Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2021.0072
Oracle Retail Applications Critical Patch Update
21 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Retail Applications Products
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Root Compromise -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27218 CVE-2020-17521 CVE-2020-11987
CVE-2020-11979 CVE-2020-10683 CVE-2020-9488
CVE-2020-5421 CVE-2019-10086 CVE-2019-3740
CVE-2019-0228 CVE-2017-12626
Reference: ASB-2021.0066
ASB-2021.0029
ASB-2021.0020
ESB-2020.3513
ESB-2018.0296
OVERVIEW
Multiple vulnerabilities have been identified in :
o Oracle Retail Advanced Inventory Planning, version 14.1
o Oracle Retail Assortment Planning, version 16.0.3
o Oracle Retail Back Office, version 14.1
o Oracle Retail Category Management Planning & Optimization,
version 16.0.3
o Oracle Retail Central Office, version 14.1
o Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1,
19.0.1, 20.0.0
o Oracle Retail Insights Cloud Service Suite, version 19.0
o Oracle Retail Item Planning, version 16.0.3
o Oracle Retail Macro Space Optimization, version 16.0.3
o Oracle Retail Merchandise Financial Planning, version 16.0.3
o Oracle Retail Merchandising System, version 16.0.3
o Oracle Retail Point-of-Service, version 14.1
o Oracle Retail Predictive Application Server, versions 14.1,
15.0, 16.0
o Oracle Retail Regular Price Optimization, version 16.0.3
o Oracle Retail Replenishment Optimization, version 16.0.3
o Oracle Retail Returns Management, version 14.1
o Oracle Retail Sales Audit, version 14.0
o Oracle Retail Size Profile Optimization, version 16.0.3
o Oracle Retail Store Inventory Management, versions 14.1.3.10,
15.0.3.5, 16.0.3.5
o Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6,
17.0.4, 18.0.3, 19.0.2
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 35 new security patches for
Oracle Retail Applications. 31 of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be exploited
over a network without requiring user credentials." [1]
CVE-2020-10683
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 15.0.4, 16.0.6, 17.0.4 and
18.0.3. Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise Oracle Retail
Xstore Point of Service. Successful attacks of this vulnerability can
result in takeover of Oracle Retail Xstore Point of Service.
Affects:
o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4,
18.0.3
CVE-2019-0228
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 16.0.6 and 18.0.3. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Retail Xstore Point of
Service. Successful attacks of this vulnerability can result in
takeover of Oracle Retail Xstore Point of Service.
Affects:
o Oracle Retail Xstore Point of Service 16.0.6, 18.0.3
[WARNING] Found details of CVE vary depending upon products
CVE-2020-5421
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 14.1. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise Oracle Retail Predictive Application Server.
Successful attacks of this vulnerability can result in takeover of
Oracle Retail Predictive Application Server.
Affects:
o Oracle Retail Predictive Application Server 14.1
o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4,
18.0.3, 19.0.2,
CVE-2020-11979
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The supported version that is affected is 14.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Retail Advanced Inventory Planning.
Successful attacks of this vulnerability can result in unauthorized
creation, deletion or modification access to critical data or all
Oracle Retail Advanced Inventory Planning accessible data.
Affects:
o Oracle Retail Advanced Inventory Planning 14.1
o Oracle Retail Assortment Planning 16.0.3
o Oracle Retail Category Management Planning & Optimization
16.0.3
o Oracle Retail EFTLink 19.0.1, 20.0.0
o Oracle Retail Item Planning 16.0.3
o Oracle Retail Macro Space Optimization 16.0.3
o Oracle Retail Merchandise Financial Planning 16.0.3
o Oracle Retail Merchandising System 16.0.3
o Oracle Retail Predictive Application Server 14.1
o Oracle Retail Regular Price Optimization 16.0.3
o Oracle Retail Replenishment Optimization 16.0.3
o Oracle Retail Size Profile Optimization 16.0.3
o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4,
18.0.3, 19.0.2
CVE-2020-11987
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The supported version that is affected is 14.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Retail Back Office. Successful attacks of
this vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all Oracle Retail Back Office
accessible data.
Affects:
o Oracle Retail Back Office 14.1
o Oracle Retail Central Office 14.1
o Oracle Retail Point-of-Service 14.1
o Oracle Retail Returns Management 14.1
CVE-2017-12626
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 14.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Retail Sales Audit. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle Retail Sales
Audit.
