-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2021.0072
        Oracle Retail Applications Critical Patch Update
                              21 April 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Retail Applications Products
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27218 CVE-2020-17521 CVE-2020-11987
                   CVE-2020-11979 CVE-2020-10683 CVE-2020-9488
                   CVE-2020-5421 CVE-2019-10086 CVE-2019-3740
                   CVE-2019-0228 CVE-2017-12626
Reference:         ASB-2021.0066
                   ASB-2021.0029
                   ASB-2021.0020
                   ESB-2020.3513
                   ESB-2018.0296

OVERVIEW

        Multiple vulnerabilities have been identified in:

         o Oracle Retail Advanced Inventory Planning, version 14.1
         o Oracle Retail Assortment Planning, version 16.0.3
         o Oracle Retail Back Office, version 14.1
         o Oracle Retail Category Management Planning & Optimization,
           version 16.0.3
         o Oracle Retail Central Office, version 14.1
         o Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1,
           19.0.1, 20.0.0
         o Oracle Retail Insights Cloud Service Suite, version 19.0
         o Oracle Retail Item Planning, version 16.0.3
         o Oracle Retail Macro Space Optimization, version 16.0.3
         o Oracle Retail Merchandise Financial Planning, version 16.0.3
         o Oracle Retail Merchandising System, version 16.0.3
         o Oracle Retail Point-of-Service, version 14.1
         o Oracle Retail Predictive Application Server, versions 14.1, 15.0,
           16.0
         o Oracle Retail Regular Price Optimization, version 16.0.3
         o Oracle Retail Replenishment Optimization, version 16.0.3
         o Oracle Retail Returns Management, version 14.1
         o Oracle Retail Sales Audit, version 14.0
         o Oracle Retail Size Profile Optimization, version 16.0.3
         o Oracle Retail Store Inventory Management, versions 14.1.3.10,
           15.0.3.5, 16.0.3.5
         o Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6,
           17.0.4, 18.0.3, 19.0.2 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 35 new security patches for
        Oracle Retail Applications. 31 of these vulnerabilities may be
        remotely exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]

CVE-2020-10683  9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 Supported versions that are affected are 15.0.4, 16.0.6, 17.0.4 and 18.0.3.
 Easily exploitable vulnerability allows unauthenticated attacker with network
 access via HTTP to compromise Oracle Retail Xstore Point of Service.
 Successful attacks of this vulnerability can result in takeover of Oracle
 Retail Xstore Point of Service.

 Affects:
  o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4, 18.0.3

CVE-2019-0228  9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 Supported versions that are affected are 16.0.6 and 18.0.3. Easily
 exploitable vulnerability allows unauthenticated attacker with network access
 via HTTP to compromise Oracle Retail Xstore Point of Service. Successful
 attacks of this vulnerability can result in takeover of Oracle Retail Xstore
 Point of Service.

 Affects:
  o Oracle Retail Xstore Point of Service 16.0.6, 18.0.3

CVE-2020-5421  8.8  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 The supported version that is affected is 14.1. Easily exploitable
 vulnerability allows low privileged attacker with network access via HTTP to
 compromise Oracle Retail Predictive Application Server. Successful attacks of
 this vulnerability can result in takeover of Oracle Retail Predictive
 Application Server.

 Affects:
  o Oracle Retail Predictive Application Server 14.1
  o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4, 18.0.3,
    19.0.2

CVE-2020-11979  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 The supported version that is affected is 14.1. Easily exploitable
 vulnerability allows unauthenticated attacker with network access via HTTP to
 compromise Oracle Retail Advanced Inventory Planning. Successful attacks of
 this vulnerability can result in unauthorized creation, deletion or
 modification access to critical data or all Oracle Retail Advanced Inventory
 Planning accessible data.

 Affects:
  o Oracle Retail Advanced Inventory Planning 14.1
  o Oracle Retail Assortment Planning 16.0.3
  o Oracle Retail Category Management Planning & Optimization 16.0.3
  o Oracle Retail EFTLink 19.0.1, 20.0.0
  o Oracle Retail Item Planning 16.0.3
  o Oracle Retail Macro Space Optimization 16.0.3
  o Oracle Retail Merchandise Financial Planning 16.0.3
  o Oracle Retail Merchandising System 16.0.3
  o Oracle Retail Predictive Application Server 14.1
  o Oracle Retail Regular Price Optimization 16.0.3
  o Oracle Retail Replenishment Optimization 16.0.3
  o Oracle Retail Size Profile Optimization 16.0.3
  o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4, 18.0.3,
    19.0.2

CVE-2020-11987  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 The supported version that is affected is 14.1. Easily exploitable
 vulnerability allows unauthenticated attacker with network access via HTTP to
 compromise Oracle Retail Back Office. Successful attacks of this
 vulnerability can result in unauthorized creation, deletion or modification
 access to critical data or all Oracle Retail Back Office accessible data.

 Affects:
  o Oracle Retail Back Office 14.1
  o Oracle Retail Central Office 14.1
  o Oracle Retail Point-of-Service 14.1
  o Oracle Retail Returns Management 14.1

CVE-2017-12626  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 The supported version that is affected is 14.0. Easily exploitable
 vulnerability allows unauthenticated attacker with network access via HTTP to
 compromise Oracle Retail Sales Audit. Successful attacks of this
 vulnerability can result in unauthorized ability to cause a hang or
 frequently repeatable crash (complete DOS) of Oracle Retail Sales Audit.

