14.5-14.7 o Oracle Banking Virtual Account Management, versions 14.5-14.7 o Oracle Financial Services Cash Flow Engine, version 8.1.2.0.0 o Oracle Financial Services Model Management and Governance, versions 8.1.2.3, 8.1.2.4 o Oracle FLEXCUBE Core Banking, versions 11.6-11.8, 11.10, 11.11 o Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7 o Oracle FLEXCUBE Universal Banking, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7 [1] IMPACT The vendor has provided the following information regarding the vulnerabilities: "This Critical Patch Update contains 103 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1] "CVE-2023-22946 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. While the vulnerability is in Oracle Financial Services Model Management and Governance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Model Management and Governance. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2022-1471 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 2.7 and 2.12. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks of this vulnerability can result in takeover of Oracle Banking Deposits and Lines of Credit Servicing. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12 o Oracle Banking Loans Servicing 2.12 o Oracle Banking Party Management 2.7 o Oracle FLEXCUBE Core Banking 11.10, 11.11 CVE-2023-20873 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Model Management and Governance. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2023-20883 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking APIs. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking APIs. Affects: o Oracle Banking APIs 21.1, 22.1, 22.2 o Oracle Banking Branch 14.5-14.7 o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Electronic Data Exchange for Corporates 14.5-14.7 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Payments 14.0-14.3, 14.5-14.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 o Oracle FLEXCUBE Universal Banking 14.5-14.7 CVE-2022-42003 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 2.7 and 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Deposits and Lines of Credit Servicing. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12 CVE-2022-45688 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Digital Experience. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Digital Experience. Affects: o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2022-41966 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Digital Experience. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Digital Experience. Affects: o Oracle Banking Digital Experience 21.1, 22.1, 22.2 CVE-2022-3171 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The supported version that is affected is 2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Platform. Affects: o Oracle Banking Platform 2.9.0 CVE-2022-41881 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The supported version that is affected is 2.6.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Platform. Affects: o Oracle Banking Platform 2.6.2 CVE-2023-24998 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 11.6-11.8, 11.10 and 11.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle FLEXCUBE Core Banking. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11 CVE-2023-34981 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Model Management and Governance accessible data. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2023-1370 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Model Management and Governance. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2023-1436 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 11.6-11.8, 11.10 and 11.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle FLEXCUBE Core Banking. Affects: o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11 CVE-2022-48285 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Model Management and Governance accessible data as well as unauthorized read access to a subset of Oracle Financial Services Model Management and Governance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Model Management and Governance. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2022-33980 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H The supported version that is affected is 2.7. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks of this vulnerability can result in takeover of Oracle Banking Deposits and Lines of Credit Servicing. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7 CVE-2023-2976 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Banking APIs executes to compromise Oracle Banking APIs. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking APIs accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking APIs accessible data. Affects: o Oracle Banking APIs 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Branch 14.5-14.7 o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Corporate Lending 14.0-14.3, 14.5-14.7 o Oracle Banking Corporate Lending Process Management 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Payments 14.0-14.3, 14.5-14.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 o Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-20863 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking APIs. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking APIs. Affects: o Oracle Banking APIs 21.1, 22.1, 22.2 o Oracle Banking Branch 14.5-14.7 o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Corporate Lending 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Digital Experience 21.1, 22.1, 22.2 o Oracle Banking Electronic Data Exchange for Corporates 14.5-14.7 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 o Oracle Banking Virtual Account Management 14.5-14.7 o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 o Oracle FLEXCUBE Universal Banking 14.5-14.7 CVE-2023-34462 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Cash Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Cash Management. Affects: o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Deposits and Lines of Credit Servicing 2.7 o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Electronic Data Exchange for Corporates 14.5-14.7 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Party Management 2.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 o Oracle Banking Virtual Account Management 14.5-14.7 o Oracle FLEXCUBE Universal Banking 14.5-14.7 CVE-2021-37533 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Supported versions that are affected are 11.6-11.8, 11.10 and 11.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Core Banking accessible data. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 o Oracle FLEXCUBE Core Banking 11.6-11.8, 11.10, 11.11 CVE-2023-22118 6.5 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Universal Banking, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-20862 6.