ASB-2018.0018 - [Win][UNIX/Linux] Oracle Financial Services Applications: Multiple vulnerabilities 2018-01-17

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0018
          Multiple vulnerabilities have been identified in Oracle
                      Financial Services Applications
                              17 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Financial Services Applications
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account            
                      Modify Arbitrary Files          -- Existing Account            
                      Denial of Service               -- Existing Account            
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-2732 CVE-2018-2729 CVE-2018-2728
                      CVE-2018-2727 CVE-2018-2726 CVE-2018-2725
                      CVE-2018-2724 CVE-2018-2723 CVE-2018-2722
                      CVE-2018-2721 CVE-2018-2720 CVE-2018-2719
                      CVE-2018-2716 CVE-2018-2714 CVE-2018-2712
                      CVE-2018-2709 CVE-2018-2708 CVE-2018-2707
                      CVE-2018-2706 CVE-2018-2705 CVE-2018-2704
                      CVE-2018-2692 CVE-2018-2682 CVE-2018-2679
                      CVE-2018-2674 CVE-2018-2670 CVE-2018-2661
                      CVE-2018-2660 CVE-2018-2649 CVE-2018-2648
                      CVE-2018-2630 CVE-2018-2626 CVE-2018-2614
                      CVE-2018-2592  
Member content until: Friday, February 16 2018

OVERVIEW

        Multiple vulnerabilities have been identified in 
         Oracle Banking Corporate Lending, versions  12.3.0,
          12.4.0
         Oracle Banking Payments, versions  12.3.0,  12.4.0
         Oracle Financial Services Analytical Applications
          Infrastructure, versions  7.3.5.x,  8.0.x
         Oracle Financial Services Analytical Applications
          Reconciliation Framework, version  8.0.x
         Oracle Financial Services Asset Liability Management,
          versions  6.1.x,  8.0.x
         Oracle Financial Services Balance Sheet Planning, version
          8.0.x
         Oracle Financial Services Funds Transfer Pricing, versions
          6.1.x,  8.0.x
         Oracle Financial Services Hedge Management and IFRS
          Valuations, version  8.0.x
         Oracle Financial Services Liquidity Risk Management,
          version  8.0.x
         Oracle Financial Services Loan Loss Forecasting and
          Provisioning, version  8.0.x
         Oracle Financial Services Market Risk, version  8.0.x
         Oracle Financial Services Market Risk Measurement and
          Management, version  8.0.5
         Oracle Financial Services Price Creation and Discovery,
          version  8.0.5
         Oracle Financial Services Profitability Management,
          versions  6.1.x,  8.0.x
         Oracle FLEXCUBE Direct Banking, versions  12.0.2,  12.0.3
         Oracle FLEXCUBE Universal Banking, versions  11.3.0,
          11.4.0,  11.5.0,  11.6.0,  11.7.0,  12.0.1,  12.0.2,
          12.0.3,  12.1.0,  12.2.0,  12.3.0,  12.4.0
        [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerabilities:
        
        "This Critical Patch Update contains 34 new security fixes
        for Oracle Financial Services Applications. 13 of these
        vulnerabilities may be remotely exploitable without
        authentication,  i.e.,  may be exploited over a network
        without requiring user credentials." [1]
        
        
        
        "CVE-2018-2706
        
        8.8
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Corporate Lending.  Successful attacks of this
        vulnerability can result in takeover of Oracle Banking
        Corporate Lending.
        
        CVE-2018-2705
        
        8.8
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Payments.  Successful attacks of this vulnerability
        can result in takeover of Oracle Banking Payments.
        
        CVE-2018-2648
        
        8.8
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        FLEXCUBE Universal Banking.  Successful attacks of this
        vulnerability can result in takeover of Oracle FLEXCUBE
        Universal Banking.
        
        CVE-2018-2707
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Corporate Lending.  Successful attacks of this
        vulnerability can result in  unauthorized creation, deletion
        or modification access to critical data or all Oracle
        Banking Corporate Lending accessible data and unauthorized
        ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Banking Corporate Lending.
        