Affects:
o Oracle Retail Sales Audit 14.0
CVE-2019-10086
7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
The supported version that is affected is 14.1. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Retail Advanced Inventory Planning.
Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Retail Advanced
Inventory Planning accessible data as well as unauthorized read
access to a subset of Oracle Retail Advanced Inventory Planning
accessible data and unauthorized ability to cause a partial denial of
service (partial DOS) of Oracle Retail Advanced Inventory Planning.
Affects:
o Oracle Retail Advanced Inventory Planning 14.1
o Oracle Retail Back Office 14.1
o Oracle Retail Central Office 14.1
o Oracle Retail Point-of-Service 14.1
o Oracle Retail Predictive Application Server 16.0
o Oracle Retail Returns Management 14.1
CVE-2019-3740
6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
The supported version that is affected is 15.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTPS to compromise Oracle Retail Predictive Application Server.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle
Retail Predictive Application Server accessible data.
Affects:
o Oracle Retail Predictive Application Server 15.0
[WARNING] Found details of CVE vary depending upon products
CVE-2020-17521
5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 16.0.3. Easily exploitable
vulnerability allows low privileged attacker with logon to the
infrastructure where Oracle Retail Merchandising System executes to
compromise Oracle Retail Merchandising System. Successful attacks of
this vulnerability can result in unauthorized access to critical data
or complete access to all Oracle Retail Merchandising System
accessible data.
Affects:
o Oracle Retail Merchandising System 16.0.3
o Oracle Retail Store Inventory Management 14.1.3.10, 15.0.3.5,
16.0.3.5
CVE-2020-27218
4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
The supported version that is affected is 20.0.0. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via HTTP to compromise Oracle Retail EFTLink. Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Retail EFTLink accessible
data and unauthorized ability to cause a partial denial of service
(partial DOS) of Oracle Retail EFTLink.
Affects:
o Oracle Retail EFTLink 20.0.0
[WARNING] Found details of CVE vary depending upon products
[WARNING] Found details of CVE vary depending upon products
CVE-2020-9488
3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Supported versions that are affected are 15.0.2, 16.0.3, 17.0.2,
18.0.1 and 19.0.1. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via HTTP to compromise
Oracle Retail EFTLink. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of Oracle Retail
EFTLink accessible data.
Affects:
o Oracle Retail EFTLink 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1
o Oracle Retail Insights Cloud Service Suite 19.0
o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4,
18.0.3, 19.0.2
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2021
https://www.oracle.com/security-alerts/cpuapr2021.html
[2] Text Form of Oracle Critical Patch Update - April 2021 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2021verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYH+c3eNLKJtyKPYoAQhVpxAAog378OrJ6vxlEDbOxRGy8NUDta3FHGhw
PiN4ignvl620qnyAI32eyAUVp51pkJcefifGHdJ5W6itskAKi9NbsREZaBGT82mM
pAuaDMwKQ60/7eue6eLN44TlLNcblSUpF3g4FTsuL7gaZL/G6mMZfpguJ2ZbF1Gr
8TBwYmaW+HBxHuwtC1YoeKLHY1B2VWNwTETSxbkYjgmdsGIXLa6YXH1oL9f4GrOh
H0sOj5bmQG+/IiUGT0dD+N895IxiVULuIR1YPIbqF7u1xzo+c/WNOT0kxx85TLAE
yGa+YvXCGZ/h8x9s9kZi+cJB2iKsdS3MJJUsCIAvCh2TKJnQgR0IczL12XmM7kVR
z8PwexTrmX/kkfWM001lKYtC5MKjZ4R0GBWoFvHP7umon4vLYffYpwajeSIxJgN1
lZlS/fsnbfB3FX5ZrfVlnakk4iuXxuYsjX63QMMB4evwHqPignlAuTkab9cbENtR
l9MZZZo0US+UAg9NbJeWlvlamfoH6WCLEtF7BM03sQqXTuOZKmfan0/RnFT48+cW
9Sj0a712XVaAgSSiWzMlLM3jWiReJgPpD91XfOd6441ohZJjEPjEDXKytF3Pbg84
XV0sZrAonEjCjTPWuCvSqgwitt64Gfb0OcrQXUp3+Q5cVpuwYRxzsCoqjibntHZk
nb3Oav0G2/4=
=clNW
-----END PGP SIGNATURE-----