 Affects:
  o Oracle Retail Sales Audit 14.0

CVE-2019-10086  7.3  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

 The supported version that is affected is 14.1. Easily exploitable
 vulnerability allows unauthenticated attacker with network access via HTTP to
 compromise Oracle Retail Advanced Inventory Planning. Successful attacks of
 this vulnerability can result in unauthorized update, insert or delete access
 to some of Oracle Retail Advanced Inventory Planning accessible data as well
 as unauthorized read access to a subset of Oracle Retail Advanced Inventory
 Planning accessible data and unauthorized ability to cause a partial denial
 of service (partial DOS) of Oracle Retail Advanced Inventory Planning.

 Affects:
  o Oracle Retail Advanced Inventory Planning 14.1
  o Oracle Retail Back Office 14.1
  o Oracle Retail Central Office 14.1
  o Oracle Retail Point-of-Service 14.1
  o Oracle Retail Predictive Application Server 16.0
  o Oracle Retail Returns Management 14.1

CVE-2019-3740  6.5  AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

 The supported version that is affected is 15.0. Easily exploitable
 vulnerability allows unauthenticated attacker with network access via HTTPS
 to compromise Oracle Retail Predictive Application Server. Successful attacks
 require human interaction from a person other than the attacker. Successful
 attacks of this vulnerability can result in unauthorized access to critical
 data or complete access to all Oracle Retail Predictive Application Server
 accessible data.

 Affects:
  o Oracle Retail Predictive Application Server 15.0

CVE-2020-17521  5.5  AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

 The supported version that is affected is 16.0.3. Easily exploitable
 vulnerability allows low privileged attacker with logon to the infrastructure
 where Oracle Retail Merchandising System executes to compromise Oracle Retail
 Merchandising System. Successful attacks of this vulnerability can result in
 unauthorized access to critical data or complete access to all Oracle Retail
 Merchandising System accessible data.

 Affects:
  o Oracle Retail Merchandising System 16.0.3
  o Oracle Retail Store Inventory Management 14.1.3.10, 15.0.3.5, 16.0.3.5

CVE-2020-27218  4.8  AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

 The supported version that is affected is 20.0.0. Difficult to exploit
 vulnerability allows unauthenticated attacker with network access via HTTP to
 compromise Oracle Retail EFTLink. Successful attacks of this vulnerability
 can result in unauthorized update, insert or delete access to some of Oracle
 Retail EFTLink accessible data and unauthorized ability to cause a partial
 denial of service (partial DOS) of Oracle Retail EFTLink.

 Affects:
  o Oracle Retail EFTLink 20.0.0

CVE-2020-9488  3.7  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

 Supported versions that are affected are 15.0.2, 16.0.3, 17.0.2, 18.0.1 and
 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker
 with network access via HTTP to compromise Oracle Retail EFTLink. Successful
 attacks of this vulnerability can result in unauthorized read access to a
 subset of Oracle Retail EFTLink accessible data.

 Affects:
  o Oracle Retail EFTLink 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1
  o Oracle Retail Insights Cloud Service Suite 19.0
  o Oracle Retail Xstore Point of Service 15.0.4, 16.0.6, 17.0.4, 18.0.3,
    19.0.2

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2021
            https://www.oracle.com/security-alerts/cpuapr2021.html

        [2] Text Form of Oracle Critical Patch Update - April 2021 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpuapr2021verbose.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYH+c3eNLKJtyKPYoAQhVpxAAog378OrJ6vxlEDbOxRGy8NUDta3FHGhw
PiN4ignvl620qnyAI32eyAUVp51pkJcefifGHdJ5W6itskAKi9NbsREZaBGT82mM
pAuaDMwKQ60/7eue6eLN44TlLNcblSUpF3g4FTsuL7gaZL/G6mMZfpguJ2ZbF1Gr
8TBwYmaW+HBxHuwtC1YoeKLHY1B2VWNwTETSxbkYjgmdsGIXLa6YXH1oL9f4GrOh
H0sOj5bmQG+/IiUGT0dD+N895IxiVULuIR1YPIbqF7u1xzo+c/WNOT0kxx85TLAE
yGa+YvXCGZ/h8x9s9kZi+cJB2iKsdS3MJJUsCIAvCh2TKJnQgR0IczL12XmM7kVR
z8PwexTrmX/kkfWM001lKYtC5MKjZ4R0GBWoFvHP7umon4vLYffYpwajeSIxJgN1
lZlS/fsnbfB3FX5ZrfVlnakk4iuXxuYsjX63QMMB4evwHqPignlAuTkab9cbENtR
l9MZZZo0US+UAg9NbJeWlvlamfoH6WCLEtF7BM03sQqXTuOZKmfan0/RnFT48+cW
9Sj0a712XVaAgSSiWzMlLM3jWiReJgPpD91XfOd6441ohZJjEPjEDXKytF3Pbg84
XV0sZrAonEjCjTPWuCvSqgwitt64Gfb0OcrQXUp3+Q5cVpuwYRxzsCoqjibntHZk
nb3Oav0G2/4=
=clNW
-----END PGP SIGNATURE-----