        CVE-2018-2704
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Payments.  Successful attacks of this vulnerability
        can result in  unauthorized creation, deletion or
        modification access to critical data or all Oracle Banking
        Payments accessible data and unauthorized ability to cause a
        hang or frequently repeatable crash (complete DOS) of Oracle
        Banking Payments.
        
        CVE-2018-2723
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Financial Services Asset Liability Management.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Asset Liability Management
        accessible data as well as  unauthorized access to critical
        data or complete access to all Oracle Financial Services
        Asset Liability Management accessible data.
        
        CVE-2018-2592
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Balance Sheet Planning.  Successful attacks of this
        vulnerability can result in  unauthorized creation, deletion
        or modification access to critical data or all Oracle
        Financial Services Balance Sheet Planning accessible data as
        well as  unauthorized access to critical data or complete
        access to all Oracle Financial Services Balance Sheet
        Planning accessible data.
        
        CVE-2018-2729
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Financial Services Funds Transfer Pricing.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Funds Transfer Pricing
        accessible data as well as  unauthorized access to critical
        data or complete access to all Oracle Financial Services
        Funds Transfer Pricing accessible data.
        
        CVE-2018-2725
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Hedge Management and IFRS Valuations.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Hedge Management and IFRS
        Valuations accessible data as well as  unauthorized access
        to critical data or complete access to all Oracle Financial
        Services Hedge Management and IFRS Valuations accessible
        data.
        
        CVE-2018-2720
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Liquidity Risk Management.  Successful attacks of
        this vulnerability can result in  unauthorized creation,
        deletion or modification access to critical data or all
        Oracle Financial Services Liquidity Risk Management
        accessible data as well as  unauthorized access to critical
        data or complete access to all Oracle Financial Services
        Liquidity Risk Management accessible data.
        
        CVE-2018-2724
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Loan Loss Forecasting and Provisioning.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Loan Loss Forecasting and
        Provisioning accessible data as well as  unauthorized access
        to critical data or complete access to all Oracle Financial
        Services Loan Loss Forecasting and Provisioning accessible
        data.
        
        CVE-2018-2726
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Market Risk.  Successful attacks of this
        vulnerability can result in  unauthorized creation, deletion
        or modification access to critical data or all Oracle
        Financial Services Market Risk accessible data as well as
        unauthorized access to critical data or complete access to
        all Oracle Financial Services Market Risk accessible data.
        
        CVE-2018-2727
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.5. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Market Risk Measurement and Management.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Market Risk Measurement and
        Management accessible data as well as  unauthorized access
        to critical data or complete access to all Oracle Financial
        Services Market Risk Measurement and Management accessible
        data.
        
        CVE-2018-2721
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is 8.0.5. Easily
        exploitable vulnerability allows low privileged attacker
        with network access via HTTP to compromise Oracle Financial
        Services Price Creation and Discovery.  Successful attacks
        of this vulnerability can result in  unauthorized creation,
        deletion or modification access to critical data or all
        Oracle Financial Services Price Creation and Discovery
        accessible data as well as  unauthorized access to critical
        data or complete access to all Oracle Financial Services
        Price Creation and Discovery accessible data.
        
        CVE-2018-2679
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Financial Services Profitability Management.  Successful
        attacks of this vulnerability can result in  unauthorized
        creation, deletion or modification access to critical data
        or all Oracle Financial Services Profitability Management
        accessible data as well as  unauthorized access to critical
        data or complete access to all Oracle Financial Services
        Profitability Management accessible data.
        
        CVE-2018-2649
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 and  12.4.0.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        FLEXCUBE Universal Banking.  Successful attacks of this
        vulnerability can result in  unauthorized creation, deletion
        or modification access to critical data or all Oracle
        FLEXCUBE Universal Banking accessible data and unauthorized
        ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle FLEXCUBE Universal Banking.
        