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Model Management and Governance accessible data as well as unauthorized read access to a subset of Oracle Financial Services Model Management and Governance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Model Management and Governance. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4 CVE-2022-29577 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 2.7 and 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Deposits and Lines of Credit Servicing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Deposits and Lines of Credit Servicing accessible data as well as unauthorized read access to a subset of Oracle Banking Deposits and Lines of Credit Servicing accessible data. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7, 2.12 CVE-2023-28439 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N The supported version that is affected is 2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Deposits and Lines of Credit Servicing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Deposits and Lines of Credit Servicing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Deposits and Lines of Credit Servicing accessible data as well as unauthorized read access to a subset of Oracle Banking Deposits and Lines of Credit Servicing accessible data. Affects: o Oracle Banking Deposits and Lines of Credit Servicing 2.7 CVE-2022-36033 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 8.1.2.3 and 8.1.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Model Management and Governance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Model Management and Governance accessible data as well as unauthorized read access to a subset of Oracle Financial Services Model Management and Governance accessible data. Affects: o Oracle Financial Services Model Management and Governance 8.1.2.3,8.1.2.4 CVE-2023-22122 5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Supported versions that are affected are 14.5-14.7. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data as well as unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance. Affects: o Oracle Banking Trade Finance 14.5-14.7 CVE-2023-22119 5.9 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and 14.5-14.7. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle FLEXCUBE Universal Banking. Affects: o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2021-41165 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N The supported version that is affected is 2.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Party Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Party Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Party Management accessible data as well as unauthorized read access to a subset of Oracle Banking Party Management accessible data. Affects: o Oracle Banking Party Management 2.7 CVE-2023-22121 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data as well as unauthorized read access to a subset of Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5-14.7 CVE-2023-22123 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Trade Finance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data as well as unauthorized read access to a subset of Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5-14.7 CVE-2023-22124 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Trade Finance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data as well as unauthorized read access to a subset of Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5-14.7 CVE-2023-22125 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Banking Trade Finance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Trade Finance accessible data as well as unauthorized read access to a subset of Oracle Banking Trade Finance accessible data. Affects: o Oracle Banking Trade Finance 14.5-14.7 CVE-2023-22117 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Supported versions that are affected are 12.3, 12.4, 14.0-14.3 and 14.5-14.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Universal Banking, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data. Affects: o Oracle FLEXCUBE Universal Banking 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-33201 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Supported versions that are affected are 18.3, 19.1, 19.2, 21.1, 22.1 and 22.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking APIs. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Banking APIs accessible data. Affects: o Oracle Banking APIs 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Branch 14.5-14.7 o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Digital Experience 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 o Oracle Banking Electronic Data Exchange for Corporates 14.5-14.7 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 CVE-2023-26049 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Supported versions that are affected are 14.5-14.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Cash Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Banking Cash Management accessible data. Affects: o Oracle Banking Cash Management 14.5-14.7 o Oracle Banking Credit Facilities Process Management 14.5-14.7 o Oracle Banking Electronic Data Exchange for Corporates 14.5-14.7 o Oracle Banking Liquidity Management 14.5-14.7 o Oracle Banking Origination 14.5-14.7 o Oracle Banking Supply Chain Finance 14.5-14.7 o Oracle Banking Trade Finance Process Management 14.5-14.7 o Oracle Banking Virtual Account Management 14.5-14.7 o Oracle Financial Services Model Management and Governance 8.1.2.3, 8.1.2.4" [2] MITIGATION Oracle states: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1] REFERENCES [1] Oracle Critical Patch Update Advisory - October 2023 https://www.oracle.com/security-alerts/cpuoct2023.html [2] Text Form of Oracle Critical Patch Update - October 2023 Risk Matrices https://www.oracle.com/security-alerts/cpuoct2023verbose.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZS89UckNZI30y1K9AQhC8hAAp3oBm+gTeYlc+mOfedxWpjABFtb0dZQm hK2tUrT+oNVN9saTbas6zwUuCX7bLDDtW+tTE3A+Zc1J6qvrn8M6YxSOk5pt1N7s sGP6pBMo5cJPUelkUS6xAsd5zKjtAWb/sa3cEyw78Ji3XMZ33dxVVm+d/ys5/Niv w2Il+bOocY6AUq6mGxfad+O1PlBvQdnYvgSdA3R4umYFKp7obRWuWpxSTCKckcyA D27O6dsfdvKpZJxyorcmWmAfjJAeXZE5FoDTroewcH0h3Oys7Z0rtjLkKiL/20Hd AsIDMQjwEK9WaJbaq35wc5Gd4JIyF93zALoJrMoeF3eoPSMMHDZ4gTuQJxtehJPZ an2GF71Dx075+D2i+l265eeKqQJFp70EwDyjjp5KG5pc+uKfQvzbljjcHNEGQ8SU GQPFMHvPRsm6egkWdlemiE31xJ3PWbof5AbEdxP9Nfz/EvQdV+auVMpeqQrcRNgM nCAM56bCRyDNLQ+8+EclhvqZUyF7uEdX9CU2VQTM5gY88NJF5MbQR4hLxklP9e8D DGQuc/NeBflMJdq1iXT2Ivq2SgCWlqAL0GRy+WddmKE2Bc7cdS6qRbfV11HYBtUK tadBsYULMbNg9f8ntclufrjlK7BMsekBEiz5qaPJNLeurLxOjWkgbzGA37vCYIxD 0g75epX3Ojw= =21Sa -----END PGP SIGNATURE-----