        CVE-2018-2660
        
        7.4
        
        AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
        
        Supported versions that are affected are 7.3.5.x and  8.0.x.
        Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Financial Services Analytical Applications Infrastructure.
        While the vulnerability is in Oracle Financial Services
        Analytical Applications Infrastructure, attacks may
        significantly impact additional products.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle Financial
        Services Analytical Applications Infrastructure accessible
        data as well as  unauthorized read access to a subset of
        Oracle Financial Services Analytical Applications
        Infrastructure accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Oracle
        Financial Services Analytical Applications Infrastructure.
        
        CVE-2018-2661
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 7.3.5.x and  8.0.x.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Financial Services Analytical Applications Infrastructure.
        Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in
        Oracle Financial Services Analytical Applications
        Infrastructure, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in  unauthorized update, insert or delete access to
        some of Oracle Financial Services Analytical Applications
        Infrastructure accessible data as well as  unauthorized read
        access to a subset of Oracle Financial Services Analytical
        Applications Infrastructure accessible data.
        
        CVE-2018-2732
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Analytical Applications Reconciliation Framework.
        Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in
        Oracle Financial Services Analytical Applications
        Reconciliation Framework, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle Financial Services
        Analytical Applications Reconciliation Framework accessible
        data as well as  unauthorized read access to a subset of
        Oracle Financial Services Analytical Applications
        Reconciliation Framework accessible data.
        
        CVE-2018-2692
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Financial Services Asset Liability Management.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Asset Liability Management, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Financial Services
        Asset Liability Management accessible data as well as
        unauthorized read access to a subset of Oracle Financial
        Services Asset Liability Management accessible data.
        
        CVE-2018-2626
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Balance Sheet Planning.  Successful attacks require
        human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Financial Services
        Balance Sheet Planning, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in  unauthorized update, insert or
        delete access to some of Oracle Financial Services Balance
        Sheet Planning accessible data as well as  unauthorized read
        access to a subset of Oracle Financial Services Balance
        Sheet Planning accessible data.
        
        CVE-2018-2728
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Financial Services Funds Transfer Pricing.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Funds Transfer Pricing, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Financial Services
        Funds Transfer Pricing accessible data as well as
        unauthorized read access to a subset of Oracle Financial
        Services Funds Transfer Pricing accessible data.
        
        CVE-2018-2719
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Hedge Management and IFRS Valuations.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Hedge Management and IFRS Valuations,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle Financial Services Hedge Management and IFRS
        Valuations accessible data as well as  unauthorized read
        access to a subset of Oracle Financial Services Hedge
        Management and IFRS Valuations accessible data.
        
        CVE-2018-2682
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Liquidity Risk Management.  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle Financial
        Services Liquidity Risk Management, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Financial Services
        Liquidity Risk Management accessible data as well as
        unauthorized read access to a subset of Oracle Financial
        Services Liquidity Risk Management accessible data.
        
        CVE-2018-2712
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Loan Loss Forecasting and Provisioning.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Loan Loss Forecasting and Provisioning,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle Financial Services Loan Loss Forecasting and
        Provisioning accessible data as well as  unauthorized read
        access to a subset of Oracle Financial Services Loan Loss
        Forecasting and Provisioning accessible data.
        
        CVE-2018-2714
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.x. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Market Risk.  Successful attacks require human
        interaction from a person other than the attacker and while
        the vulnerability is in Oracle Financial Services Market
        Risk, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle Financial Services Market Risk accessible data as
        well as  unauthorized read access to a subset of Oracle
        Financial Services Market Risk accessible data.
        
        CVE-2018-2716
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.5. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Market Risk Measurement and Management.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Market Risk Measurement and Management,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle Financial Services Market Risk Measurement and
        Management accessible data as well as  unauthorized read
        access to a subset of Oracle Financial Services Market Risk
        Measurement and Management accessible data.
        
        CVE-2018-2722
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is 8.0.5. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle Financial
        Services Price Creation and Discovery.  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle Financial
        Services Price Creation and Discovery, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Financial Services
        Price Creation and Discovery accessible data as well as
        unauthorized read access to a subset of Oracle Financial
        Services Price Creation and Discovery accessible data.
        
        CVE-2018-2670
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 6.1.x and  8.0.x.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Financial Services Profitability Management.  Successful
        attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle
        Financial Services Profitability Management, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in  unauthorized update,
        insert or delete access to some of Oracle Financial Services
        Profitability Management accessible data as well as
        unauthorized read access to a subset of Oracle Financial
        Services Profitability Management accessible data.
        
        CVE-2018-2674
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Supported versions that are affected are 12.0.2 and  12.0.3.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        FLEXCUBE Direct Banking.  Successful attacks require human
        interaction from a person other than the attacker and while
        the vulnerability is in Oracle FLEXCUBE Direct Banking,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Oracle FLEXCUBE Direct Banking accessible data as well as
        unauthorized read access to a subset of Oracle FLEXCUBE
        Direct Banking accessible data.
        
        CVE-2018-2630
        
        5.4
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
        
        Supported versions that are affected are 11.5.0, 11.6.0 and
        11.7.0. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to
        compromise Oracle FLEXCUBE Universal Banking.  Successful
        attacks of this vulnerability can result in  unauthorized
        update, insert or delete access to some of Oracle FLEXCUBE
        Universal Banking accessible data as well as  unauthorized
        read access to a subset of Oracle FLEXCUBE Universal Banking
        accessible data.
        
        CVE-2018-2709
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Corporate Lending.  Successful attacks of this
        vulnerability can result in  unauthorized access to critical
        data or complete access to all Oracle Banking Corporate
        Lending accessible data.
        
        CVE-2018-2708
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 12.3.0 and  12.4.0.
        Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        Banking Payments.  Successful attacks of this vulnerability
        can result in  unauthorized access to critical data or
        complete access to all Oracle Banking Payments accessible
        data.
        
        CVE-2018-2614
        
        5.3
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are 11.3.0, 11.4.0,
        12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 and  12.4.0.
        Difficult to exploit vulnerability allows low privileged
        attacker with network access via HTTP to compromise Oracle
        FLEXCUBE Universal Banking.  Successful attacks of this
        vulnerability can result in  unauthorized access to critical
        data or complete access to all Oracle FLEXCUBE Universal
        Banking accessible data." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2018
            http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

        [2] Text Form of Oracle Critical Patch Update - January 2018 Risk
            Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWl7hnIx+lLeg9Ub1AQg4yw/+Kb0afJE4M6w2w9YjbTH+kl7MvqTz1QDi
YZW5HoRGNvFJVlhxW3r3uuyePDquwU0JrZFBPUbHOHPf1A+RFPJc2wSxIlxaJLbL
QiJiF0VxIXUNYxLyywFAhP8NLAbkzGIafNk8s5cMb5lof4fMAOLqoPdGKmbbRhcS
8HvTKTU9jPnw6tOD6zoKo+Ao9+ONDy6wxBUJ2ZWGxADfPcZC1dtFHPnEm3+RnWjG
NI1HPNQEdNzTl0B/WfYNoOIVDDjNLiWOX/fM3gS1Ea7NJsymcw5a0X5uWstt8cnJ
xT7S6oIY08rPq2n1D14Y5t8CCtWK8QQt+RnivGvZbP56pyrdydKCVZc11O1vlW79
cwAy12QUGDIn0shV4xFLMny8/z8nG5NVNMcXRRD8L1Fk6907/0jCc2MQgxdLgNK3
mnTJoOeMl71OcSbQESMdm5FPT96IkMNUFhEb0EDfcPtgzoPQcjRaX4JP3q6Ro6jZ
vzlhpLgHLLJLtrMp0CUbel6Iv0GrpnV/plYQo46mo4cFchlCuhTEnNEGymvMPGdO
gvhfM1fL3nFzD8JRhh+mIhPQeSO7YCjzREENOFQy3NGczEv93yueqJLvbs6+Z93/
CINoPlRQwyLh84hC5QrY+ckF26dqwUTq58m4tgDBHi4VBOr8umJ/Z3JPYHF6MPHR
8iiGtNXVDls=
=IWAV
-----END PGP SIGNATURE-----

« Back to bulletins